Industry News

CMS and ONC Release Proposed Rules on EHR System Interoperability and Patient EHR Access.

The Centers for Medicare & Medicaid Services (CMS) recently released a proposed rule (the CMS Proposed Rule) to enhance the interoperability of health information technologies and provide patients with greater access to their complete health records.  In doing so, CMS hopes to give patients greater control over their health care.  In addition, the CMS Proposed Rule aims to enhance provider and health plan access to their patients’ health information and reduce piecemeal records that are often incomplete due to unconnected electronic health records (EHR) systems.  Interoperability is the health Information Technology (IT) functionality that allows for the secure exchange, viewing, and use of electronic health information (EHI) with and from other health IT systems without special effort by the user.  The Office of the National Coordinator for Health Information Technology (ONC) also released a related proposed rule (the ONC Proposed Rule) regarding information blocking and Conditions and Maintenance of Certification for Health IT, which include interoperability requirements.  The ONC issued the proposed rule as part of its implementation obligations under the 21st Century Cures Act of 2016 (Cures Act) and Executive Orders 13813, 13771, and 13777.

The Federal Government’s prior attempts to make EHR systems interoperable have fallen short due to challenges and barriers in adopting interoperable EHR systems and sharing patient data.  The challenges and barriers include: 1) a lack of EHR software and patient identifier standardization; 2) disparities between provider EHR sophistication; 3) information blocking by providers to retain patients in a competitive market; and 4) a lack harmonization between state and federal health information privacy laws.

CMS Proposed Rule

The main provisions in the CMS Proposed Rule require Medicare Advantage Organizations, state Medicaid and Children’s Health Insurance Program (CHIP) agencies and managed care organizations, and Qualified Health Plan Issuers in a federally-facilitated exchange to adopt an open Application Programming Interface (API).  An API is a set of communication functions and procedures that allows an application to access another system or application and retrieve the specific information that the user requested.  An open API is an application interface with publicly available technical and other information that a third-party application can use to connect to the system.  The API adoption requirement will allow enrollees and beneficiaries to download a third-party application and connect to a payor’s open API to retrieve their EHI.  Further, CMS requires that the API allow the enrollee or beneficiary to obtain or make sense of the retrieved information without special effort.  In adopting these APIs, payors and plans must do the following:

  • Make it possible for enrollees and beneficiaries to access standardized data concerning adjudicated claims, encounter data, provider directory data of the organization’s contracted providers, and clinical data if managed by the plan or organization;
  • Make pharmacy directory data, including number, mix, and addresses of network pharmacies, and formulary data, standardized and accessible to enrollees and beneficiaries, if it is a Medicare Advantage Prescription Drug Plan;
  • Make information about covered outpatient drugs standardized and accessible to enrollees and beneficiaries, if it is a state;
  • Follow ONC’s specified technical standards outlined in ONC’s Proposed Rule;
  • Follow content and vocabulary standards required under the HIPAA Administrative Requirements, e-prescribing requirements for Medicare Part D sponsors, and additional standards set out in the ONC Proposed Rule;
  • Make technical information about the API publicly accessible by posting the information directly on the payor’s website or via publicly accessible hyperlinks;
  • Not deny a third-party application’s connection to the API unless the organization can reasonably, objectively, and fairly show that allowing the application to connect with the API would pose an unacceptable level of risk to the protected health information in the organization’s system;
  • Maintain a process for electronic exchange of certain health information at the request of the enrollee or former enrollee for up to five years after disenrollment and the ability to incorporate information received by the enrollee into the enrollee’s record; and
  • Provide enrollees and beneficiaries with information about steps to take to protect the privacy and security of their health information.

The CMS Proposed Rule also suggests a change to the Medicare and Medicaid Conditions of Participation for hospitals, psychiatric hospitals, and Critical Access Hospitals (collectively “hospitals”).  Hospitals that use an electronic medical record (EMR) system that has the capacity to generate the proper information for a patient event notification using specified content and implementation exchange standards must demonstrate the following:

  • The system has notification capacity that is fully operational and in compliance with state and federal statutes and regulations regarding the exchange of patient information;
  • The system sends notifications that include the required patient information, which at a minimum must include patient name, treating practitioner name, sending institution name, and diagnosis if not prohibited under applicable law; and
  • The system, at the time of patient admission, transfer, or discharge from the hospital, will send, directly or through an intermediary that facilitates exchanges of health information, a notification to licensed and qualified practitioners, the patient’s team members, and post-acute care service providers and suppliers.

CMS proposes to publicly report the names of providers and hospitals that cannot positively attest to three statements related to the prevention of information blocking under the Quality Payment Program or Medicare Fee-For-service (FFS) Promoting Interoperability Programs.  Additionally, since CMS has modified the National Plan and Provider Enumeration System (NPPES) to   capture provider digital contact information, CMS proposes to publish the names and National Provider Identifiers of providers who have not added their digital contact information to the NPPES by the second half of 2020.

ONC Proposed Rule

In a related recently proposed rule, the ONC also strives to reduce information blocking, increase interoperability of EHR systems, provide patients with greater access to their EHI, and increase voluntary health IT certification.  One of the ONC Proposed Rule’s main goals is to reduce information blocking, the practice, by a health care provider or health information technology developer, exchange, or network, of knowingly and unreasonably interfering with the free exchange and use of health information to proper recipients.  The ONC Proposed Rule requires that EHR systems, as a criterion for certification, allow patients to easily access their EHR at no additional cost.  The ONC also proposes seven categories of practices that would constitute exceptions to the prohibition against information blocking.  The exception would only apply if the practice is reasonable and necessary and meets all of the criteria under the applicable exception at all relevant times.  The seven proposed exceptions cover practices that:

  1. Prevent harm;
  2. Promote the privacy of EHI;
  3. Promote the security of EHI;
  4. Allow organizations to recover reasonably incurred costs to provide access, exchange, or use of EHI;
  5. Allow organizations to avoid responding to infeasible requests;
  6. License or use interoperability elements on reasonable and non-discriminatory terms; and
  7. Maintain and improve Health IT performance.

The comment period for both the CMS and ONC Proposed Rules ends on May 3, 2019.

The CMS Proposed Rule is available at:

The ONC Proposed Rule is available at: