CMS Interoperability Rule Compliance, API Use Will Require Rollout

CMS interoperability regulations that require patient access to health information began on July 1. However, provider compliance will take some time, according to Don Searing, PhD, vice president of Solutions Architecture at HGS Colibrium.

The CMS Interoperability and Patient Access final rule, which comes as part of the 21st Century Cures Act, requires that all healthcare providers grant patients access to their personal health information.

Most provider organizations are implementing application programming interfaces (APIs) to comply with the interoperability and patient access final rule.

In basic terms, APIs send information back and forth between a user and a website or app. When someone checks the weather on her phone, uses a website to search for a flight, or sends a direct message, she is using an API.

Searing likened regulation compliance to the integration of bill pay into banking.

Today, people can easily pay bills from their smartphone. However, when electronic bill pay first came on the scene, the process was a bit more convoluted; someone would request that the bank pay another entity a certain amount of money and the bank teller would mail a check for the individual.

As time went on, banks and businesses introduced APIs to allow people to pay bills digitally, effectively cutting out the bank as a middleman.

However, bill pay did not become seamless overnight, Searing explained. The process lacked a common language and developers had to catalog millions of digital endpoints to ensure the secure transfer of funds.

Searing said that the healthcare industry should expect the same growth period for the use of APIs as well.

“It’s going to start off ugly and manual,” Searing told EHRIntelligence in an interview. “There's millions of end points and there may be millions of consuming points. If I go into my HealthKit in my Apple Watch and say I want to load my information from a doctor, Apple is going to need to know where that end point is that I can access.”

With time and usage, these end point connections will grow, Searing predicted.

It will also take time for healthcare providers to comply with these new regulations as they require major health IT investments.

“Everyone's going to have to upgrade,” Searing said. “Getting health systems and providers to move to the next level or the next version is going to be a challenge. There's no way to flip a switch and make people compliant. There is going to be a little bit of a rollout.”

Reece Hirsch, JD, co-head of the privacy and cybersecurity practice at San Francisco law firm Morgan Lewis, has been working with health plans on compliance with CMS’ new patient access rule. On the payer side, the CMS rules require payers to use APIs to provide members with certain health data. Additionally, the CMS interoperability rule requires payers to produce an API-supported provider directory.

Hirsch echoed Searing’s point that compliance will not happen overnight, even for the payer-facing rule.

“It is a pretty big lift to implement this major new access requirement,” Hirsch told EHRIntelligence in a separate interview. “Not all plans were 100 percent ready on July 1. There's going to be some transition process and it remains to be seen how CMS responds to that.”

What’s more, once patients have access to personal health information, they will need tools to navigate their health record in a meaningful way that does not bury them in information, Searing explained.

“There are some openings here to bring in some new services that will help individuals access, and manage, and interpret this data,” Searing said. “Getting access to the information is really just the first step.”

The sheer volume of information could overwhelm providers as well, Searing noted. Just like patients, providers will rely on digital tools to curate information for more robust application.

“Once the data's out there and flowing, there's a lot of other capabilities that can be brought to bear that maybe we're not even thinking about today,” Searing suggested.

“It's always been shocking to me in this industry how much data you know is out there but you don't have access to,” he noted.

Greater interoperability should provide stakeholders with the data they need to advance care delivery through artificial intelligence (AI) and machine learning.

“AI and machine learning are highly dependent on the data that you have,” Searing explained. “There have been huge advances in machine learning and a lot of other technologies, but every one of those requires a dataset, something that we can work from.”

Additionally, providers will be able to request patient-generated health, wellness, and social determinants of health info through various applications to inform patient care. For instance, a provider could request data on a patient’s medical statistics from her smartwatch to view a bigger picture of what is going on.

“It’s the idea of bringing more of that wellness information together so that your doctor has a true view of what you're doing, what's going on in your life, and what's going on beyond just your medical conditions,” Searing explained.

The final rule could also benefit providers by giving them greater access to patient data as patients move from provider to provider.

“The patient access API is going to allow much easier access to patient data,” Hirsch said. “Providers are going to be able to gain access to patient information more quickly and seamlessly.”

For example, when a patient changes providers, her previous practitioner can send her health information to the new provider digitally instead of through a burdensome fax.

Searing explained that compliance with the CMS final rule will not just require financial investments in new health IT; it also requires a shift in the way patients and providers view health information across the country. Under HIPAA, health data privacy and security have been paramount.

“Everyone's been operating on the concept of, ‘I've been tasked with guarding this information with my life kind’ of approach,” Searing explained.

As health systems and providers comply with the new rule, they will have to lose hold of the idea that health information should be kept within their organization’s walls under lock-and-key.

“Hopefully, the same people who've been pushing to get these doors opened will help continue to push to get the data, tools, and services that we need to really bend the curve in the healthcare space,” Searing said.