HHS updates to EHR interoperability, information blocking

Interoperability key to care coordination and transparency

On February 11, 2019, the Centers for Medicare and Medicaid Services (CMS) and the Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) released proposed rules aimed at driving the US health care system toward greater interoperability of electronic health records (EHRs).

February 11, 2019 | Health care

Taken together with provisions of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) and the 21st Century Cures Act of 2016, the new proposed rules from CMS and ONC continue the push to make health care information more accessible to patients and providers as part of a larger effort toward value-based health care.

The proposed rules will be published in the Federal Register on March 4, 2019, with comments due on May 3, 2019.

The proposed rules would build upon CMS’ experience with the Blue Button 2.0 approach, which gave Medicare beneficiaries access to Medicare Part A, Part B, and Part D claims data via an application programming interface (API) based on the Fast Healthcare Interoperability Resources (FHIR) standard for exchange of health care data that was developed by Health Level Seven (HL7). The proposed rules would require Medicare Advantage organizations, Medicaid managed care organizations, CHIP managed care organizations and issuers of qualified health plans on federally-facilitated exchanges to provide claims and other health information to their own members. The new API requirements would apply to begin in 2020.

Although the proposed requirements would apply only to payers participating in government programs, CMS hopes payers would follow CMS’ example and provide data via APIs to members of commercial plans, as well.

For health care providers, the proposed rules would update the Medicare Conditions of Participation to require hospitals and critical access hospitals to provide automated, electronic patient event notifications from the discharging provider to another facility, or to another community provider as identified by the patient in an effort to alert the receiving provider that the patient has received care in another setting.

CMS intends for the proposed rules to make it easier for providers, patients, plans, and other stakeholders to “have appropriate access to the information necessary to coordinate individual care; analyze population health trends, outcomes, and costs; and manage benefits and the health of populations, while tracking progress through quality improvement initiatives.”

CMS and ONC put the proposed rules forward in the context of previous proposals. CMS included requests for information on interoperability in Medicare provider payment updates for 2019, while ONC in April 2016 issued a request for information on interoperability under MACRA. In the advanced notice and draft call letter for Medicare Advantage and Part D on February 1, 2019, CMS encouraged Medicare Advantage (MA) organizations to participate in interoperability and prior authorization coordination efforts similar to the Da Vinci project, an FHIR-based effort led by HL7 in which CMS has participated since 2018.

As an indication of CMS’ commitment to push forward with interoperability, CMS expects to include a proposal in rulemaking for the 2020 Inpatient Prospective Payment System/Long-term Care Hospital Prospective Payment System to update the Promoting Interoperability Program (formerly called Meaningful Use) to include activities with a focus on interoperability.

Stakeholder reaction

The American Hospital Association (AHA) stated the proposal for payers to provide claims information and provider directories via APIs “has the promise to give patients better information about all of their care.” AHA said it would not support the proposed change in conditions of participation to require electronic patient event notifications and instead encouraged CMS to “focus on building this exchange infrastructure rather than layering additional requirements on hospitals.”

America’s Health Insurance Plans (AHIP) said, “As we review the proposed rules, we will focus on ensuring it further protects patients, minimizes administrative burdens, and establishes clear data standards and operational protocols to put meaningful information into the hands of patients, providers, and insurance providers.”

Senate Health, Education, Labor, and Pensions (HELP) Committee Chairman Lamar Alexander (R-TN) voiced support for the proposed rules and said the HELP Committee would continue oversight of the rules.

Legislative definitions

The proposed rules generally build upon a definition of interoperability created in the Public Health Services Act (Section 3000(9), as amended) by the Cures Act:

The term "interoperability," with respect to health information technology, means such information technology that:

  1. Enables the secure exchange of electronic health information with, and use of electronic health information from, other health information technology without special effort on the part of the user;
  2. Allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law; and
  3. Does not constitute information blocking as defined in section 3022(a).

The Cures Act also defined information blocking generally as a practice that “is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” The definition goes on to provide examples of information blocking, including:

  • Practices that restrict authorized access, exchange, or use of electronic health information (EHI) for treatment and other permitted uses
  • Implementing health information technology in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI
  • Implementing health information technology in ways that:
    • Restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health information technology systems
    • Lead to fraud, waste, or abuse, or impede innovations and advancement in health information access, exchange, or use, including care delivery enabled by health information technology

Next steps

The proposed rules will be published in the Federal Register shortly and will have a comment period of 60 days, likely closing in late April.

