CMS and ONC Final Rules – What It Means for Providers and Payers


Updated on April 24, 2020

The following update is provided by emids subject matter experts (SMEs) in the Provider and Payer Business Units, covering Health IT policy changes that are important to our customers and partners.

On April 21, 2020, the U.S. Department of Health and Human Services (HHS) filed the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) Interoperability final rules. Additionally, the Office of Inspector General (OIG) filed a proposed rule that would amend HHS’ civil money penalty (CMP) rules. The CMS and ONC final rules are scheduled to be published in the Federal Register on May 1, 2020. Due to the COVID-19 public health emergency, HHS modified some dates from the HHS-approved versions released on March 9, 2020 and will also exercise enforcement discretion in some cases.

Below is a summary of the noted changes and of the OIG proposed rule. The updates are also included in the original posting. Additionally, we have updated links under the Sources section based on the 4/21/2020 updates.

Summary of the implementation timeline changes in the CMS and ONC Final Rules

Rules
Policies
Compliance Dates
 
CMS Payer Policies
1 – Patient Access Through APIs 
Compliance date: January 1, 2021 Update: CMS will not enforce this requirement until July 1, 2021
2 – API access to published provider directory data
Compliance date: January 1, 2021 Update:  CMS will not enforce this requirement until July 1, 2021
CMS Provider Policies
3 – Admission, Discharge, and Transfer Event Notifications
Compliance date: Applicable Fall 2020 Update: Applicable Spring 2021 (effective 12 months after the final rule is published in the Federal Register, which is scheduled for May 1, 2020)
ONC Policies
1 – Information Blocking
Compliance date:  Beginning fall of 2020, full compliance required by 2022 Update: The compliance date required by November 2, 2020.  
2 – EHR certification criteria updated
Notable certification updates include:
  • Adoption of the USCDI – Vendor compliance:  Year 2022 Update: 24 months plus 3 months after final rule publication May 1, 2020
  • Clinical Quality Measures (CQMs) Report – Effective date: 60 days after publication of final rule Update: final rule publication May 1, 2020
  • Electronic Health Information (EHI) Export – Vendor compliance: Year 2023 Update: 36 months plus 3 months after final rule publication May 1, 2020
  • Application Programming Interfaces – Vendor compliance: Year 2022 Update: 6 months plus 3 months after final rule publication May 1, 2020

Summary of the OIG Proposed Rule

The OIG proposed rule — Grants, Contracts, And Other Agreements: Fraud and Abuse; Information Blocking; Office Inspector General’s Civil Money Penalty Rules — would incorporate statutory changes in three areas: (1) new authorities for civil money penalties (CMPs), assessments and exclusions related to HHS grants, contracts and other agreements; (2) new CMP authorities for information blocking; and (3) increased maximum penalties for certain violations.

  • CMP authorities for information blocking apply to health IT developers or other entities offering certified health IT, health information exchanges and health information networks.
  • The CMS authorities in this proposed rule do not apply to health care providers who engage in information blocking; appropriate disincentives will be established in future notice and comment rulemaking.
  • The OIG may impose a penalty of not more than $1,000,000 per violation. OIG proposes a definition of “violation” in the proposed rule to clarify how they would determine the number of information blocking practices that might be penalized (a single violation or multiple violations). Each violation would be subject to a separate penalty.

Original Post

On March 9, 2020, the U.S. Department of Health and Human Services (HHS) released two health IT final rules requiring implementation of new interoperability policies.

  • The Centers for Medicare and Medicaid Services (CMS) Interoperability and Patient Access Final Rule focuses on patient access to electronic health information (EHI) and interoperability among providers, payers and patients.
  • The Office of the National Coordinator for Health Information Technology (ONC) Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule focuses on health IT certification, which applies to health IT developers; and policy guidance on what does not constitute information blocking, which applies to health care providers, health IT developers of certified health IT, and health information networks or exchanges.

The goal of CMS’ Interoperability and Patient Access Final Rule is to put patients first, giving them access to their health information when they need it most and in a way they can best use it.4  The goal of ONC’s Cures Act Final Rule is for patients to access their electronic medical record at no additional cost and for providers to choose the IT tools that allow them to provide the best care for patients, without excessive costs or technical barriers.9

This blog covers highlights of the CMS and ONC final rules and includes insights from emids’ Provider and Payer SME teams’ analysis.

CMS Final Rule Policies for Payers and Providers

CMS finalized four new policies for payers and three for providers.  They did not finalize the requirement for payers to participate in a trusted exchange network.

