In March 2020, the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) released rules that have far reaching implications for healthcare providers, payers, and health IT vendors.
The two rules are designed to implement interoperability and patient access provisions of the 21st Century Cures Act, a bipartisan bill signed into law in 2016, with the goal of empowering patients with access to their medical data so that they can make informed decisions about their health.
The rules were entered into the Federal Register on May 1, 2020, which started the clock on compliance timelines. Several deadlines were set for early 2021; however, because of the COVID-19 pandemic, CMS and ONC have relaxed some deadlines.
Here, we highlight some important aspects of each rule and explain how different stakeholders will be affected by the rules. We also explain how Lyniate can help stakeholders meet compliance deadlines.
CMS and ONC: What’s the Difference?
While CMS and ONC are separate divisions under the U.S. Department of Health and Human Services (HHS), they often coordinate efforts to surface different aspects of the same intention. In the case of these two rules, the intention is to make data more broadly available using APIs.
Who Is Impacted by the Rules?
- Healthcare provider organizations
- Developers of Certified health IT
- Health information exchanges
- Health information networks
Taken together, what do the rules mean for health IT vendors, provider networks, and payers? While we don’t have a crystal ball, the following table illustrates — based on past healthcare regulations, such as the HITECH Act — which aspects of the rules will have greater impact on the industry. Decoupling the silos from vendors that have largely controlled patient healthcare data will dramatically change the dynamic in which these organizations are viewed.
CMS and ONC Rules: Impact on Health IT Vendors
As they consider how they will comply with these rules, developers of health IT solutions should ask themselves following:
- In what formats does your organization store all data comprising the USCDI?
- What type of data is stored in your organization?
- What systems do you connect with, and where is protected health information housed?
- If you store patient protected health information in your system, you must have a FHIR API that allows patients to access their data.
CMS and ONC Rules: Impact on Providers
As they consider how they will comply with these rules, leaders of provider organizations should ask themselves the following:
- How are you managing ePHI? Is your organization — either intentionally or inadvertently — blocking information?
- Do you have the technical capability for bulk data sharing?
- Do you have the technical capability to meet the CMS’s Condition of Participation requirement of sending real-time e-Notifications to patient-identified providers?
- Are you prepared to educate your patients about the benefits and risks of accessing their data using third-party apps?
CMS and ONC Rules: Impact on Payers
As they consider how they will comply with these rules, leaders of payer organizations should ask themselves:
- Do you have the technical infrastructure to implement and maintain a secure, standards-based Patient Access API that allows patients to easily access their claims and encounter information, including cost, as well as a defined sub-set of their clinical information through third-party applications of their choice?
- Do you have the technical infrastructure to implement a FHIR-based Provider Directory API?
- Do you have in interoperability solution that integrates easily with your existing systems?
- How will your infrastructure support all requirements for payer-to-payer exchange?
- Do you have the infrastructure to build, manage, maintain, expose, and govern FHIR APIs?
- Can your vendor partners enable use cases outside of the CMS requirements, such as those outlined by the DaVinci Project and SMART on FHIR?
And Keep in Mind:
- By failing to meet this requirement, vendors risk losing ONC certification, as well as being named on the ONC’s list of information-blocking offenders.
- Vendors must rely on the Oauth 2.0 protocol to ensure patient data security.
- Vendors that have taken the “walled garden” approach to storing patient data will have to restructure business models regarding how they store and allow access to patient data.
- For the first two years after the rules go into effect, data access and exchange will be restricted to USCDI, which is the minimum data you need to be able to transmit as a vendor, as a provider organization is that core data set.
How Lyniate Can Help
Lyniate continues to invest and expand our current native FHIR capabilities, ensuring our products can enable interoperability success in tomorrow's regulatory climate, while adding critical business value today.
Corepoint and Rhapsody can fit into virtually any infrastructure footprint. Because we specialize in healthcare interoperability, our products can support interaction with virtually any other system vendors will find within a health IT ecosystem.
With our suite of FHIR-native tools implementations can be built quickly and efficiently.
Lyniate has the best in KLAS services team for the interoperability market and can provide health IT vendors the resources to meet tight implementation timelines.
Lyniate partners with a number of innovative, trusted health IT vendors and consulting groups that can assist with compliance concerns.
How Lyniate Can Help You Accelerate FHIR Deployments
FHIR can be used in a variety of workflows for everything from remote patient-monitoring devices to large multi-facility hospital information systems. FHIR not only enables new workflows, such as those related to patient engagement, but also more traditional communications between applications. The current versions of Corepoint and Rhapsody integration engines can be used to support workflows in many ways, with or without FHIR, such as:
- Traditional application-to-application interoperability within the four walls
- External connectivity
- National exchanges
- Mobile applications
- Home health devices
Have a question about how the CMS and ONC rules will affect your organization? Drop us a line at firstname.lastname@example.org, and we’ll get in touch with you.