In April of 2020, the Centers for Medicare and Medicaid Services issued the Interoperability and Patient Access final rule (CMS-9115-F). As part of the federal government’s MyHealthEData initiative, the new rule’s goal is to give patients greater access to and control over their personal health data. It’s an important shift that will likely set a new bar for all healthcare entities moving forward (beyond just Medicare and Medicaid).
But CMS-9115-F also represents a massive overhaul in the way healthcare organizations structure, manage, and share patient data. Pulling it off will require a great deal of preparation and coordination across the healthcare industry. And that almost certainly includes your organization.
The CMS’s compliance deadlines are fast approaching. If you don’t meet them, your organization will be vulnerable to hefty penalties. The time to start planning is now. However, not all of the new policies will need to be implemented at the same time. And on top of that, not all of them will require the same level of effort to achieve. The first step in meeting the deadlines is to understand what’s required and when it’s due. In this article, we’ll discuss the three key provisions laid out in CMS-9115-F — and let you know how to prioritize your IT activities over the next year.
The 3 Key Provisions in the CMS Interoperability Standards — and Their Deadlines
CMS-9115-F includes a number of individual requirements. However, the following three major provisions make up the bulk of the new regulations. With each provision, we’ll take a look at who is affected, what’s required, and when you’ll need to be compliant.
Patient Access API
What is it?: The Patient Access API empowers users to be in command of their own health data by allowing them to transfer their data to the third-party applications of their choice.
Who is affected?: CMS-regulated payers, specifically MA organizations, Medicaid Fee-for-Service (FFS) programs, Medicaid-managed care plans, CHIP FFS programs, CHIP-managed care entities, and QHP issuers on the FFEs, excluding issuers offering only stand-alone dental plans (SADPs) and QHP issuers offering coverage in the Federally-facilitated Small Business Health Options Program (FF-SHOP). In short, this provision applies to any payer that accepts payments from government healthcare programs, including Medicare, Medicaid, Medicaid Advantage, and CHIP.
What is required?: Impacted organizations must implement and maintain a secure, standards-based (HL7 FHIR Release 4.0.1) API that allows patients to easily access their clinical, claims and encounter information. This includes healthcare costs as well as a defined subset of their clinical information through a wide variety of third-party applications.
Compliance deadline: January 1, 2021 (for QHP issuers on the FFEs, plan years beginning on or after January 1, 2021). However, CMS won’t enforce compliance or levy penalties until July 1, 2021.
Provider Directory API
What is it?: A provider directory API is a database of all the in-network providers with whom a payer partners. Per the CMS’s requirements, these directories should be personalized to each user so that patients understand exactly which providers are available to them. Provider directories typically include the providers’ location and contact details, as well as a link to schedule an appointment. Many private insurers already have a provider directory. If that’s the case for your organization, then the only new requirement is to make the directory available via a standardized API.
Who is affected?: MA organizations, Medicaid and CHIP FFS programs, Medicaid-managed care plans, and CHIP-managed care entities
What is required?: Impacted organizations must expose their provider directories via a standardized API.
Compliance deadline: January 1, 2021. However, CMS won’t enforce compliance or levy penalties until July 1, 2021.
Payer-to-Payer Data Exchange
What is it?: This provision requires payers to create an interoperable interface that allows patients to switch between participating health insurance providers without having to manually transfer their personal data from one provider to the next. Over time, this will allow patients to compile a cumulative health record that can be accessed at any time and with any payer.
Who is affected?: CMS-regulated entities
What is required?: Impacted organizations must create the necessary interfaces to exchange certain patient clinical data — specifically, the U.S. Core Data for Interoperability (USCDI) version 1 data set — at the patient’s request.
Compliance deadline: January 1, 2022. No grace period is currently anticipated for this provision.
Prioritizing Your Interoperability and Patient Access Roadmap
Now that you understand what’s required, the next step is to compile a CMS-9115-F roadmap and prioritize your efforts.
As with any large project, you should plan to start with the biggest, most time-sensitive tasks first. And in this case, one challenge clearly rises above the rest. Creating a patient access API promises to be a major undertaking, one that will easily require the lion’s share of your effort.
Many industry leaders are focusing on the need to adapt the FHIR format for all data outputs. While this is a key part of becoming compliant, the more complicated question is how you plan to organize your data on the back end.
To do this well, you’ll need to:
- Identity and locate each of your individual data sources (including clinical data and lab results, provider encounter data, and claims data).
- Gather all of your data into one central repository. Given that your disparate databases are likely structured in unique ways, making them “mesh” into a coherent structure may be especially difficult.
- Address quality issues within your aggregated data, including duplicated, missing, and corrupted data.
Consider your API’s security and ensure that you remain HIPAA-compliant even as you pass data out of your closed-loop system and into the hands of third-party providers.
Once you’ve got the patient access API project well underway, turn your attention to the provider directory API. And the payer-to-payer data exchange, which is due a full year after the other two provisions, can wait until after you’ve finalized your patient access and provider directory APIs.
Ready to get started? Read more about the Interoperability and Patient Access rule, then take our Interoperability Readiness Quiz to find out where your organization currently stands.
Want helping planning and executing a CMS interoperability compliance roadmap? We’d love to talk.