The new CMS policies break down the barriers that impede patients’ ease of access to their electronic health care information; they create and implement new mechanisms for patients to access their own health care information, as well as the ability to decide how, when, and with whom to share their information.

For Medicare and Medicaid payer organizations, new policies require use of open application programming interfaces (APIs), and health information exchange and care coordination across payers.  For Medicare and Medicaid providers, new policies include deterrents for not attesting yes to required information blocking statements, and a new condition of participation (CoP) requirement for electronic patient event notifications.

Payer Policies

The four new policies for payers, with some potential implications for providers as well, are as follows.

1 – Patient Access Through APIs 

CMS regulated payers are required to use standardized, open APIs to make claims and encounter data available to patients in these programs.

Compliance date:  January 1, 2021 Update: CMS will not enforce this requirement until July 1, 2021

What this means for Payers and Providers

  • Payers will need to:
    • Define and implement a micro services architecture for API enablement strategy
    • Establish an end-to-end API operating model, including security.
    • Implement, configure and maintain security functionalities of the API and the electronic information systems it connects to.
    • Review and possibly update security policies to support this need.
    • If third party developers start utilizing the API to access payer systems, payers will need to have a plan to validate/approve the access of their systems’ APIs (Apple Health, Coral, etc.).
  • Providers who have their own health plan that includes Medicare Advantage will also need to address this.

2 – API access to published provider directory data

CMS-regulated payers are required to make provider directory information publicly available via a standards-based API.  This would include the names of providers, addresses, phone numbers and specialty.  This requirement does not include Qualified Health Plan (QHP) issuers in the Federally Facilitated Exchanges (FFEs) as they are already required to make provider directory information available.

Compliance date:  January 1, 2021 Update: CMS will not enforce this requirement until July 1, 2021

What this means for Payers and Providers

  • The impact for payers should be minimal as most plans have the data available via “Find a Doctor” functionality for their members. The impact will be if this information is not currently available via an API.
  • Providers who have their own health plan that includes Medicare Advantage will also need to address this.

3 – Payer-to-Payer Data Exchange

CMS-regulated payers are required to exchange certain patient clinical data at the patient’s request, allowing the patient to take their information with them as they move from payer to payer over time to help create a cumulative health record with their current payer.  This would require payers to maintain a process for the electronic exchange of, at a minimum, the data classes and elements included in the United States Core Data for Interoperability (USCDI) standard via a payer-to-payer data exchange.  The impacted payers are required to incorporate the data they receive into the enrollee’s record; and with the approval and at the direction of a current or former enrollee, a payer must send the defined information set to any other payer.  A payer is only obligated to send data received from another payer under this policy in the electronic form and format it was received, and they are required to make data available with a date of service on or after January 1, 2016.

Compliance date:  January 1, 2022 Update: no change

What this means for Payers and Providers

  • Payers must implement the processes and technology to facilitate data exchange with other payers and ensure standard clinical data set (specifically the USCDI) is in place.
  • Providers who have their own health plan that includes Medicare Advantage will also need to address this.

4 – Increased Frequency of federal-state data exchanges for dual eligible members

States are required to exchange Medicare and Medicaid enrollee data daily with CMS.

Compliance date:  April 1, 2022 Update: no change

What this means for Payers and Providers

  • Each state must implement system changes to support daily enrollee exchanges with CMS. This addresses notification of patients with dual Medicare and Medicaid coverage.
  • Providers who have their own health plan that includes Medicare Advantage will also need to address this.

Provider Policies

The 3 policies for Providers apply to:

  • Hospitals = eligible hospitals (EH), short-term acute care, long-term care, rehabilitation, psychiatric, children’s, cancer hospitals, and critical access hospitals (CAHs); includes the hospital Promoting Interoperability (PI) Program
  • Clinicians = physicians and eligible clinicians (EC); includes the Quality Payment Program (QPP)

1 – Public reporting and information blocking

CMS will publicly report eligible clinicians, hospitals, and critical access hospitals (CAHs) that may be involved in information blocking based on how they attested to the CMS Promoting Interoperability (PI) Program or CMS Merit-based incentive payment system (MIPS).

Compliance date: Based on 2019 attestations, public reporting becomes applicable in late 2020 Update: no change

What it means for Providers and Payers

  • Currently, submission of data to the CMS PI program or MIPS requires providers to answer 3 prevention of information blocking attestation statements. Providers and hospital organizations will need to be educated that their answers to these statements will be disclosed to the public.
  • Providers will need to have policies and procedures in place to ensure information blocking practices are prevented.
  • Payers could publish this for their provider network.

