Information-sharing rule creates new hospital, health plan transparency requirements
- In a little more than six months, hospitals must start sending notifications at admission, discharge and transfer to patients’ physicians.
- In late 2020, CMS will start publicly reporting which hospitals are “information blocking.”
- Many health plans will need to start sharing claims, cost and health information electronically with patients.
Both hospitals and health plans will have to implement significant data transparency requirements under long-awaited final rules released this week.
On March 9, the Office of the National Coordinator for Health Information Technology (ONC) issued one final rule and the Centers for Medicare & Medicaid Services (CMS) issued another, both of which will implement interoperability and patient access provisions of the 21st Century Cures Act.
For hospitals, key aspects of the final rules include:
- Creating a new condition of participation in Medicare and Medicaid for hospitals to send electronic notifications — starting six months after the rule’s publication — to another healthcare facility or community provider or practitioner when a patient is admitted, discharged or transferred
- Starting public reporting by CMS in late 2020 of clinicians, hospitals and critical access hospitals (CAHs) that engage in information blocking, based on the providers’ responses to certain Promoting Interoperability Program requirements
- Starting public reporting by CMS in late 2020 of providers that do not provide digital contact information in the National Plan and Provider Enumeration System (NPPES), which is necessary to facilitate data exchange
CMS estimated that the rules will cost hospitals, psychiatric hospitals and CAHs a total of about $5.2 million in the first year and about $1 million in subsequent years.
ONC estimated total costs from its rule will range from $478 million to $1.6 billion for providers.
Health plan provisions in the final rules include:
- Requiring Medicare Advantage (MA), Medicaid, the Children’s Health Insurance Program (CHIP) and federal marketplace plans to share — by Jan. 1, 2021 — claims, cost and health information data electronically with patients
- Allowing patients to access their data through any third-party application of their choosing
- Allowing health plans to ask third-party app developers to attest to privacy provisions, such as whether their privacy policy specifies secondary data uses, and to inform patients about those attestations
- Requiring CMS-regulated health plans (not individual-insurance plans in the federal marketplace) to make provider directory information publicly available via a standards-based application programming interface (API) by Jan. 1, 2021
- Requiring CMS-regulated plans to allow patients to take their clinical data with them starting Jan. 1, 2022, as they move to other health plans to help create a cumulative health record with their new payer
CMS estimated that complying with the new requirements will cost health plans $84.6 million per year.
Proposed provisions get dropped
The final rules dropped some provisions that were included in the proposed versions of the rules.
CMS dropped a proposal to require MA, Medicaid managed care, CHIP managed care and federal marketplace plans to participate in a trusted exchange network, citing concerns over the lack of an existing, agreed-to framework.
Instead of being included in the patient-accessible API, provider directory information must be included in the public-facing provider directory API. Similarly, pharmacy directory information must be included in Medicare Part D plans’ provider directory API instead of in the patient-accessible API.
CMS did not finalize a requirement for hospitals to include a diagnosis in the patient event notifications required by the rules. However, providers may choose to add that information.
Hospitals generally support the rules, but have qualms
Hospital advocates generally supported the rules, but some raised concerns that privacy protections were insufficient.
Rick Pollack, president and CEO of the American Hospital Association, said the ONC final rule failed “to protect consumers’ most sensitive information about their personal health.”
“The rule lacks the necessary guardrails to protect consumers from actors such as third-party apps that are not required to meet the same stringent privacy and security requirements as hospitals,” Pollack said. “This could lead to third-party apps using personal health information in ways in which patients are unaware.”
Similarly, Chip Kahn, president and CEO of the Federation of American Hospitals, said the CMS rule lacked vital app security for patients.
“At a time when almost all of one’s personal information is accessible on your phone, patients deserve the same convenience for their healthcare needs,” Kahn said. “But we owe it to patients to protect their privacy and security. This regulation does not meet that test.”
Blair Childs, senior vice president for Premier, a hospital quality alliance, raised similar concerns about app privacy but also hailed some provisions.
“We are encouraged that the final ONC rule requires EHR [electronic health record] vendors to be more transparent in their business practices, attest that they will not engage in ‘information blocking’ and successfully test the real-world use of interoperable technology in the type of setting where it would be marketed,” Childs said.