CMS and ONC Final Rules – What It Means for Providers and Payers

By March 18, 2020Blog, Provider

The following update is provided by emids subject matter experts (SMEs) in the Provider and Payer Business Units, covering Health IT policy changes that are important to our customers and partners.

On March 9, 2020, the U.S. Department of Health and Human Services (HHS) released two health IT final rules requiring implementation of new interoperability policies.

  • The Centers for Medicare and Medicaid Services (CMS) Interoperability and Patient Access Final Rule focuses on patient access to electronic health information (EHI) and interoperability among providers, payers and patients.
  • The Office of the National Coordinator for Health Information Technology (ONC) Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule focuses on health IT certification, which applies to health IT developers; and policy guidance on what does not constitute information blocking, which applies to health care providers, health IT developers of certified health IT, and health information networks or exchanges.

The goal of CMS’ Interoperability and Patient Access Final Rule is to put patients first, giving them access to their health information when they need it most and in a way they can best use it.4  The goal of ONC’s Cures Act Final Rule is for patients to access their electronic medical record at no additional cost and for providers to choose the IT tools that allow them to provide the best care for patients, without excessive costs or technical barriers.9

This blog covers highlights of the CMS and ONC final rules and includes insights from emids’ Provider and Payer SME teams’ analysis.

CMS Final Rule Policies for Payers and Providers

CMS finalized four new policies for payers and three for providers.  They did not finalize the requirement for payers to participate in a trusted exchange network.

The new CMS policies break down the barriers that impede patients’ ease of access to their electronic health care information; they create and implement new mechanisms for patients to access their own health care information, as well as the ability to decide how, when, and with whom to share their information.

For Medicare and Medicaid payer organizations, new policies require use of open application programming interfaces (APIs), and health information exchange and care coordination across payers.  For Medicare and Medicaid providers, new policies include deterrents for not attesting yes to required information blocking statements, and a new condition of participation (CoP) requirement for electronic patient event notifications.

Payer Policies

The four new policies for payers, with some potential implications for providers as well, are as follows.

1 – Patient Access Through APIs 

CMS regulated payers are required to use standardized, open APIs to make claims and encounter data available to patients in these programs.

Compliance date:  January 1, 2021

What this means for Payers and Providers

  • Payers will need to:
    • Define and implement a micro services architecture for API enablement strategy
    • Establish an end-to-end API operating model, including security.
    • Implement, configure and maintain security functionalities of the API and the electronic information systems it connects to.
    • Review and possibly update security policies to support this need.
    • If third party developers start utilizing the API to access payer systems, payers will need to have a plan to validate/approve the access of their systems’ APIs (Apple Health, Coral, etc.).
  • Providers who have their own health plan that includes Medicare Advantage will also need to address this.

2 – API access to published provider directory data

CMS-regulated payers are required to make provider directory information publicly available via a standards-based API.  This would include the names of providers, addresses, phone numbers and specialty.  This requirement does not include Qualified Health Plan (QHP) issuers in the Federally Facilitated Exchanges (FFEs) as they are already required to make provider directory information available.

Compliance date:  January 1, 2021

What this means for Payers and Providers

  • The impact for payers should be minimal as most plans have the data available via “Find a Doctor” functionality for their members. The impact will be if this information is not currently available via an API.
  • Providers who have their own health plan that includes Medicare Advantage will also need to address this.

3 – Payer-to-Payer Data Exchange

CMS-regulated payers are required to exchange certain patient clinical data at the patient’s request, allowing the patient to take their information with them as they move from payer to payer over time to help create a cumulative health record with their current payer.  This would require payers to maintain a process for the electronic exchange of, at a minimum, the data classes and elements included in the United States Core Data for Interoperability (USCDI) standard via a payer-to-payer data exchange.  The impacted payers are required to incorporate the data they receive into the enrollee’s record; and with the approval and at the direction of a current or former enrollee, a payer must send the defined information set to any other payer.  A payer is only obligated to send data received from another payer under this policy in the electronic form and format it was received, and they are required to make data available with a date of service on or after January 1, 2016.

Compliance date:  January 1, 2022

What this means for Payers and Providers

  • Payers must implement the processes and technology to facilitate data exchange with other payers and ensure standard clinical data set (specifically the USCDI) is in place.
  • Providers who have their own health plan that includes Medicare Advantage will also need to address this.

4 – Increased Frequency of federal-state data exchanges for dual eligible members

States are required to exchange Medicare and Medicaid enrollee data daily with CMS.

