What Providers Should Know for CMS Interoperability Rule Compliance

Security

To comply with the interoperability and patient access final rule, most provider organizations are implementing application programming interfaces (APIs).

APIs are widely leveraged across business sectors. When someone checks the weather on her phone, uses a website to search for a flight, or sends a direct message, she is using an API.

Put simply, an API sends information back and forth between a user and a website or app.

To ensure the security of patient health data through APIs, CMS adopted Health Level 7 (HL7) Fast Healthcare Interoperability Resources (FHIR) Release 4.0.1 as the foundational data exchange standard.  

“Patients have a right under HIPAA to access their health information,” CMS officials noted in a fact sheet. “We believe they also have a right to know their health information is exchanged in a way that ensures their privacy and security. We are working to balance these important issues in a way that empowers patients to be in charge of their healthcare.”

EHR Exchange

The final rule requires hospitals, psychiatric hospitals, and critical access hospitals (CAH) that use EHR systems or other electronic administrative systems to demonstrate that its system can comply with federal data exchange standards and regulations. This will advance electronic exchange of information between providers for care coordination, CMS said.

First, provider organizations must show that their system can generate the minimum information for electronic patient event notifications regarding a patient's admission, discharge, and/or transfer to another health care facility or to another community provider or practitioner.

This information includes the patient's basic demographic information, as well as the name of the sending institution and, if not prohibited by other applicable law, the patient's diagnosis.

Next, provider organizations must demonstrate that their EHR system has the capacity to send patient event notifications through the ADT messaging standard to all applicable post-acute care providers. This includes primary care practitioners and groups, and other practitioners and groups identified by the patient as primarily responsible for her care.

“We are establishing that this policy will be applicable 12 months after publication of this rule for hospitals, including psychiatric hospitals, and CAHs to allow for adequate and additional time for these institutions, especially small and/or rural hospitals as well as CAHs, to come into compliance with the new requirements,” the final rule states.

Digital Contact Information

Additionally, the final rule requires providers to input their digital contact information in the National Plan and Provider Enumeration System (NPPES) system beginning in the second half of 2020, as proposed.

CMS noted that it will continue to ensure providers are aware of the benefits of posting digital contact information in NPPES. The agency said it will also ensure providers know when and where their names and NPIs will be posted if they do not include this information.

If providers know FHIR endpoint information, CMS strongly encourages them to enter it in NPPES.

Daily State Data Exchange

The CMS interoperability rule requires all states to participate in daily exchange of buy-in data, which includes sending data to CMS and receiving responses from CMS. Additionally, all states must submit the MMA file data to CMS daily by April 1, 2022. This data identifies all dually eligible individuals.

These requirements will improve the experience of dually eligible individuals by boosting provider and payer coordination for eligibility, enrollment, benefits, and care for this population.

As the digital health transformation progresses, these new regulations will promote interoperability, which could ultimately lead to a more connected health system that is equipped with the data needed to improve patient outcomes, according to CMS.