POCP Blog


CMS and ONC Interoperability Rules Will Affect You. Let Us Count the Ways.

Share this story:

By Gary Austin, Payer/Provider Interoperability Lead​ and
Ken Kleinberg, Innovative Technologies Practice Lead

Editor’s Note:  This blog was updated April 23, 2020 to reflect timeline updates made by CMS and ONC to their Final Rules.  

iStock-897710992The long-awaited interoperability rules recently dropped from the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS). The rules are long (approaching 2,000 pages) and highly complex. And, just this week, some deadlines for the two rules have been extended due to the COVID-19 crisis. The rules’ updates, for the most part, fall into the category of “discretionary enforcement,” meaning that during the enforcement discretion period (varies from 3-6 months), CMS and ONC do not intend to enforce these provisions as they currently apply to certain entities or activities. There was one key provision that was a true deadline extension: CMS, in their April 21 announcement, gave physicians and other providers a full year (until 5/1/2021) to comply with the implementation timeline for the admission, discharge, and transfer (ADT) notification and Conditions of Participation (CoPs).

Regardless of the new implementation timelines or essentially delayed enforcement of specific provisions, these rules still require immediate resources and planning for compliance. Stakeholders need to quickly understand what is in the rules, what pertains to them, and where there is market differentiation or operational improvement opportunities leveraging the rules. We will leave it to others to do a deeper dive into the contents and specific requirements of the two rules. In this blog, adapted from our March 13 webinar available here, we will briefly explore key requirements of both rules and some possible stakeholder impacts. Next week’s HIT Perspectives will shed further light on the opportunities inherent in the rules.

What’s in the rules?  The rules are a game changer on several fronts. BUT it is important to remember they are part of an evolutionary process, which leverages technology and policy levers to better engage the patient and caregivers in the care program.​ The transformational path to the future will be driven by business needs; these rules are not just a massive, Congressionally mandated health information technology (health IT) project.

So what’s in the rules? Here are some highlights.

  1. The rules seek to expand the use and alignment of standards between ONC Certification for electronic health records (EHRs) and Medicare.
  • USCDI. In a new requirement, the rules require standardized data ​exchange using the US Core Data for Interoperability (USCDI)​. We expect a future rule will address the exchange of additional codified data elements to support value-based care.
  • FHIR version 4.0. HL7’s Fast Healthcare Interoperability Resource (FHIR) standard, version 4, is being adopted for as the foundational standard to support data exchange via secure application programming interfaces (APIs).
  • NCPDP SCRIPT 20170701. This standard from the National Council for Prescription Drug Programs (NCPDP) is now required for electronic prescribing under Medicare Part D and ONC EHR Certification.
  1. The ONC rule defines information blocking by exception (with an eighth exception added on top of the seven provided in the proposed rule).
  2. The CMS rule will require hospitals to send admission, discharge, and transfer event notifications to another healthcare facility or to another community provider or practitioner as a condition of participation. States now are to exchange certain enrollee data for the dual eligibles for Medicare and Medicaid on a daily basis.
  3. Information blockers and providers who don’t update their digital contact information will be publicly reported by CMS. While this “public shaming” technique has been used before, it will be interesting to see whether it will be effective for these use cases.
  4. The rules do NOT address many key issues. They include alignment with the privacy rule implementing provisions of the Health Insurance Portability and Accountability Act (HIPPA) and with the upcoming rule on TEFCA (the Trusted Exchange and Common Agreement). [In fact, some stakeholders would like to see enhanced privacy protections for APIs. It’s not outside the realm of possibility that we could see an updated HIPAA Privacy Rule in the future to accommodate changes in business requirements, consumers’ needs and technologies since the original was published in 2000.] The Office of the Inspector General (OIG) intends to flesh out civil monetary penalties for non-compliance for which it issued a proposed rule on April 21.
  5. The implementation timelines remain short, which has many stakeholders concerned. ONC announced discretionary enforcement of most of its new requirements until 3 months after each initial compliance date. As their revised timeline shows, 11/1/2020 is still the compliance date for key provisions including information blocking certification conditions, assurances and APIs. Stakeholders, however, now have three additional months of breathing room (until 2/1/2021) during which time ONC does not intend to enforce compliance.   

The biggest change is CMS’ April 21 rule revision in which physicians and other providers were given an additional six months (until 5/1/2021) to comply with the ADT notification and Conditions of Participation (CoPs). CMS also will exercise discretionary enforcement of the Patient Access API and Provider Directory API policies for six months past the initial compliance date. It remains to be seen how the OIG proposed rule will impact enforcement (and penalties) associated with the CMS and ONC Final Rules. For now, OIG has stated that their enforcement of the information blocking provisions “would not begin sooner than the compliance date for the ONC Final Rule.” Regardless of where OIG lands, nearly all the original deadlines in both rules stand but enforcement of some key provisions will be slightly delayed.  We will publish an updated Final Rules combined timeline in the April issue of HIT Perspectives.

What do the rules mean?  There are many possible impacts from the two rules. Here are just a few of the many that we’ve identified.

Rules compliance and the transformation to APIs, based on FHIR version 4, will be key to value-based care success. The APIs, in particular, will provide access to—and exchange of—new kinds of patient data from a range of sources, including payers, providers and patients. Artificial intelligence and other data analytics can be applied to the expanded data sets to identify at-risk patients, gaps in care and outcomes across provider networks, payers and population groups.

But make no mistake, this is a business issue, not just a technology issue. Business teams will need to engage now and consider how to meet compliance deadlines. In addition, they will need to stay on top of unfolding developments to identify market opportunities and capitalize on them to stay ahead of the competition. Leveraging new capabilities, based on the rules’ requirements, will be key to developing marketplace leadership.

There also are risks and benefits for key stakeholder groups. For example:

  • Payers will have to adjust or redo their platforms, which may not be enabled for APIs or certain standards​. There may be member stickiness issues if patient data are not provided in a timely manner. ​BUT the opportunity exists for payers to steer the consume to lower cost providers and care pathways​.
  • Providers will have to make a major mindset shift related to patient data. They also will have to deal with increased competition around the shop-ability of healthcare services​. BUT those organizations doing Value-Based Care contracting can more readily share and access needed patient data​.
  • EHR and health IT vendors may have to create new business models to address data blocking rules. There will be Increased competition for provider customers, whose business needs also will evolve to deal with the evolving regulatory and payment landscapes. BUT the new rules will create new partnership and revenue opportunities​. Plus, standardization of APIs and data sets will help to minimize development costs. ​
  • Patients and caregivers must carry the burden of protection of their own data​. They may be ill equipped to deal with the possible proliferation of “bad actors” in the marketplace​. BUT, they will receive higher quality of care at a lower price​ and be empowered to manage their own healthcare data​. 

These rules present tremendous opportunity for both operational improvement and market differentiation.  We will cover these opportunities in the April issue of HIT Perspectives (subscribe here).

Remember: this is an Interoperability Journey. It will be key for stakeholders to design and build supportable ​strategies; a roadmap for successful implementation; and a sustainable organization.​ Point-of-Care Partners can help. Reach out to us at Gary “Lumpy” Austin (gary.austin@pocp.com) and Ken Kleinberg (ken.kleinberg@pocp.com).  We’d love to hear from you.