Compliance date:  April 1, 2022

What this means for Payers and Providers

  • Each state must implement system changes to support daily enrollee exchanges with CMS. This addresses notification of patients with dual Medicare and Medicaid coverage.
  • Providers who have their own health plan that includes Medicare Advantage will also need to address this.

Provider Policies

The 3 policies for Providers apply to:

  • Hospitals = eligible hospitals (EH), short-term acute care, long-term care, rehabilitation, psychiatric, children’s, cancer hospitals, and critical access hospitals (CAHs); includes the hospital Promoting Interoperability (PI) Program
  • Clinicians = physicians and eligible clinicians (EC); includes the Quality Payment Program (QPP)

1 – Public reporting and information blocking

CMS will publicly report eligible clinicians, hospitals, and critical access hospitals (CAHs) that may be involved in information blocking based on how they attested to the CMS Promoting Interoperability (PI) Program or CMS Merit-based incentive payment system (MIPS).

Compliance date:  Based on 2019 attestations, public reporting becomes applicable in late 2020

What it means for Providers and Payers

  • Currently, submission of data to the CMS PI program or MIPS requires providers to answer 3 prevention of information blocking attestation statements. Providers and hospital organizations will need to be educated that their answers to these statements will be disclosed to the public.
  • Providers will need to have policies and procedures in place to ensure information blocking practices are prevented.
  • Payers could publish this for their provider network.

2 – Digital contact information

CMS will begin publicly reporting in late 2020 those providers who do not list or update their digital contact information in the National Plan and Provider Enumeration System (NPPES).

Compliance date:  Applicable Late 2020

What this means for Providers and Payers

  • CMS would require all individual health care providers and facilities to take immediate action to update their NPPES record online to add digital contact information.
  • For a commercial payer who also owns and manages provider practices, the payer may need to ensure that NPPES is updated appropriately for their providers who see Medicare patients.
  • For Providers this would mean establishing a monitoring and maintenance process to ensure internal provider dictionaries include the most up to date digital contact information.
  • Providers should work with their electronic health record (EHR) vendors to help them clean up provider master files to ensure up-to-date digital information and current National Provider Identifier (NPI) has been updated.

3 – Admission, Discharge, and Transfer Event Notifications

CMS is modifying their Conditions of Participation (CoPs) to require hospitals, including psychiatric hospitals and critical access hospitals, to send electronic patient event notifications of a patient’s admission, discharge, and/or transfer to another healthcare facility or to another community provider or practitioner.

Compliance date:  Applicable Fall 2020

What this means for Hospitals and Payers

  • Implementation of this data exchange is significant; hospitals will need to either build out additional interfaces or engage with a third-party application, and/or a Health Information Exchange (HIE) to satisfy this requirement.
  • Payers can capture this in care management systems to track and engage in any relevant programs as required.

ONC Final Rule Policies for Providers, Health IT Developers and Health Information Networks (HINs) and Exchanges (HIEs)

The Final Rule includes provisions that require support for modern computing standards and application programming interfaces (APIs); and prevent industrywide information blocking practices and other anti-competitive behavior by those entrusted to hold patients’ electronic health information (EHI).9

The rule implements certain provisions of the 21st Century Cures Act.  In this blog, we highlight the provisions that most affect emids clients and partners.  This includes:

1. Information Blocking

2. Updates to the 2015 Edition Certification Criteria, including Adoption of the United States Core Data for Interoperability (USCDI) as a Standard

3. Health IT for the Care Continuum

1 – Information Blocking

The rule identifies and outlines eight reasonable and necessary activities that interfere with the access, exchange, or use of EHI, but do not constitute information blocking provided certain conditions are met.  The intent is to prevent “information blocking” practices (e.g., anti-competitive behaviors) by healthcare providers, developers of certified health IT, HIEs, and HINs.

The eight exceptions are divided into two categories and are as follows:10

  • Exceptions that involve not fulfilling requests to access, exchange, or use EHI

1. Preventing Harm Exception

2. Privacy Exception

3. Security Exception

4. Infeasibility Exception

5. Health IT Performance Exception

  • Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI

6. Content and Manner Exception (new to final rule)

7. Fees Exception

8. Licensing Exception

Compliance date:  Beginning fall of 2020, full compliance required by 2022

What this means for Providers and Payers

  • The provider or healthcare organization must have appropriate policies and procedures in place to ensure information blocking practices are prevented.
  • Providers will need to put forth processes to mitigate against any information blocking complaints.
  • If one of the information sharing exceptions applies to the provider organization, policies and procedures need to clearly state why it is appropriate not to share information, as the final rule provides very specific conditions that must be met for the exception to apply.
  • The Security Risk Analysis should include language on information blocking prevention.
  • Like providers, payers will also need to establish policies.
  • Future rule provisions may penalize providers if they are found to be engaged in information blocking and do not demonstrate that they meet the outlined exceptions.