2 – Digital contact information

CMS will begin publicly reporting in late 2020 those providers who do not list or update their digital contact information in the National Plan and Provider Enumeration System (NPPES).

Compliance date: Applicable Late 2020 Update: no change

What this means for Providers and Payers

  • CMS would require all individual health care providers and facilities to take immediate action to update their NPPES record online to add digital contact information.
  • For a commercial payer who also owns and manages provider practices, the payer may need to ensure that NPPES is updated appropriately for their providers who see Medicare patients.
  • For Providers this would mean establishing a monitoring and maintenance process to ensure internal provider dictionaries include the most up to date digital contact information.
  • Providers should work with their electronic health record (EHR) vendors to help them clean up provider master files to ensure up-to-date digital information and current National Provider Identifier (NPI) has been updated.

3 – Admission, Discharge, and Transfer Event Notifications

CMS is modifying their Conditions of Participation (CoPs) to require hospitals, including psychiatric hospitals and critical access hospitals, to send electronic patient event notifications of a patient’s admission, discharge, and/or transfer to another healthcare facility or to another community provider or practitioner.

Compliance date: Applicable Fall 2020 Update: Applicable Spring 2021 (effective 12 months after the final rule is published in the Federal Register, which is scheduled for May 1, 2020)

What this means for Hospitals and Payers

  • Implementation of this data exchange is significant; hospitals will need to either build out additional interfaces or engage with a third-party application, and/or a Health Information Exchange (HIE) to satisfy this requirement.
  • Payers can capture this in care management systems to track and engage in any relevant programs as required.

ONC Final Rule Policies for Providers, Health IT Developers and Health Information Networks (HINs) and Exchanges (HIEs)

The Final Rule includes provisions that require support for modern computing standards and application programming interfaces (APIs); and prevent industrywide information blocking practices and other anti-competitive behavior by those entrusted to hold patients’ electronic health information (EHI).9

The rule implements certain provisions of the 21st Century Cures Act.  In this blog, we highlight the provisions that most affect emids clients and partners.  This includes:

1. Information Blocking

2. Updates to the 2015 Edition Certification Criteria, including Adoption of the United States Core Data for Interoperability (USCDI) as a Standard

3. Health IT for the Care Continuum

1 – Information Blocking

The rule identifies and outlines eight reasonable and necessary activities that interfere with the access, exchange, or use of EHI, but do not constitute information blocking provided certain conditions are met.  The intent is to prevent “information blocking” practices (e.g., anti-competitive behaviors) by healthcare providers, developers of certified health IT, HIEs, and HINs.

The eight exceptions are divided into two categories and are as follows:10

  • Exceptions that involve not fulfilling requests to access, exchange, or use EHI

1. Preventing Harm Exception

2. Privacy Exception

3. Security Exception

4. Infeasibility Exception

5. Health IT Performance Exception

  • Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI

6. Content and Manner Exception (new to final rule)

7. Fees Exception

8. Licensing Exception

Compliance date:  Beginning fall of 2020, full compliance required by 2022 Update: The compliance date for the following Information Blocking provisions is required by November 2, 2020.   

  • 45 CFR 170.401: Information blocking: Condition of Certification requirement.
  • 402(a)(1): Assurances: Condition of Certification requirement (1) A health IT developer must provide assurances satisfactory to the Secretary that the health IT developer will not take any action that constitutes information blocking as defined in … on and after November 2, 2020, unless for legitimate purposes as specified by the Secretary; or any other action that may inhibit the appropriate exchange, access and use of electronic health information.
  • 45 CFR part 171: Information Blocking: General Provisions; Exceptions that involve not fulfilling requests to access, exchange or use electronic health information; and exceptions that involve procedures for fulfilling requests to access, exchange or use electronic health information.

What this means for Providers and Payers

  • The provider or healthcare organization must have appropriate policies and procedures in place to ensure information blocking practices are prevented.
  • Providers will need to put forth processes to mitigate against any information blocking complaints.
  • If one of the information sharing exceptions applies to the provider organization, policies and procedures need to clearly state why it is appropriate not to share information, as the final rule provides very specific conditions that must be met for the exception to apply.
  • The Security Risk Analysis should include language on information blocking prevention.
  • Like providers, payers will also need to establish policies.
  • Future rule provisions may penalize providers if they are found to be engaged in information blocking and do not demonstrate that they meet the outlined exceptions.