Highlights of select key provisions of the proposed rules are provided below.

The CMS Interoperability and Patient Access proposed rule

Use of FHIR for APIs

CMS proposes to require that payers in all CMS programs be prepared to implement, test, and monitor an openly-published HL7 FHIR-based API. The proposed requirement would apply to:

  • Medicare Advantage (MA) organizations
  • State Medicaid Fee-for-Service (FFS)
  • Medicaid managed care
  • All Children’s Health Insurance Program plans and entities
  • Issuers of Qualified Health Plans (QHPs) on the Federally-facilitated Exchange (FFE)

CMS hopes that states operating their own exchanges would extend the requirement to QHPs participating in their exchanges.

The standards described in the proposed rule relating to establishing shared content, vocabulary, and technology standards, with the intention of preserving flexibility for competition and innovation among software developers, plans, and providers.

Under the proposal, the information required to be made accessible under the open API would include:

  • Adjudicated claims (including cost)
  • Encounters with capitated providers
  • Provider remittances
  • Enrollee cost-sharing
  • Clinical data, including laboratory results (where available)

CMS proposes that these programs and organizations would also be required to make information regarding provider directories and formularies available through the open API. The proposal for provider directories and formularies would not apply to QHP issuers in FFEs because such issuers already are subject to a similar requirement.

In most cases, all claims activity related to adjudicated claims (including cost) and encounter data for beneficiaries would need to be available on the open API no later than one business day after a claim is adjudicated or the encounter data is received by the plan.

In addition, Medicaid managed care plans would be required to include any data from subcontractors and providers compensated by the plan for services. Examples of such providers include behavioral health organizations, dental management organizations, and pharmacy benefit managers. Medicaid managed care plans would have to include all claims and encounter data, regardless of whether it is adjudicated or generated by the managed care plan itself, a subcontractor, or a provider compensated on the basis of capitation payments.

CMS proposes that the new requirements for MA plans take effect January 1, 2020, while the new requirements for QHP issuers in FFEs would take effect for plan years beginning on or after January 1, 2020.

CMS proposes that the new requirements for Medicaid FFS, Medicaid managed care organizations, and CHIP plans and entities take effect July 1, 2020, regardless of when their managed care contracts started.

APIs for provider directories and formularies

To ensure that consumers have access to up-to-date information on in-network providers, the proposed rule would require that all CMS program payers maintain provider directories that interface with APIs. FFE QHPs already are required to make directories available in a machine-readable format.

For MA plans, any changes to contracted providers would be required to be updated for the API no later than 30 business days after the directory itself is updated.

Medicaid managed care provider directories would be required to make the information accessible to the API no later than 30 calendar days after the state receives any updates to provider directory information.

Formulary information and pharmacy directory data would need to be available to the API, although the proposed rule does not disclose a timeframe for updates. The proposed rule solicits comments on whether a timeframe is appropriate for this information.

Health information exchange and cross-payer care coordination

CMS proposes that the agency’s program payers be required to support a process to coordinate care between plans by exchanging the data elements in the US Core Data for Interoperability (USCDI) standard at the request of the enrollee. The API that supports USCDI exchange includes lab results and tests, medications, health concerns, assessments and treatment plans, care teams, clinical notes, and other items related to care coordination.

The proposed rule would require that plans:

  1. Accept the data set from another plan that had covered the enrollee within the previous five years
  2. Send the data set at any time during an enrollee’s enrollment and up to five years later, to another plan that currently covers the enrollee
  3. Send the data set at any time during enrollment or up to five years after enrollment has ended to a recipient identified by the enrollee

The proposed policy is intended to reduce procedural redundancy and provider burden that may occur when a beneficiary switches plans. For example, sharing of USCDI information may help to avoid the re-issuance of letters of medical necessity, reduce inappropriate step therapy and utilization reviews, and could streamline prior authorization.

Trusted exchange networks

Currently, information exchange is often limited to payers and providers within set geography, or within a particular network. The proposed rule would require that payers in CMS programs have the capacity to participate in a trusted exchange network wherein plans and providers can share information without regard to the networks to which they belong.