2 – EHR certification criteria updated

The functionality criteria that EHR vendors need to demonstrate in order to become a certified EHR technology (CEHRT) was updated.  Providers are required to implement and use CEHRT to participate in several CMS payment incentive and quality reporting programs.  Notable certification updates include:

  • Adoption of the USCDI – this standard sets the baseline of data classes that should be available for health information exchange.  Vendor compliance:  Year 2022
  • Clinical Quality Measures (CQMs) Report – this standard requires Health IT Modules to support the CMS QRDA Implementation Guide (IGs); it removed the Health Level 7 (HL7®) Quality Reporting Document Architecture (QRDA) standard requirements.  Effective date:  60 days after publication of final rule
  • Electronic Health Information (EHI) Export – new functionality that would allow patients to request an export of their EHI.  Vendor compliance:  Year 2023
  • Application Programming Interfaces – criterion updated to support the multiple patient data API calls (previously certification criteria only required single patient calls) and requires the use of the Health Level 7 (HL7®) Fast Healthcare Interoperability Resources (FHIR®) standard Release 4.  Vendor compliance:  Year 2022
  • Security Tags and Consent Management – new functionality will allow tagging of sections of the continuity of care document (CCD) as containing sensitive information, allowing for transmission of the CCD even if portions of the document are restricted.  Vendor compliance:  Year 2022

Compliance date:  Years 2022 and 2023

What this means for Providers

  • Providers will need to implement updated and new EHR functionality once available from their vendor.
  • Workflow processes will also need to be updated to support the new EHR functionality provided.
  • For health IT developers, the CQM Report change will reduce burden; and providers will no longer have to develop and support two forms of the QRDA standard (QRDA I, individual patient level report; and QRDA III, aggregate quality report). It will enable a user to electronically create a data file for transmission of clinical quality measurement data based on their care setting.
  • Vendors of certified health IT must keep their clients current by making available updated certified health IT capabilities for interoperability and the essential data set required for exchange (Version 1 of the USCDI within 24 months for most requirements, and 36 months for EHI Export).12
  • Health IT vendors will need to attest to HHS and their certifying body their compliance with conditions of certification that assure they will not engage in information blocking, provide real world support for interoperability, and support API access for all verified registered users (including developers) who seek to connect applications to APIs to access EHI held by a health IT vendor’s certified products.12
  • Providers should ensure there is evidence of the attestations done by health IT vendors.

3 – Health IT for the Care Continuum

ONC identified the EHR certification criteria that would support voluntary certification of health IT for pediatric care and pediatric settings.

Compliance date:  Future Rulemaking

What this means for Providers

  • Pediatric providers may be interested in proactively implementing the recommended certified EHR functionality.

Points of view and interpretation were relevant at time of authorship; however, they are subject to change over time.  For more information about these new policies, contact us at engage@emids.com.

Sources

1. CMS final rule titled:  Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-facilitated Exchanges, and Health Care Providers. HHS-approved version released on 3/9/2020.

2. CMS Website: CMS Interoperability and Patient Access final rule

3. CMS Press Release, 3/9/2020: HHS Finalizes Historic Rules to Provide Patients More Control of Their Health Data

4. CMS Fact Sheet: Interoperability and Patient Access Fact Sheet

5. ONC final rule titled: 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program.  HHS-approved version released on 3/9/2020.

6. ONC Website: ONC’s Cures Act Final Rule

7. ONC Press Release, 3/9/2020: HHS Finalizes Historic Rules to Provide Patients More Control of Their Health Data

8. ONC Blog, 3/9/2020: The Cures Act Final Rule: Interoperability-Focused Policies that Empower Patients and Support Providers

9. ONC Fact Sheet: The ONC Cures Act Final Rule

10. ONC Fact Sheet: Information Blocking Exceptions

11. ONC Fact Sheet: Information Blocking Actors

12. HIStalk News, 3/11/2020: Cerner’s summary of what the new regulations mean for developers