2 – EHR certification criteria updated

The functionality criteria that EHR vendors need to demonstrate in order to become a certified EHR technology (CEHRT) was updated.  Providers are required to implement and use CEHRT to participate in several CMS payment incentive and quality reporting programs.  Notable certification updates include:

  • Adoption of the USCDI – this standard sets the baseline of data classes that should be available for health information exchange.  Vendor compliance:  Year 2022 Update: 24 months plus 3 months after final rule publication May 1, 2020 
  • Clinical Quality Measures (CQMs) Report – this standard requires Health IT Modules to support the CMS QRDA Implementation Guide (IGs); it removed the Health Level 7 (HL7®) Quality Reporting Document Architecture (QRDA) standard requirements.  Effective date:  60 days after publication of final rule Update: final rule publication May 1, 2020
  • Electronic Health Information (EHI) Export – new functionality that would allow patients to request an export of their EHI.  Vendor compliance:  Year 2023 Update: 36 months plus 3 months after final rule publication May 1, 2020
  • Application Programming Interfaces – criterion updated to support the multiple patient data API calls (previously certification criteria only required single patient calls) and requires the use of the Health Level 7 (HL7®) Fast Healthcare Interoperability Resources (FHIR®) standard Release 4.  Vendor compliance:  Year 2022 Update: 6 months plus 3 months after final rule publication May 1, 2020
  • Security Tags and Consent Management – new functionality will allow tagging of sections of the continuity of care document (CCD) as containing sensitive information, allowing for transmission of the CCD even if portions of the document are restricted.  Vendor compliance: Year 2022

Compliance date:  Years 2022 and 2023

What this means for Providers

  • Providers will need to implement updated and new EHR functionality once available from their vendor.
  • Workflow processes will also need to be updated to support the new EHR functionality provided.
  • For health IT developers, the CQM Report change will reduce burden; and providers will no longer have to develop and support two forms of the QRDA standard (QRDA I, individual patient level report; and QRDA III, aggregate quality report). It will enable a user to electronically create a data file for transmission of clinical quality measurement data based on their care setting.
  • Vendors of certified health IT must keep their clients current by making available updated certified health IT capabilities for interoperability and the essential data set required for exchange (Version 1 of the USCDI within 27 months, 39 months for EHI Export).12
  • Health IT vendors will need to attest to HHS and their certifying body their compliance with conditions of certification that assure they will not engage in information blocking, provide real world support for interoperability, and support API access for all verified registered users (including developers) who seek to connect applications to APIs to access EHI held by a health IT vendor’s certified products.12
  • Providers should ensure there is evidence of the attestations done by health IT vendors.

3 – Health IT for the Care Continuum

ONC identified the EHR certification criteria that would support voluntary certification of health IT for pediatric care and pediatric settings.

Compliance date:  Future Rulemaking

What this means for Providers

  • Pediatric providers may be interested in proactively implementing the recommended certified EHR functionality.

Points of view and interpretation were relevant at time of authorship; however, they are subject to change over time.  For more information about these new policies, contact us at engage@emids.com.

Updated Sources

1. CMS final rule titled:  Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-facilitated Exchanges, and Health Care Providers

2. CMS Website 4/21/2020 Announcement: CMS Interoperability and Patient Access final rule

3. CMS Press Release

4. CMS Fact Sheet: Interoperability and Patient Access Fact Sheet

5. ONC final rule titled: 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program

6. ONC Website: ONC’s Cures Act Final Rule

7. ONC Press Release / Announcements

    • 4/21/2020: Statements from the Office of the National Coordinator for Health IT and the Centers for Medicare & Medicaid Services on Interoperability Flexibilities amid the COVID-19 Public Health Emergency
    • 4/21/2020, ONC Announcement: Enforcement Discretion
    • 3/9/2020: HHS Finalizes Historic Rules to Provide Patients More Control of Their Health Data

8. ONC Blog, 3/9/2020: The Cures Act Final Rule: Interoperability-Focused Policies that Empower Patients and Support Providers

9. ONC Fact Sheet: The ONC Cures Act Final Rule

10. ONC Fact Sheet: Information Blocking Exceptions

11. ONC Fact Sheet: Information Blocking Actors

12. HIStalk News, 3/11/2020: Cerner’s summary of what the new regulations mean for developers

13. OIG proposed rule title: Grants, Contracts, And Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules

14. OIG Announcement: OIG proposes rule for civil money penalties for information blocking

Sign up to receive our latest insights