Under the proposed rule, CMS payers would be required to join in a trusted exchange network as a condition of their contracts starting on January 1, 2020. The proposal would require that a trusted exchange network be able to:

  1. Exchange Protected Health Information (PHI) in compliance with all applicable state and federal laws across jurisdictions
  2. Connect both inpatient EHRs and ambulatory EHRs
  3. Support secure messaging or electronic querying by and between patients, providers, and payers

CMS states that a trusted exchange network would enable plans and providers to exchange health information on a nationwide scale.

Although CMS’ authority is limited to payers within its purview, the regulators believe that this requirement would lead to widespread participation in trusted exchange networks. Future regulation could expand the trusted exchange requirements to better enable payer-to-payer and payer-to-provider interoperability in an effort of improving care coordination and improve patients’ access to their own data.

CMS seeks comments on this potential approach, as well as the feasibility of the proposed effective date.


The proposed rule would require the exchange of data between Medicare and state Medicaid programs once every business day. Current rules require the exchange of data on a monthly basis.

The proposal is intended to improve the coordination of benefits across programs and to reduce misallocations of funds as enrollee status changes.

“Buy-in” is a practice where states may state elect to pay for Medicare Parts A and B premiums for certain beneficiaries who are dually eligible for Medicare and Medicaid. Currently, all states have buy-in agreements for Part B, and 36 states and the District of Columbia elect to buy into Part A, as well.

While many states currently report enrollment data to CMS for buy-in purposes on a daily basis, the proposed rule would require all states with buy-in agreements to do so by April 1, 2022. CMS states that a daily requirement will reduce the time needed to address improper transactions and administrative burdens on Medicaid programs and beneficiaries alike.

The proposed rule seeks comment on another possible rulemaking for improving the interoperability of state and federal systems.

Transparency on information blocking

In the interest of applying public pressure on non-compliant entities, the proposed rule would require the publication of any clinicians, hospitals, and critical access hospitals (CAHs) that have not attested to be in compliance with any one of the three statements on the prevention of information blocking. Attestation on information blocking compliance is a requirement for entities reporting on promoting interoperability measures in several federal programs.

The three statements on information blocking that entities attest to are:

  1. A health care provider must attest that they did not knowingly and willfully take action (such as to disable functionality) to limit or restrict the compatibility or interoperability of Certified Electronic Health Record Technology (CEHRT).
  2. A health care provider must attest that they implemented technologies, standards, policies, practices, and agreements reasonably calculated to ensure, to the greatest extent practicable and permitted by law.
  3. A health care provider must attest that they responded in good faith and in a timely manner to requests to retrieve or exchange electronic health information, including from patients, health care providers, and other persons, regardless of the requestor’s affiliation or technology vendor.

The proposed rule would report attestation information under the Quality Payment Program (QPP) as required by MACRA on Physician Compare.

For hospitals and CAHs, reporting would occur under the Medicare FFS Promoting Interoperability Program on a CMS website.

Digital provider contact information

The Cures Act requires that the HHS secretary establish a National Plan and Provider Enumeration System (NPPES) as a means of identifying providers to facilitate the electronic exchange of health information. The NPPES is a centralized directory of electronic addresses that relate to the national provider identifier (NPI) numbers for the purposes of data transfer. Recent updates to NPPES infrastructure now allow for several distinct types of digital address (e.g., direct address, FHIR server URL, query endpoint, or other digital contact information), as well as the preferred uses for a given address.

CMS states, “Ubiquitous, public availability of digital contact information for all providers is a crucial step towards eliminating the use of fax machines for the exchange of health information.” To that end, CMS proposes to initiate the public reporting of the names and NPIs of those providers who do not have digital contact information included in the NPPES system beginning in the latter half of 2020.

CMS requests feedback on the appropriate venue for this information, the frequency, and any other information that would be useful to encourage providers to update the NPPES.

Hospital and CAH conditions of participation for Medicare and Medicaid

To foster the electronic exchange of information in support of transitions of care between hospitals and community-based providers, the proposed rule updates the conditions of participation (CoPs) in Medicare and Medicaid to require that hospitals:

  • Transfer medically necessary information to another facility upon a patient transfer or discharge do so electronically
  • Send required discharge information to a community provider via electronic means if possible and if a community provider can be identified
  • Make certain information available to patients or a specified third-party application (for example, required discharge instructions) via electronic means if requested

The new CoPs refer to this information as a patient event notification, defined as “automated, electronic communications from the discharging provider to another facility, or to another community provider as identified by the patient, which alerts the receiving provider that the patient has received care at a different setting.”

