Final CMS Interoperability Rules Come without Privacy Requirements

The rule does not set requirements for the privacy and security of the apps and the data they contain. 

The Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) final interoperability rules were released last week, about a year after the proposed rules were published.

These groundbreaking rules provide requirements for electronic health records (EHRs) and federally administered health plans to make data available to patients in a standardized, mobile-friendly method, using HL7 FHIR standards. The rules also provide strict prohibitions against data blocking (like excess charges or technological hurdles), as well as specific exceptions to the prohibition (for privacy and security issues).

The rules will provide patients the ability to select their own applications to download certain clinical data from provider EHRs and claim data from the health plans. The clinical data exchange will also take place among providers, enabling them to share data from their EHRs in a standardized manner.  

While the application exchange requires only a certain subset of data to be available, EHRs will also be required to make the complete set of data for a patient available for exchange, as well as a complete set of data for all patients. This will make switching providers easier for patients, and switching EHRs easier for providers.

The CMS rule also requires Medicare-participating acute-care hospitals, long-term care hospitals, inpatient rehabilitation facilities, psychiatric hospitals, children’s hospitals, cancer hospitals, and critical access hospitals to send electronic notifications to receiving providers when an inpatient is admitted, discharged, or transferred.

While the notification requirement mentioned above will be required six months after the rule is published, there are much longer time frames for the exchange requirements.

Some of the key dates include the following:

• No later than 24 months after publication, new HL7® FHIR®API capability must be rolled out.
• No later than 36 months after publication, EHI export capability must be rolled out.
• Six months after publication, compliance starts for information blocking rules for the limited data exchanged through apps.
• Twenty-four months after publication, compliance with exceptions will be required for the full set of electronic health information.

ONC and CMS envision a robust market of applications for consumers to use in both acquiring their data, and more importantly, using their data to help manage their health. The rule sets the standards for the data acquisition, but does not set any other requirements for the application capabilities or the privacy and security of the apps and the data they contain. 

The final rule made some minor changes to definitions and some of the blocking criteria, as well as revising the compliance dates. Despite the long time between the proposed and final rules, there does not appear to be any significant changes between them.