America's Health Insurance Plans and many other healthcare industry groups are urging the Centers for Medicare & Medicaid Services (CMS) to take a phased approach to its proposed interoperability rule, saying the proposed 2020 implementation timeline is "unrealistic."
The proposed rule (PDF), which CMS released back in February, would require Medicaid, the Children’s Health Insurance Program, Medicare Advantage plans and Qualified Health Plans to make enrollee data immediately accessible via application programming interfaces (APIs) by 2020. The Department of Health and Human Services received 1,700 comments on the rule.
In its comments to CMS, AHIP said the timeline for the rule should be phased-in no sooner than 2022 and also tied to the development of standards as well as consumer privacy protections.
"We have significant concerns that the proposed implementation timeline fails to recognize both the operational complexity associated with building the required technology and the lack of mature standards for the proposed data elements and exchange," the organization said.
The American Medical Informatics Association (AMIA) also called (PDF) for a phased approach for health plan data to be made available via open APIs. Under CMS's proposed rules, open APIs would need to be in place by January 2020 for MA and QHP plans, and July 2021 for Medicaid and CHIP agencies, AMIA said.
The government’s timelines are too aggressive, given the state of standards development and adoption, AMIA said. For instance, CMS would have required the adoption of new data standards proposed by the Office of the National Coordinator for Health IT (ONC) as part of the U.S. Core Data for Interoperability by January 2020.
ONC is not expected to require certified health IT to generate such data until January 2021 at the earliest.
AMIA recommends CMS require payer data be made available to beneficiaries via open API beginning July 2020. The first phase would include claims and encounter data; the second phase would include clinical data and lab results; and the third phase would include drug benefit, pharmacy directory, and formulary data, the industry group said.
Here is a look at some of the top concerns that emerged from what industry stakeholders had to say:
Third-party apps and privacy protections
Many industry groups are concerned about protecting the privacy of patients' health data with increased data sharing.
"The proposed rules are complicated, intertwined, and may result in a patient’s information being shared with third parties—including those under no obligation to keep information private—in a way the patient didn’t foresee or want," said American Medical Association (AMA) president Barbara L. McAneny, M.D.
Before the rule is finalized, the AMA is urging (PDF) CMS to develop solutions to help establish transparency in how health information is used, who is using it, and how to stem data commoditization without a patient’s knowledge.
"For example, a patient’s app should have to reveal to the patient that his or her health information will be sold to other companies. And a health insurance company should be prohibited from using a patient’s medical record to increase prior authorization requirements,” McAneny said.
As written, the proposed rule includes no certification process for third-party apps, AHIP said. Given the access to personal health information these apps are expected to have, AHIP recommends that a process be established by the Federal Trade Commission (FTC), in partnership with CMS to vet apps for the adequacy of the consumer disclosures, as well as the privacy and security of the information once it is no longer governed by the Health Insurance Portability and Accountability Act (HIPAA).
"While CMS and others draw the parallel to use of third-party apps to conduct personal banking, the implications and consequences of the potentially widespread availability of personal health information are arguably far greater," AHIP said.
CMS should ask Congress to extend its authority to create a robust oversight and enforcement framework for these apps. "Consumers need confidence that this sensitive information is being treated with care and integrity to encourage widespread use of these apps," AHIP said.
AMGA also calls (PDF) for CMS to develop a certification program for APIs to reduce potential burden and liability on providers. "Providers should not be liable for misuse of patient data that is shared via a third-party application based in API technology," the group said.
The Medical Group Management Association (MGMA) noted that third-party application developers, which are entering the healthcare market at a rapid pace, are typically not required to abide by the provisions in HIPAA due to the fact they offer their applications directly to consumers and not on behalf of covered entities such as providers or health plans. CMS needs to develop an approach for how healthcare organizations subject to HIPAA share health data with non-HIPAA covered vendors.
The group says CMS, ONC, and the Office for Civil Rights should work with the private sector to develop a privacy and security trust or certification framework for third-party apps seeking to connect to APIs. "Such a program would not only foster innovation but also establish improved assurance to patients of the security of their information," the group said.
Medicare Conditions of Participation
CMS's proposed rule would revise the conditions of participation for Medicare and Medicaid participating hospitals to include a requirement for sending electronic notifications upon a patient's admission, discharge, and/or transfer (ADT) to another healthcare facility or provider.
The Healthcare Information and Management Systems Society (HIMSS) argues that the ADT requirement should not a condition of participation in Medicare, but instead urges CMS to make it a requirement as part of the Promoting Interoperability Program.
AMIA said CMS should move forward with a limited scope on eNotification Medicare conditions of participation requirements, starting with requiring hospitals to demonstrate ADT notifications for a single patient during 2020. "A single patient requirement should be seen as a stepping stone towards fuller requirements in subsequent payment years," AMIA said.
CMS also should compile stakeholder feedback over the next payment year to better understand which standards and technical approaches are preferred by industry, the group said.
In a joint letter, six former national coordinators for health IT said they applaud CMS’ proposal to revise the conditions of participation to advance interoperability. In the letter, signed by David Blumenthal, M.D.; David Brailer, M.D.; Karen DeSalvo, M.D.; Robert Kolodner, M.D.; Farzad Mostashari, M.D.; and Vindell Washington, M.D., said CMS's initial focus on ADT messages is a realistic starting point.
However, the former national coordinators note that technical gaps still exist and recommend CMS remove the express requirement to use certified EHRs for ADT messages. They suggest instead hospitals send direct notifications where feasible or use a trusted exchange network to make notifications available to all eligible receiving providers.
"We urge CMS and ONC to view implementation of this requirement as a learning experience to inform the logical outgrowth of applying the conditions of participation to a broader set of requirements focused on interoperability, beyond basic data exchange, and facilitating access to actionable data at the point of care to advance patient health and safety goals," the former national coordinators said.
The National Association of Accountable Care Organizations (NAACOS) urged CMS to implement this new ADT requirement "expeditiously," noting that many hospitals should be able to comply with these requirements today.
"ADT alerts would be an invaluable tool for ACOs’ ability to manage population health as CMS moves to place ACOs at higher levels of financial risk. If CMS wants to put ACOs under risk, they should give them the resources needed to succeed," the group said.
NAACOS also wants CMS to make it clear that ACOs are eligible to receive ADT notifications as part of the revision to conditions of participation.
Public reporting on information blocking on Physician Compare
To encourage information sharing and as a disincentive to information blocking, CMS also is proposing to make publicly available, on the Physician Compare website, the names of organizations and providers that submit a "no" response to any of the three attestation statements regarding the prevention of information blocking.
MGMA argues that this is the wrong approach. "By publicizing the fact that a provider submitted a 'no' response, the agency appears to be equating this with the quality of the healthcare they deliver," the organization said. "With no context provided to the patient for why the clinician stated “no” the patient may be left with the impression that the provider is somehow sub-par and should not be trusted."
If CMS moves forward with this proposal, MGMA recommends the agency conduct a two-year educational campaign offering additional clarification for providers.
HIMSS says it supports this proposal as "any healthcare practice that unreasonably limits the availability, disclosure, and use of electronic health information undermines efforts to improve interoperability."