The information within a patient event notification draws in large part from admission, discharge, and transfer (ADT) messages, which CMS describes as a standard message used within an EHR. ADT messages provide each patient’s personal or demographic information (such as the patient’s name, insurance, next of kin, and attending physician), when that information has been updated, and also indicate when an ADT status has changed. The ADT standard is identified as the minimum information needed for a patient event notification.

The requirement would be limited to hospitals that currently have EHR systems with the capacity to generate the needed information, exempting hospitals that have not been eligible for past programs that promote the adoption of EHRs.

Interoperability in the innovation center

The proposed rule devotes a segment to describing how interoperability can be integrated into new and existing payment and delivery models supported by the Center for Medicare and Medicaid Innovation (CMMI). Examples of how interoperability may become a focus for new models include models that would pilot new standards, and those that would leverage non-traditional or non-clinical data in model design (e.g., school data, housing, or food insecurity), or other sources of data related to social determinants of health.

CMS requests comment on the principles that CMMI should follow in developing such models for the following topics:

  • Provide patient access to their own electronic health information: New models could require providers interacting directly with patients to grant patients access to their own electronic health information and, upon the patient’s authorization, to third-party developers via APIs.
  • Promote trusted health information exchange: Models could require participants to be part of a comprehensive trusted exchange network that supports core functions such as electronic queries between patients, providers, and payers.
  • Adopt leading health IT standards and pilot emerging standards: Models could pursue new opportunities to exchange more types of health care data by piloting new FHIR standards and the advance adoption of new data classes in the USCDI (e.g., psychosocial data) to improve interoperability for care management, quality reporting, or other priorities.

Requests for information: Patient matching

CMS seeks feedback on how the private sector can support and scale a strategy for patient matching. The request for information (RFI) also seeks comment on how various alternative patient matching strategies might present similar security concerns to the UPI.

Regarding its program authorities, CMS asks for feedback on how it can improve patient identification, such as:

  • Requiring CMS payers to use a particular patient matching algorithm or third-party software
  • Expanding on the work of the unique Medicare ID to develop a CMS-wide identifier
  • Advancing more standardized data elements across programs to enhance data matching through standards such as the USCDI
  • Complementing CMS data and plan data from CMS payers with one or more verifying data sources for identity proofing
  • Supporting the connection of EHRs with other verifying sources for identity proofing

Requests for Information: other care settings

CMS seeks feedback on how the agency can promote interoperability among other health care settings such as long-term and post-acute care (PAC), behavioral health, settings serving dual-eligible beneficiaries, and those receiving home and community-based services.

Subjects that CMS seeks comment on include:

  • New interoperability measure concepts that address PAC, behavioral health, home, and community-based services, and other provider settings
  • Strategies to offer financial support for technology adoption and use in these settings
  • Whether to adopt PAC standardized data elements by expanding the USCDI process
  • Whether hospitals and physicians should be capable of collecting and exchanging a subset of PAC standardized patient assessment data elements (e.g., functional status, pressure ulcers/injuries) in their EHRs

Interoperability, information blocking, and the ONC Health IT Certification Program

Information blocking

The Cures Act defined practices considered to be information blocking of EHI by a health care provider, or a health information technology developer, exchange, or network (an “actor”). The Act allows for penalties of $1 million per violation, enforceable by the OIG.

Importantly, the Cures Act authorizes the HHS Secretary to identify in regulation reasonable and necessary activities that do not constitute information blocking. ONC seeks comment on seven proposed exceptions, including whether they will achieve ONC’s policy goal:

  1. Preventing harm: Information may be blocked in order to prevent the physical harm of a patient or another person, based on a reasonable belief that this is possible, and supported by a clear organizational policy.
  2. Promoting the privacy of EHI: An actor must satisfy at least one of four exceptions that address scenarios that recognize existing privacy laws and practices:
    1. Practices that satisfy preconditions prescribed by privacy laws
    2. Certain practices not regulated by HIPAA but implement documented and transparent privacy policies
    3. Practices that are specifically permitted under HIPAA
    4. Practices that give effect to an individual's privacy preferences.

