By: Lori Smith and Jeremy Miller
On March 9, 2020, the United States Department of Health and Human Services (HHS) issued two new sets of rules under the 21st Century Cures Act designed to provide patients with more control over their health care data. With the goal of interoperability, the final rules developed by the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS) require providers, payers and information technology vendors to provide patients with the ability to easily access their electronic health information (EHI) on electronic devices, including smartphones.
The new rules are quite lengthy and complex, and it will take time for providers, payers and others within the healthcare ecosystem to fully understand them and appreciate how to implement the changes. To allow time for the system to adapt to the changes, the rules will be phased in over a two-year period.
Some of the highlights include:
- requiring providers and payers to establish secured application programming interfaces, commonly known as APIs, to link EHI with applications so patients can access EHI;
- carving out certain activities that previously were considered “information blocking” prohibited by the 21st Century Cures Act and updated certification requirements;
- transparent public reporting of providers that engage in “information blocking” or that fail to provide or update contact information;
- requiring that EHI records contain certain clinical data (e.g., allergies, medications) based on standards set by the U.S. Core Data for Interoperability;
- mandating that hospitals send an electronic notification to other providers of a patient when such patient is admitted to or discharged from a hospital, also known as Admission, Discharge and Transfer (ADT) notifications; and
- requiring the daily exchange of data between CMS and state agencies for patients enrolled in both Medicare and Medicaid, instead of the current monthly reporting standards.
The new rules seek to upgrade an ever-aging healthcare system through the use of new technology, the goal being to promote patient data access and give patients the ability to control their health information in a way that will promote price and care transparency. However, such enhanced access and interoperability raise potential concerns. The greatest apprehension expressed to date is how to adequately protect patient privacy, including when sharing EHI on third-party applications. New advanced technology involving data transmission and storage always comes with the risk of being compromised or “hacked.” For example, third parties could gain access or control and demand payments, or ransom, to release data, a risk that would extend to EHI. It remains to be seen whether patient privacy can in fact be protected.
Another concern raised by stakeholders impacted by the rules is the interplay with the Health Insurance Portability and Accountability Act (HIPAA) and whether third parties that were not previously empowered to accept EHI without appropriate protections (i.e., a business associate agreement) are now able to circumvent the security and privacy safeguards of HIPAA. In response to the final rules, the CEO of America’s Health Insurance Plans said “[w]e remain gravely concerned that patient privacy will still be at risk when healthcare information is transferred outside the protections of federal patient privacy laws.” The details are still being ironed out and the concerns, particularly with respect to privacy, will remain a hot topic.
We will continue to follow developments with respect to the new rules and provide updates as appropriate. Understanding the complexity of the rules, ONC has provided helpful fact sheets.
If you have questions or would like further information, please contact Lori Smith (smithl@whiteandwilliams.com; 212.714.3075), Jeremy Miller (millerj@whiteandwilliams.com; 212.631.4414) or another member of the Corporate and Securities Group.