On Dec. 13, 2016, the 21st Century Cures Act was signed into law. This strongly bipartisan legislation included several provisions to accelerate the adoption and effective use of health information technology (HIT) and promote the interoperability of health data. On March 9, 2020, the Office of the National Coordinator for HIT (ONC) and the Centers for Medicare & Medicaid Services (CMS) issued final rules implementing the Cures Act.

CMS Provisions

Patient access API

CMS-regulated payers (e.g., Medicaid, Medicare Advantage plans and others) are required to implement and maintain a secure, standards-based Application Programming Interface (API). This API must permit patients (through use of a third-party app of their choice) to easily access their claims and encounter information, including cost. Payers are required to implement the patient access API beginning Jan. 1, 2021.

Provider directory API

CMS-regulated payers are required to make provider directory information publicly available via a standards-based API. Payers are required to implement the provider directory API by Jan. 1, 2021.

Opportunities and challenges for medical groups: Claims data, captured in conjunction with clinical data, can offer the patient and the practice a broader understanding of an individual’s interactions with the healthcare system. Apps may have the capability of sharing this data with the practice (having the patient as the conduit), resulting in better information for the practice. Knowing which specialists and care centers a patient has visited could assist in population health tracking and value-based care arrangements. However, if plans do not convey the data in a structured format, it could result in a massive “data dump” that will not be as useful for the practice.

Similarly, making provider directory information broadly available should encourage innovation. Third-party app developers will be able to access information to create services that help patients find providers for care and treatment (better practice marketing), as well as help providers locate other providers for referrals and care coordination.

Public reporting

Beginning in late 2020 (starting with data collected for the 2019 performance year), CMS will publicly report eligible clinicians, hospitals and critical access hospitals (CAHs) that may be information blocking based on how they attested to certain Promoting Interoperability Program requirements. Also in late 2020, CMS will begin publicly reporting those providers who do not list or update their digital contact information in the National Plan and Provider Enumeration System (NPPES). This includes providing digital contact information such as secure digital endpoints [For example, a Direct (secure) email address and/or a FHIR API endpoint]. Practices interested in getting a Direct email address should contact their EHR vendor or go to directtrust.org for more information.

Opportunities and challenges for medical groups: Best case scenario, this public reporting could act as a deterrent to blocking data and result in fewer civil money penalties (CMPs) being imposed. One concern is that the Office of the Inspector General (OIG) will leverage this database to conduct audits of information blockers, much like the federal government does with the public listing of all data breaches of 500 or more individuals.¹ The public reporting related to digital contact information could act as an incentive for practices to secure, for example, a Direct email address and share that with their affiliated providers. Increased use of Direct email will reduce administrative burden for practices for actions such as referrals, care coordination and care transitions. 

ADT event notifications

CMS is modifying the Conditions of (Medicare) Participation to require hospitals, including psychiatric hospitals and CAHs, to send electronic event notifications of a patient’s admission, discharge and/or transfer (ADT) to another healthcare facility or to another community provider or practitioner. This policy goes into effect May 2021.

Opportunities and challenges for medical groups: This ADT feed will improve care coordination by allowing a receiving practice to know if a patient has been to the hospital. It will allow the practice to reach out to the patient in a timely manner and deliver appropriate follow-up care. This ADT feed will improve care coordination by allowing a receiving practice to know if a patient has been to the hospital. It will allow the practice to reach out to the patient in a timely manner and deliver appropriate follow-up care, particularly important for practices in value-based care arrangements. One concern is the logistics of how the electronic data transfer will occur and practices are encouraged to adopt Direct email addresses. Having a dedicated email address for this type of data may help avoid having the ADT feed sent to an inactive address. As with all these types of data feeds, however, the concern is that the practice will experience data “overload,” especially if little of the data proves actionable. 

ONC final rule provisions

API requirement

The rule outlines conditions of certification for API software developers (EHR vendors, for the most part). To be certified, EHRs will be required to have API capability and patients will be permitted to request that the practice send their health information to a third-party app of their choice. The scope of the health information that must be supported via APIs is the United States Core Data for Interoperability (USCDI) standard — a compilation of many of the key elements included in a patient’s health record, such as demographics, clinical notes, test results, medications, allergies and problem list. EHR vendors will have until 2021 to include API technology in their software.

Opportunities and challenges for medical groups: ONC asserts that API technology will facilitate the movement of clinical data via apps from the practice to the patient and between care settings. It also asserts that apps will convert raw clinical data and present it to the patient in an understandable and actionable manner. Challenges for medical groups center around the potential fees software developers will charge for API capability and the lack of privacy policies in place for third-party apps not covered under HIPAA.

Information blocking

ONC is prohibiting physician practices and other actors from blocking health information. In this rule, ONC finalized the seven exceptions they had originally proposed and added an additional (“Content and Manner”) exception. ONC has yet not defined potential CMPs for practices blocking information. Exceptions that involve not fulfilling requests to access, exchange or use electronic health information (EHI) include:

• Preventing Harm Exception
• Privacy Exception
• Security Exception
• Infeasibility Exception
• Health IT Performance Exception.

Exceptions that involve procedures for fulfilling requests to access, exchange or use EHI include:

• Content and Manner Exception
• Fees Exception
• Licensing Exception.

Opportunities and challenges for medical groups: The eight exceptions exist to shield a practice if it has a legitimate reason for not sharing patient data. However, much like Stark and Anti-kickback regulations, these exception categories can be confusing, will require substantial documentation by the practice, and will be evaluated by ONC and OIG on a case-by-case basis. Practices should review their current information sharing policies and revise them accordingly. Additionally, practices should develop a workflow process to determine first if there is a legitimate reason for blocking data and then identify and document the appropriate exception category.

In terms of what patient information the practice is prohibited from blocking, compliance is required by November 2020, with the agency extending enforcement discretion for three additional months. ONC is permitting the USCDI data set to be the floor for information blocking purposes for two years (until May 2022). Thereafter, however, practices will be required to revert back to the more expansive HIPAA data set.

Gag clauses

Currently, many EHR contracts with practices contain provisions that either prevent or are perceived to prevent practice staff from sharing information related to the EHRs in use, such as screenshots or video. In an effort to increase transparency, particularly in the areas of usability, security, compliance with certification requirements and patient safety, the ONC final rule updates certification requirements for HIT developers and establishes new provisions to ensure that providers using certified HIT have the ability to communicate directly to ONC, including (with limitations) screenshots and video. EHR vendors have until March 2021 to contact practices and potentially update contracts to reflect this new requirement.

Opportunities and challenges for medical groups: Until this final rule, many practices were contractually restricted from raising concerns to the government with their EHR software. This regulation will for the most part ban these types of gag clauses and potentially allow practices to shine a light on unsafe software and software that does not meet certification requirements.

While CMS and ONC have committed to move forward with implementing these final rules, the COVID-19 pandemic could impact compliance dates. Access mgma.com and the MGMA Washington Connection e-newsletter for updated information. 

Note:

1. Office for Civil Rights. “Breach Portal.” U.S. Department of Health & Human Services. Available from: bit.ly/2yiSF9W.