      Information may be also be blocked in furtherance of the HIPAA privacy rule. In addition, actors should have a consistent, nondiscriminatory policy on specific privacy risks and how they should be addressed.
  3. Promoting the security of EHI: Information blocking is permitted if it is related to the safeguarding, confidentiality, or integrity of EHI, and is defined in an organization’s information governance policies.
  4. Recovering costs reasonably incurred: ONC proposes to establish an exception that would permit the recovery of certain costs that the agency believes are unlikely to present concerns and would generally promote innovation, competition, and consumer welfare provided certain conditions are met, including that the costs recovered were reasonably incurred and that the costs were not speculative or subjective.
  5. Responding to requests that are infeasible: Information may be blocked if it imposes a substantial burden on the actor that is unreasonable based on the actor’s size or capacities. The actor is still obliged to work with requestors to provide an alternative means of accessing EHI.
  6. Licensing of interoperability elements on reasonable and non-discriminatory terms: The license can require a reasonable royalty but must include stated rights so that the licensee can develop, market, and/or enable the use of interoperable products and services. The terms of the license must be based on objective and verifiable criteria that are uniformly applied and must not be based on impermissible criteria, including whether the requestor is a potential competitor.
  7. Maintaining and improving HIT performance: Information may be blocked for system maintenance or improvement, provided that it is not blocked for longer than necessary, and is agreed upon by individuals or entities with which there is a formal relationship.

Deregulatory actions

ONC proposes six policies for deregulation:

  1. Removal of randomized surveillance requirements: Under the proposal, ONC-Authorized Certification Bodies (ONC-ACBs) would no longer be required to conduct in-field randomized surveillance of certification requirements. ACBs would still be required to perform “reactive” surveillance on a complaints basis and would be permitted to conduct randomized surveillance.
  2. Removal of the 2014 Edition HIT certification criteria from the Code of Federal Regulations (CFR): Removal of the 2014 edition would establish the 2015 edition as the sole baseline for HIT certification.
  3. Removal of the ONC-Approved Accreditor (ONC-AA) from the program: Direct ONC oversight has eliminated the need for an outside accreditor.
  4. Removal of certain 2015 edition certification criteria: The proposed rule identifies several criteria for removal on the grounds of their no longer having functional value, are ubiquitous in practice, have been subsumed into other aspects of certification, including the new USCDI standards. The criteria proposed for removal are:
    1. Problem list
    2. Medication list
    3. Medication allergy list
    4. Smoking status
    5. Drug-formulary and preferred drug lists
    6. Patient-specific education resources
    7. Common Clinical Data Set (CCDS) summary records
    8. Secure messaging
  5. Removal of certain program requirements: The proposed rule would remove required limitations disclosures and transparency and mandatory disclosures.
  6. Recognition of relevant Food and Drug Administration (FDA) certification processes: The proposed rule would direct ONC to defer to or coordinate with the FDA for rulemaking on medical devices, including reliance on a proposed FDA Software Pre-Certification Pilot Program for approved companies to avoid ongoing regulatory clearance for minor changes. ONC requests information on whether the office should pursue its own pre-certification process if the FDA process proves inadequate or does not go forward.

Updates to the 2015 edition certification criteria

The proposed rule would update the criteria of the 2015 edition health IT Certification Program as part of a provision of the Cures Act that requires ONC to modify HIT certification criteria to improve systems interoperability and to enhance patient access to their records.

While many data standards are identified through voluntary consensus, the proposed rule lays out four standards that would be imposed directly:

  1. Removing the Common Clinical Data Set (CCDS) and replacing it with USCDI, Version 1(v1). Citing limitations of the CCDS in today’s operating context, ONC proposes the full and uniform adoption of the USCDI as a “standard” that is defined as a “technical, functional, or performance-based rule, condition, requirement, or specification that stipulates instructions, fields, codes, data, materials, characteristics, or actions.”
  2. Use of the government-unique API Resource Collection in Health (ARCH) implementation specification.
  3. Specific operating standards for APIs as defined in regulation.
  4. Replacing the HL7 Quality Reporting Document Architecture (QRDA) standards with government-unique standards that better support reporting of electronic Clinical Quality Measures (eCQMs) to CMS.

