On February 11, the Centers for Medicare and Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC) unveiled long-awaited proposed interoperability and information blocking rules. The rules, which are part of the Administration's "MyHealthEData" initiative to promote the seamless flow of health information between patients and providers, would require hospitals, providers and electronic health record developers to share electronic health information (EHI) information with patients, insurers and digital health innovators in standardized formats at no cost and penalize them for "information blocking." The ONC also defines specific exceptions to data blocking and associated fines, as mandated by the 21st Century Cures Act (Cures), and would publish the names of providers and hospitals that fail to comply. The two proposed rules align by requiring that entities conform to the same advanced Application Programming Interface (API) standards, along with an aligned set of standards for clinical data classes through the United States Core Data for Interoperability standard (USCDI).

While the CMS rule does not apply to private payers, CMS Administrator Seema Verma said the changes could push them to adopt more tools that allow patients access to their data. Verma stated that the rules are an "unprecedented step toward a healthcare future where patients are able to obtain and share their healthcare data, securely and privately, with just a few clicks, is the beginning of a digital data revolution that truly empowers American patients." Health and Human Services (HHS) Secretary Alex Azar also praised the rules upon their release, saying they "strive to bring the nation's healthcare system one step closer to a point where patients and clinicians have the access they need to all of a patient's health information, helping them in making better choices about care and treatment."

For more detail on the proposed rules, visit:

• Fact sheet on the CMS proposed rule (CMS-9115-P):
• Fact sheets on the ONC proposed rule
• CMS proposed rule (CMS-9115-P)
• ONC proposed rule

Overview of the CMS proposed rule

The CMS interoperability rule would require Medicaid, the Children's Health Insurance Program (CHIP), Medicare Advantage (MA) plans and Qualified Health Plans (QHPs) to make enrollee data immediately accessible by 2020. Providers would be required to adopt technologies to allow patients easier access to their data as they move between federal programs and would require providers and plans to implement open data sharing technologies to support care coordination. The rule would also publicly report providers or hospitals that participate in information blocking practices that limit the availability, disclosure and use of EHI and undermine efforts to improve interoperability. The rule would require MA plans, state Medicaid and CHIP FFS and managed care entities, and QHP issuers in Federally-facilitated Exchanges (FFEs) to:

• Implement, test and monitor openly-published Health Level Seven Fast Healthcare Interoperability Resources-based APIs to make patient claims and other health information available to patients through third-party applications and developers
• Support electronic exchange of data transitions of care as patients move between plan types, such as information about diagnoses, procedures, tests and providers seen
• Participate in a trusted exchange network which would allow them to join any health information network they choose and be able to participate in nationwide exchange of data

The rule would also:

• Update the frequency with which states are required to exchange certain Medicare/Medicaid data on dually eligible beneficiaries from a monthly exchange to a daily exchange
• Make publically available a list of individual clinicians, hospitals and critical access hospitals (CAHs) that have submitted a "no" response to any of the three attestation statements regarding the prevention of information blocking in the Promoting Interoperability Programs
• Make publically available the names and National Provider Identifiers (NPIs) of those providers who have not added digital contact information to their entries in the National Plan and Provider Enumeration System (NPPES) beginning in the second half of 2020 (as required by Cures)
• Require Medicare-participating hospitals, psychiatric hospitals and CAHs to send electronic notifications when a patient is admitted, discharged or transferred

The rule also seeks public comment on:

• Promoting interoperability among CMS Innovation Center participants and other health care providers as part of the design and testing of innovative payment and service delivery models
• How CMS can leverage its authority to improve patient identification and safety to encourage better coordination of care across different healthcare settings while advancing interoperability
• How to promote wide adoption of interoperable health IT systems for use across healthcare settings such as long-term and post-acute care, behavioral health and settings serving individuals who are dually eligible for Medicare and Medicaid and/or receiving home and community-based services

Overview of the ONC proposed rule

The ONC proposed rule calls on the health care industry to adopt standardized APIs, help provide individuals secure access to EHI using their smartphones and other mobile devices, and requires that electronic health data be made available at no cost. Unlike the CMS proposed rule, ONC's rule impacts all parties that interact with or use an electronic health record — public or private. Major provisions of the rule include:

• Deregulatory actions aimed at reducing burdens for health IT developers, providers and other stakeholders
• Updates to the 2015 Edition Certification Criteria, including:
• Adopting the USCDI as a standard, replacing the "Common Clinical Data Set" (CCDS)
• Updating the electronic prescribing (e-Rx) SCRIPT standard
• Updating Clinical Quality Measures, including a new criterion for "EHI export"
• Adopting a new "Standardized API for Patient and Population Services" certification criterion
• Adopting two new privacy and security transparency attestation certification criteria
• Changes to the 2015 Edition Privacy and Security Certification Framework, including proposing new and revised principles of proper conduct (PoPC) for ONC-Authorized Certification Bodies (ONC-ACBs)
• Establishes certain Conditions and Maintenance of Certification requirements for health IT developers (which were outlined in Cures), including requiring health IT developers to:
• Not take any action that constitutes information blocking and provide assurances they have not
• Not prohibit or restrict communications about certain aspects of the performance of health IT and the developers' related business practices
• Adopt new standards to implement certified APIs
• Successfully test the real world use of the technology for interoperability
• Submit reporting criteria on certified health IT in accordance with the EHR reporting program established under Cures (not yet established)
• Enforcement measures to encourage consistent compliance with the requirements (stakeholders could be penalized $1 million per instance of information blocking)
• Comment requests on their analysis of the health IT landscape for pediatric settings and correlated certification criteria, how existing program requirements and proposals may support use cases related to Opioid Use Disorder (OUD) prevention and treatment, and whether certain health IT developers should be required to participate in the Trusted Exchange Framework

The rule also identifies several "reasonable and necessary activities" as exceptions to the information blocking definition, where providers and health IT companies can withhold information. This includes:

1. To prevent physical harm to a patient or another person
2. To protect privacy of EHI (ONC has included several sub-exceptions where this would be applicable)
3. To promote cybersecurity
4. To recover costs incurred in sharing health data
5. To decline a request for data sharing that is "infeasible"
6. To license interoperability tools, provided the agreement is fair and reasonable
7. To conduct maintenance or improvements to health IT

———————————————