
CMS, ONC just finalized sweeping rules on patient data. Here are our 4 key takeaways.

March 9, 2020

    On Monday, CMS and the Office of the National Coordinator for Health IT (ONC) dropped two highly anticipated final rules to expand patients' access to health information, improve interoperability, and crack down on information blocking.

    The final rules are largely consistent with what was initially proposed, with a few important differences.

    The CMS rule finalizes the agency's plan to improve access to clinical, encounter, claims, and other types of data that can be shared among patients, plans, and federal agencies through FHIR-standard Application Programming Interfaces (APIs), but does little to address payers' concerns around the types of cost data being shared. The rule also finalizes ways CMS can discourage information blocking, capture more electronic addresses for providers, and require hospitals to electronically send admission, discharge, and transfer notifications.

    The ONC rule finalizes major changes to the health IT certification program that will require developers to update their technology. The final rule also clarifies how the health care industry can prevent information blocking among health care providers, health IT developers, exchanges, and health information networks. However, some provider groups already have noted that the rule does not address a key concern: protecting private patient data from third parties.

    Our teams will spend the next few weeks diving into the 1,718 pages of regulations to examine the key provisions providers, payers, and health IT developers need to know.

    Below we've outlined four initial takeaways from the final rules. Be sure to join us on Tuesday, April 7 at 3 p.m. EDT, where we'll unpack the final rules in full.

    Our 4 key takeaways so far

    1. HHS is moving full steam ahead despite industry pushback.

      Together, CMS and ONC are taking significant steps to "crack down" on silos of patient data and any practices that prohibit access to, and exchange of, information in the health care industry. We anticipate these rules will serve as a floor on which CMS and ONC will build to continue to encourage greater interoperability. In the meantime, providers and payers should begin preparing to answer patient questions as patients' access to cost and other data expands and as providers and payers are called on to better share patient data.

    2. CMS doesn't back down on access to data through APIs.

      The final CMS rule follows and expands on the MyHealthEData initiative, and requires specific types of plans and agencies to provide information to patients via APIs and share beneficiary data between plans. While payers in comments raised concerns about the lift these new regulations would require, as well as the impact of making certain cost data publicly available, CMS appears to be moving forward with its proposal (and intends to leave regulation of third-party apps to the FTC). For payers, this means patient education should be a major strategic imperative. We expect payers to see an influx of patients accessing cost data through APIs, and payers need to prepare to provide better guidance and education to help members select emerging apps, interpret the information, and make health care decisions.

    3. Big changes in store for ONC's Health IT Certification program.

      Certification criteria have been removed, revised, or newly added to support evolving health IT standards and interoperability. This means IT developers must update their software to comply within 24 months for revised and 36 months for newly added criteria. Stakeholders should ask their IT vendors when they expect to make CEHRT updates available in their product roadmap.

    4. CMS adds an eighth prevention of information blocking exception.

      Providers, health IT developers, health information exchanges, and health information networks are all considered "actors" in prevention of information blocking. ONC finalized eight exceptions: Seven were included in the proposed rule, and were finalized with some updates and clarifications, while one was added in the final rule. All actors should start educating stakeholders as soon as possible to comply with these policies.

      The eight finalized exceptions to information blocking are:

      • Preventing harm exception;
      • Privacy exception;
      • Security exception;
      • Infeasibility exception;
      • Health IT performance exception;
      • Fees exception;
      • Licensing exception; and
      • Content and manner exception (NEW).