All standards identified and codified into regulation would have to be implemented in full. Thus, certification would require all mandatory elements of a given standard to be present, while leaving room for voluntary elements as an option for the applicable HIT products.

Modifications to the ONC health IT certification program

The proposed rule makes a number of technical corrections and modifications to the regulatory language supporting the ONC health IT certification program, and the operational parameters for ONC-ACBs that oversee the certification process. The technical changes relate to auditable privacy and security events and integrating the revised certification criteria into the 2015 edition privacy and security certification framework.

The proposed rule also establishes a series of principles of proper conduct for ONC-ACBs, including:

  • Retaining records for the life of a certification edition, and three years after the edition’s retirement
  • Changing the allowable tools and test procedures so that they no longer have to be tested in an ONC authorized testing laboratory (ONC-ATL) in order to receive ONC approval
  • Accepting test results from any ONC-ATL in good standing, provided that they are certified by the National Voluntary Laboratory Accreditation Program (NVLAP)
  • Revising mandatory disclosures related to certifications

Health IT for the care continuum

The proposed rule conveys an established principle that HIT should help support patient populations, specialized care, transitions of care, and practice settings across the care continuum. To that end, the current 2015 edition for certification was intended to account for care settings beyond the limited ambulatory and inpatient settings originally enumerated under the Meaningful Use program.

The proposed rule would establish a set of principles for ongoing stakeholder engagement, as well as a recommendation for the voluntary certification of HIT for pediatric care. The proposal covers a set of pediatric-specific clinical criteria for HIT certification and specifies how these criteria would be integrated into the revised 2015 edition certification protocols.

This section also would establish a new criterion for pediatric-specific APIs, new Data Segmentation for Privacy and Consent Management (DS4P) criteria, electronic prescribing (eRx) certification, and clinical elements under the USCDI.

Conditions and maintenance of certification

The Cures Act requires that HHS establish conditions and maintenance of certifications for the program related to information blocking. The conditions must specifically address “appropriate exchange, access, and use of electronic health information; communications regarding health IT; application programming interfaces (APIs); real-world testing for interoperability; attestations regarding certain conditions and maintenance of certification requirements; and submission of reporting criteria under the EHR reporting program.”

While the HHS OIG has a statutory responsibility to enforce information blocking provisions of the Cures Act, as well as investigating false attestation claims, all other conditions and maintenance of certification requirements are administered by ONC itself.

For the ONC-enforced provisions, the proposed rule identifies a process for developers to take corrective actions and establishes penalties limited to certification bans for a consistently non-compliant HIT developer.

The proposed rule would establish or revise several subject areas within its certification provisions:

Information blocking: The conditions would require assurances from IT developers that they will not take any action that constitutes information blocking as defined in the statute, or take any other action that could be a barrier to the exchange, access, and use of electronic health information. The proposed rule provides substantive examples of actions that would violate the condition on information blocking, including imposing limitations on the use of certified capabilities once deployed, or requiring further developer assistance to enable the capabilities, as well as failure to provide documentation, support, or other assistance needed to enable a module’s certified capabilities.

Assurances: The Cures Act requires that a HIT developer provide assurances to the HHS secretary that it will not take any action that constitutes information blocking, or any other actions that may inhibit the appropriate exchange, access and use of EHI.

Communications: The Cures Act requires that a HIT developer not restrict communication on:

  • The usability of the health information technology
  • The interoperability of the health information technology
  • The security of health information technology
  • Relevant information regarding users' experiences when using health information technology
  • The business practices of developers of health information technology related to exchanging electronic health information
  • The manner in which a user of the health information technology has used such technology

The proposed rule also would prohibit contract clauses in which a HIT developer restricts the disclosure of information about a HIT product, including a customer or user’s opinions on the product’s performance. Such communications would be considered “protected” under the proposed rule.

Beyond providing definitions and exceptions to these new conditions of certification related to communications, the proposed rule would require HIT vendors to take immediate steps to revise their ongoing contracts in compliance with the proposed conditions.

Developers would be required to notify all entities with which they have contracts within six months of the effective date of a final rule that any provision of existing contracts that is non-compliant with these conditions would not be enforced. Additionally, vendors would be required to provide subsequent annual notifications of this change, and formally voiding such provisions within two years from a final rule’s effective date.

