CMS Interoperability and Patient Access Proposed Requirements

By March 13, 2019Blog

The following update is provided by emids subject matter experts (SMEs) in the Provider Business Unit, Digital Transformation Advisory Services, covering proposed Health IT policy changes that are important to our customers and partners.

In early February, the U.S. Department of Health and Human Services (HHS) released two health IT relevant proposed rules. These rules reflect a distinct pivot and change for the healthcare industry as the government moves to implement interoperability among health plans, payers, clinicians, hospitals and post-acute care providers.

The two rules are related and propose policies for different stakeholders. The Centers for Medicare and Medicaid Services (CMS) proposed rule is focused on patient access to electronic health information (EHI) and interoperability among providers, payers and patients. The Office of the National Coordinator for Health Information Technology (ONC) proposed rule is focused on health IT certification, which applies to health IT developers; and policy guidance on what does not constitute information blocking, which applies to health care providers, health IT developers, health information exchanges and health information networks.

The proposed rules would implement requirements established by the 21st Century Cures Act signed into law on December 13, 2016. The magnitude of requirements is similar to what we saw in 2009 with the Health Information Technology for Economic and Clinical Health (HITECH) Act (Title XIII) and the subsequent regulations implementing health IT certification requirements and provider’s meaningful use of electronic health records (EHRs). The key difference is there are no incentive payments associated with compliance, but rather, provisions that act as deterrents as well as potential monetary penalties.

This blog covers highlights and insights from the CMS proposed rule policies, and subsequent blogs will focus on provisions in the ONC proposed rule.

About the CMS Proposed Rule

On February 11, 2019, HHS released the CMS proposed rule titled: Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans in the Federally-facilitated Exchanges and Health Care Providers. The proposed policy changes in this rule support CMS’ MyHealthEData initiative to improve patient access and advance electronic data exchange and care coordination throughout the healthcare system.

This rule proposes regulations and requests for information with implications for providers (hospitals, physicians and clinicians), patients, health plans, payers and post-acute care settings. Among the provisions proposed are Medicare and Medicaid payer organization requirements for using open application programming interfaces (APIs), health information exchange and care coordination across payers, and participation in a trusted exchange network. For Medicare and Medicaid providers, provisions proposed include deterrents for not attesting yes to required information blocking statements, and a new condition of participation (CoP) requirement for electronic patient event notifications.

Within the CMS rule there are five proposals for payers; three proposals for providers; and three requests for information (RFIs).  Herein, we provide a summary of the proposed provisions by stakeholder and include some Health IT insights from our SME team’s analysis.

CMS Proposals for Payers and Providers

CMS is proposing initiatives to break down the barriers that impede patients’ ease of access to their electronic health care information; they are proposing to create and implement new mechanisms for patients to access their own health care information, as well as the ability to decide how, when, and with whom to share their information.


The 5 proposals for Payers apply to Medicare Advantage (MA) organizations, Medicaid state agencies, state Children’s Health Insurance Program (CHIP) agencies, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan (QHP) issuers in Federally-facilitated Exchanges (FFEs).

Patient access through open APIs

CMS would require information to be made accessible to patients via “openly published” APIs, for which the technical information required to connect to them is publicly available. Open API standards require implementing open APIs consistent with the API technical standards proposed by ONC for adoption; and to use content and vocabulary standards adopted and proposed by HHS. Retrievable data would include:  adjudicated claims data, including provider remittances and beneficiary or enrollee cost-sharing data; encounters from capitated providers; and clinical data, including laboratory results (if managed by the payer).

Compliance date: MA organizations, January 1, 2020; Medicaid and CHIP, July 1, 2020

What this means for Payers:

  • Payers would be required to use standardized, open APIs to make claims and encounter data available to patients in these programs along with other plan data including provider directory data.
  • This is significant for payers as they have not had to deploy Certified EHR technology (CEHRT) in the same way that providers did as part of the EHR Incentive Program, which incorporated the API certification criteria in the 2015 Edition CEHRT.
  • Payers will need to take greater care in configuring and maintaining security functionalities of the API and their electronic information systems it connects to. They will need to review and possibly update security policies to support this need.
  • To implement the new requirements for APIs, CMS estimates that payers and states will need to conduct three major work phases: initial design; development and testing; and long-term support and maintenance.  CMS estimates the one-time cost to implement API requirements would be ~$789,356 per organization or state per implementation, and the total annual cost to maintain the API requirements would be ~$158,360 per organization or state.

