CMS and ONC Propose New Rules for Interoperability


Rules for Interoperability and Patient Access to Electronic Health Information

The U.S. Department of Health and Human Services (HHS) recently proposed new rules to support seamless and secure access, exchange, and use of electronic health information (EHI). The rules were issued by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC). The intention of the rules is to increase choice and competition, which will be realized by:

  • Improving secure patient access to their health information
  • Giving patients more control over their health information
  • Requiring that patient access to the EHI be free to patients

ONC’s Proposed Rule

Electronic Health Information and Patient Access

ONC’s rule promotes secure and (more) immediate access to health information. This applies to both patients and their providers. The rule calls for the adoption of standardized application programming interfaces (APIs). APIs will enable patients to access their data using their smartphones and other mobile devices.

Additionally, the rule implements the information blocking provisions outlined in the 21st Century Cures Act. This will support access and exchange of electronic health information. The rule also included seven proposed exceptions to the definition of information blocking.

ONC also proposes patients be able to access their EHI at no cost. This would help patients see the prices they are paying for their healthcare.

Finally, ONC’s proposed rule would modify the 2015 Edition health IT certification criteria and program to advance interoperability, enhance health IT certification, and reduce burden and costs.

CMS’s Proposed Rule

CMS’ proposed changes to the healthcare delivery system support the MyHealthEData initiative. The goal of the changes is to increase the flow of health information, reduce burden on patients and providers, and foster innovation. In 2018, CMS finalized regulations that use potential payment reductions for hospitals and clinicians to encourage providers to improve patient access to their electronic health information. CMS is now proposing requirements that Medicaid, the Children’s Health Insurance Program, Medicare Advantage plans and Qualified Health Plans in the Federally-facilitated Exchanges provide patients with immediate electronic access to medical claims and other EHI by 2020.

CMS would also require these health care providers and plans to implement open data sharing technologies to support transitions of care as patients move between these plan types. By ensuring patients have easy access to their information, and that information follows them on their healthcare journey, redundant procedures and testing will be eliminated. Thus, clinicians will have the time to focus on improving care coordination and, ultimately, health outcomes.

CMS Administrator Seema Verma said, “By requiring health insurers to share their information in an accessible format by 2020, 125 million patients will have access to their health claims information electronically. This unprecedented step toward a healthcare future where patients are able to obtain and share their health data, securely and privately, with just a few clicks, is just the beginning of a digital data revolution that truly empowers American patients.”

Combined, these proposed rules address technical and industry factors that create barriers to interoperability and limit a patient’s ability to access their health information. Aligning these requirements for payers, health care providers, and health IT developers will help drive an interoperable health IT infrastructure across systems. This ensures providers and patients have access to health data when and where it is needed.

Additional Resources:

Fact sheet on the CMS proposed rule (CMS-9115-P)

Fact sheets on the ONC proposed rule

To read all 724 pages of the HHS’s new rules



DHHS recommends healthcare providers migrate from legacy EHR to more secure cloud environments

cloud security

The June 2017 “Report on Improving Cybersecurity in the Health Care Industry,” published by the Department of Health and Human Services Health Care Industry Cybersecurity Task Force, noted that many healthcare agencies are still running patient records databases on legacy systems. Not only are these systems more susceptible to successful hacking, but the agencies also lack the funding to hire adequate personnel to maintain the required cybersecurity measures. The report states that cybersecurity is “a key public health concern that needs immediate and aggressive attention!”

One of the report’s key details addresses legacy EHR systems: “In addition to the workforce limitations, a majority of these health care providers still have legacy EHR systems, aging infrastructure, poor disaster recovery capabilities, and capital investment limitations.” It goes on to say, “By moving to a secure cloud environment, health care providers will have increased security and the ability to effectively use their clinical resources to support patients without having to worry about maintaining their on-premises infrastructure and systems.” And at many older facilities it will likely free up your basement or closet space as well!

The federal government has mandated the use of a federally certified EHR. In addition, be sure you have a “complete EHR,” not a “modular” system, which is how many legacy systems are structured. Suggested action items to improve security were spread across the government, the health insurance providers, and the industry, as follows:

  • The federal government should evaluate incentive options, such as grants, to encourage industry to develop secure options for supporting health care organizations, along with additional incentive options, including tax incentives, to encourage health care providers to migrate to more secure environments, including hosted services or cloud service providers.
  • The Federal regulatory agencies should provide additional guidance to service providers (including HHS-compliant Business Associate Agreements) that wish to align their security management practices with HIPAA and create increased awareness among health care providers that alternative technologies exist to store, access, share, and process their data.
  • Industry should develop use cases and contracts tailored for these small and medium-size organizations.
  • Insurance companies should provide more incentives to encourage health care service providers to migrate to a more secure environment than the one in which they currently operate.

Understand HIPAA violations to prevent them from happening to you

Prevent HIPAA Violations

By now most people are familiar with the term HIPAA (Health Insurance Portability and Accountability Act). It has been around since 1996, and has been enforced even more since 2001 with the onset of the Privacy Rule. It has become a critical factor in protecting patients’ health information.

There are thousands of breaches filed every year, most of which were not intentional, but they are breaches nonetheless. 95% of these cases are resolved by the Office of Civil Rights (OCR), and usually the OCR will require the covered entity to revise its policy and/or take other corrective actions as justified per breach. Intentional misuse or disclosure of PHI is a different situation. These cases are referred to the Department of Justice for criminal investigation.

According to the Department of Health and Human Services, the top 5 issues investigated by the OCR fall into the following categories:

1. Impermissible use and disclosure of PHI (protected health information)
2. Lack of safeguards of PHI
3. Lack of patient access to their PHI
4. Lack of administrative safeguards of electronic PHI
5. Use or disclosure of more than the minimum necessary PHI

Understanding how to avoid common mistakes can help prevent huge fines and disruption to your agency.