APIs: The Cures Act requires HIT developers to publish APIs that allow “health information from such technology to be accessed, exchanged, and used without special effort through the use of APIs or successor technology or standards, as provided for under applicable law.” The proposed rule’s approach to the API portion of certification focuses on the “without special effort” language in the statute, naming three attributes that are necessary for developers seeking certification:

  1. Standardized: Developers would be required to implement the same technical API capabilities in their products (using modern, computing standards such as RESTful interfaces and XML/JSON).
  2. Transparent: Developers would need to make the specific business and technical documentation necessary to interact with the APIs in production freely and publicly accessible.
  3. Pro-competitive: Developers would need to abide by business practices that promote efficient access, exchange, and use of EHI to support a competitive marketplace that enhances consumer value and choice. This includes granting health care providers the authority to use the API to work with a third party without any significant action from the developer. Additionally, patients should be able to access their EHI via any API-enabled app without special effort.

Regarding security, APIs would be required to:

  • Be able to establish a secure and trusted connection with apps that request data, provided that the apps are registered in advance to verify its authenticity
  • Allow health care providers to retain control over how their stakeholders authenticate their identities when working with the API, in order to harmonize authentication policies with other policies in place for their electronic systems
  • Not allow any app to have access to patient credentials
  • Allow patients to limit the data that an app may access

The proposed conditions of certification for APIs address transparency of API policies permitted fees, and policies to promote openness and competitiveness.

The proposed rule also identifies several strategies it could employ related to the technical specifications behind certified APIs, including various releases of FHIR profiles and functions, presenting combinations FHIR profiles 2, 3 and 4. ONC requests comment on which option or combination of options to pursue in the final rule, and when the requirements should take effect.

The rule also solicits comment on several distinct categories of requirements within FHIR, such as server connection protocols, authentication, and app registration.

Developers with API technology certified under the new requirements would be required to provide all API Data Providers with a fully certified API within 24 months of a final rule’s effective date.

Testing: The proposed rule would require that HIT developers test the real-world use of technology for interoperability in a setting that is substantively similar to the one in which they intend to market the product. As ongoing maintenance of certification, developers would be required to submit prospective testing plans on an annual basis, as well as any retrospective results. Developers would be permitted to voluntarily adopt newer versions of adopted standards.

Reporting on the testing plan would be required by December 15 of an applicable year, by way of a publicly accessible hyperlink. The plan would include all HIT certified to the 2015 edition through August 31 of the preceding year. The proposed rule acknowledges that if a final rule does not provide adequate time for developers to prepare for these requirements, ONC may consider 2020 as a pilot year for testing.

Attestation: Developers would be required to attest to their compliance with all certification requirements every six months, with a 14-day attestation period occurring twice a year, and contains provisions for developers to provide corrective action plans as needed.

Future EHR reporting criteria submission: The Cures Act requires that HIT developers submit reporting criteria to ONC on how the technology interfaces with EHRs. Future rulemaking will implement a reporting program in accordance with the statute, adding EHR reporting as an additional condition and maintenance of certification requirement.

Trusted Exchange Framework and the Common Agreement (TEFCA): The rule contains a request for information on how ONC should work with stakeholders in developing a TEFCA, as required under the Cures Act. Specifically, the rule asks for information on what categories of HIT developer would be best suited to participate in TEFCA, citing the limited value of internal clinical decision support systems being involved in matters pertaining to the external exchange of data.

Request for information on pricing data

The proposed rule includes an RFI on whether and how to include price information as part of regulated EHI, including whether such information would further the goal of transparency on health care prices for the general public. More specifically, the RFI asks whether such information should come in the form of amounts charged or collected and whether it should be based on discrete charges, diagnosis-related groups (DRGs), or other bundles, how insurance interacts with prices, and whether the inclusion of a reference price such as the Medicare rate for a given item would be useful.

ONC also asks whether EHI can be used to give patients quotes on services in advance and whether such information could be useful to prevent surprise billing from out-of-network providers.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Contact us

Anne Phelps

Deloitte Risk and Financial Advisory
US Health Care Regulatory leader
Deloitte & Touche LLP


Daniel Esquibel
Senior manager

Deloitte Risk and Financial Advisory
Deloitte & Touche LLP


Ethan Joselow

Deloitte Risk and Financial Advisory
Deloitte & Touche LLP

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Site-within-site Navigation. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?