The U.S. Department of Health and Human Services has finalized two long-awaited sets of rules that will govern how providers, payers and technology vendors must design their systems to give patients safe and secure access to their digital health data.

Issued Monday morning by both the Office of the National Coordinator for Health Information Technology and the Centers for Medicare & Medicaid Services, the rules fulfill the interoperability and information-blocking provisions of the landmark 21st Century Cures Act.

HHS calls the new rules – which hold public and private entities accountable for enabling easy electronic access to health information – the most extensive healthcare data-sharing policies yet implemented by the federal government.

"Patients should have control of their records, period," said HHS Secretary Alex M. Azar in a statement. "These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination."

Information blocking, USCDI

The ONC Final Rule establishes new regs to prevent information-blocking practices and anti-competitive behaviors by healthcare providers, developers of certified health IT products, health information exchanges and other information networks. It also specifies the reasonable and necessary activities that do not constitute information blocking.

The rule updates certification requirements for health IT developers and establishes new provisions to ensure that providers using certified technologies have the ability to communicate about usability, user experience, interoperability and security – including (with limitations) the ability to document challenges using screenshots and video, which ONC says are critical forms of visual communication for describing such issues.

It also requires EHRs to provide the necessary clinical data to promote new business models of care – advancing this goal common through the U.S. Core Data for Interoperability, or USCDI, a standardized set of health data classes and elements that ONC says are essential for nationwide interoperability.

The final rule also has an array of requirements for standards-based application programming interfaces (APIs), with the goal to support a patient's access and control of their electronic health information. With its new API rules, patients will be empowered to more securely and easily obtain and use their electronic health information from their provider's medical record for free, using the smartphone app of their choice, according to ONC.

"Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel and every other component of their lives," said National Coordinator for Health IT Dr. Don Rucker, in a statement. "This requires using modern computing standards and APIs that give patients access to their health information and give them the ability to use the tools they want to shop for and coordinate their own care on their smartphones.

"A core part of the rule is patients' control of their electronic health information which will drive a growing patient-facing healthcare IT economy," he added, "and allow apps to provide patient-specific price and product transparency."

Interoperability and patient access

As for the CMS Final Rule, it requires health plans in Medicare Advantage, Medicaid, CHIP and through the federal Exchanges to share claims data electronically with patients.

Beginning Jan. 1, 2021, Medicare Advantage, Medicaid, CHIP and, for plan years beginning on or after Jan. 1, 2021, plans on the federal Exchanges will be required to share claims and other health information with patients in a safe, secure, understandable, user-friendly electronic format through the Patient Access API.

That API will allow patients to access their data through any third-party application they choose to connect to the API and could also be used to integrate a health plan's information to a patient's EHR.

In addition, the CMS final rule establishes a new Condition of Participation for all Medicare and Medicaid participating hospitals, requiring them to send electronic notifications to another healthcare facility, community provider or practitioner when a patient is admitted, discharged or transferred.

CMS will also require states to send enrollee data daily, beginning April 1, 2022, for beneficiaries enrolled in both Medicare and Medicaid. The goal is to improve the coordination of care for this population and help ensure they're getting access to appropriate services – and that these services are billed appropriately the first time. Beneficiaries will get the right services at the right time, at the right cost, with no administrative burden to rebill services.

"Unfortunately, data silos continue to fragment care, burden patients and providers, and drive up costs through repeat tests," said CMS Administrator Seema Verma in a statement. "We are holding payers to a higher standard while protecting patient privacy through secure access to their health information. Patients can expect improved quality and better outcomes at a lower cost."

Healthcare IT News will have much more coverage and industry reaction to these major new rules in the days and weeks ahead.

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a publication of HIMSS Media.