API access to published provider directory data

CMS would align program requirements so each payer/plan issuer would make provider directory information publicly available via an API. This would include the names of providers, addresses, phone numbers, and specialty.

Compliance date: MA organizations, January 1, 2020; Medicaid and CHIP, July 1, 2020

What this means for Payers: The impact for this should be minimal as most plans have the data available, but they would now need to provide through APIs and make available no later than 30 days after changes to the provider directory are made. CMS is not proposing to include this requirement for QHP issuers in FFEs.

Payer to payer coordination

CMS would require payers to support beneficiaries in coordinating their own care via payer to payer care coordination. If asked by the beneficiary, a plan would be required to forward the beneficiary’s information to a new plan or other entity for up to 5 years after the beneficiary has disenrolled with the plan. This would require coordinating care between plans by exchanging, at a minimum, the data elements in the United States Core Data for Interoperability (USCDI) standard at enrollee request at specified times, and the information requested, in the form of the USCDI data set, would need to be incorporated into the recipient plan’s systems. The USCDI (Version 1) data set includes laboratory results and tests, medications, health concerns, assessment and plan of treatment, care teams, clinical notes, and other data points essential for care coordination.

Compliance date: January 1, 2020

What this means for Payers:

  • CMS is proposing to allow multiple methods for electronic exchange of the information, including use of the APIs or utilizing a regional health information exchange.
  • CMS believes this would impose minimal additional costs to plans.

Participation in a trusted exchange network

CMS would require payers to participate in a trusted health information exchange network meeting criteria for interoperability. This requirement lays the foundation for future proposals outlining an approach to payer-to-payer and payer-to-provider interoperability, which leverages such existing trusted networks.

Compliance date: January 1, 2020

What this means for Payers:

  • The trusted exchange framework must be able to exchange protected health information (PHI); be capable of connecting both inpatient EHRs and ambulatory EHRs; and support secure messaging or electronic querying by and between patients, providers and payers.
  • CMS believes this would impose minimal additional costs on plans, but they are requesting comments on challenges payers may face to meet this requirement.

Frequency of federal-state data exchanges for dually eligible individuals

CMS would increase the frequency of federal-state data exchanges for dually eligible individuals requiring states to submit buy-in data from weekly or monthly, to daily exchange of buy-in data with CMS. CMS would also update the frequency requirements to require all states to submit the required Medicare Modernization Act (MMA) file data to CMS daily.

Compliance date: April 1, 2022

What this means for Payers:

  • For daily exchange of buy-in data, CMS estimates the cost for states to be one-time costs associated with updates to the state systems over a 3-year implementation period. CMS estimates the one-time costs would be less than $80,000 per state, per change. A state that needs to make system updates to send buy-in data daily, and receive buy-in data daily would have a one-time cost of just under $160,000.
  • For daily submission of the required MMA file data, CMS estimates the cost for states to comply with these new requirements to be a one-time cost over a 3-year implementation period. CMS estimates the one-time cost for a state to be a little less than $80,000 for this MMA data systems change.


The 3 proposals for Providers apply to:

  • Hospitals = eligible hospitals (EH), short-term acute care, long-term care, rehabilitation, psychiatric, children’s, cancer hospitals, and critical access hospitals (CAHs); includes the hospital Promoting Interoperability (PI) Program
  • Clinicians = physicians and eligible clinicians (EC); includes the Quality Payment Program (QPP)

Information blocking public reporting

CMS would publicly post information on appropriate CMS websites for those who attested negatively to any of the prevention of information blocking attestation statements under the QPP or the Medicare Fee-For-Service (FFS) PI Program.

Compliance date: Publicly post 2019 performance period data in late 2020

What it means for Providers:

  • There are three prevention of information blocking attestation statements that require a “yes” attestation response to successfully report for the CMS programs.
  • CMS proposes to publicly report negative attestations on physician compare for eligible clinicians, and on a CMS website for eligible hospitals.
  • To publicly post information on attesters who do not answer “yes” will require CMS to update the portal functionality as the system currently does not allow a provider to complete the process if “no” is selected.

Provider digital contact information

CMS will publicly identify those clinicians who have not submitted digital contact information in the National Plan and Provider Enumeration System (NPPES).

Compliance date: second half of 2020

What this means for Providers:

  • CMS would require all individual health care providers and facilities to take immediate action to update their NPPES record online to add digital contact information.
  • CMS is requesting comment from stakeholders on the most appropriate way to pursue this public reporting initiative, including where to post the names and the frequency as well as additional possible enforcement authorities to ensure individuals and facilities make their digital contact information publicly available through NPPES.

ADT electronic patient event notifications

CMS would create a new condition of participation (CoP) to require hospitals to send patient event notifications of a patient’s admission, discharge, and/or transfer (ADT) to another health care facility or to another community provider. This requirement would be limited to only those Medicare- and Medicaid-participating hospitals and CAHs that possess EHR systems with the technical capacity to generate information for electronic patient event notifications. Included Information would be, at a minimum, the patient’s basic personal or demographic information, as well as the name of the sending institution (that is, the hospital), and, if not prohibited by other applicable law, diagnosis. CMS would also encourage hospitals, as their systems and those of the receiving providers allow, to work with patients and their practitioners to offer more robust patient information and clinical data upon request in accordance with applicable law.

Compliance date: CMS seeks comments on a reasonable timeframe for implementation of these proposals for hospitals, psychiatric hospitals, and CAHs.

What this means for Hospitals:

  • CMS is seeking to further expand requirements for interoperability beyond the current requirements of the Promoting Interoperability (PI) program. This proposal would introduce a completely new mechanism that does not align with work currently underway to meet the 2019 PI program requirements. Hospitals would have to shift focus to this new requirement in order to satisfy the change in the Medicare CoP.
  • To create an electronic patient event notification using the change in ADT status to trigger a message to a receiving provider or to an HIE system that can then route the message to the appropriate provider, hospitals would be required to identify which patient has a relationship with what provider and either:
    • Build an interface connection point to every downstream provider and only send ADT messages about that particular patient, or
    • Find and join an HIE that offers event notification services where the HIE provides some sort of patient matching between the systems connected to the HIE and is able to manage the transmission of ADT message out to other systems.
  • Hospitals who are not part of an HIE that can manage and direct the flow of the ADT to the appropriate provider would have to custom develop and maintain this functionality on their own.
  • This would be a significant burden for hospitals who are not part of an exchange organization to develop and maintain the workflow and functionality on their own to satisfy the proposed requirement to transmit ADT messages to other providers.
  • This would require new considerations for audit evidence and supporting documentation such as a Health Level 7 (HL7) message and some configuration screen shots.
  • We do not agree with CMS’ estimation of this effort as CMS believes this proposal would impose minimal additional costs on hospitals and the cost would largely be limited to the one-time cost for initial implementation of the notification system, to revision of policies and procedures as they relate to discharge planning; and for communicating these changes to affected staff.


The 3 Requests for Information (RFIs) and Other Comment Request

RFIs for future rulemaking

CMS includes three RFIs on:

  • CMMI models. General principles around interoperability within the CMS Medicare and Medicaid Innovation Center (CMMI) models for integration into new models, through provisions in model participation agreements or other governing documents.
  • Patient matching. The role of patient matching in interoperability and improved patient care.
  • Post-acute care providers. Interoperability and health IT adoption in Post-Acute Care (PAC) settings.

Seeking Comment for 2020 rulemaking

CMS expects to introduce a proposal for establishing “interoperability activities” in the FY 2020 Inpatient Prospective Payment System (IPPS) rulemaking in conjunction with other updates to the PI Program. CMS invites comments on ideas for “interoperability activities” for which eligible hospitals (EHs) and CAHs could receive credit in lieu of reporting on program measures.

Points of view and interpretation were relevant at time of authorship; however, they are subject to change over time.  For more information about these proposed changes, contact us at