On March 9, the U.S. Department of Health and Human Services issued final rules aimed at enhancing information flows in healthcare and improving patient access to their health records.  The two rules, one issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and the other issued by the Centers for Medicare & Medicaid Services (CMS), are aimed at advancing health data system interoperability and patient access, including the MyHealthEData initiative, which is intended to improve patient access by making it easy for patients to control their own health data from the device or application of their choice. The ONC rule is available here and the CMS rule is available here.


As for interoperability, the ONC rule implements computing standards and APIs (application programming interface requirements), which, when adopted by providers, will improve data flows among health care providers, and among providers and patients.  It is anticipated that mobile apps, developed in conformity with the new standards, will give patients near complete and immediate access to their health records from all providers.  The rule also addresses information blocking and seek to remove barriers to information sharing across diverse platforms.

Health Plans are also Covered:

Payors are covered by the new rules as well.  Beginning January 1, 2021, Medicare Advantage, Medicaid, CHIP, and plans on the federal exchanges will be required to make claims data and other health information available to patients in compliant and secure format. We note that at the Healthcare Information and Management Systems Society (HIMSS) Annual Conference in Las Vegas, the Administrator of the Centers for Medicare & Medicaid Seema Verma specifically called on all healthcare insurers to follow CMS’s lead and give patients access to their claims data in a digital format. We anticipate that other payors will adopt the federal access standards even though not all of their products are not directly subject to the new rules.  In other words, if a plan is required to invest and comply for its Medicare Advantage product, it would make sense for it to roll out the interoperability and patient access across all of its products, and spread the costs over its full product line.

New COP for Hospitals:

An additional part of the new CMS rule adds a new Condition of Participation for hospitals.  It requires them to send an electronic notification to other healthcare facilities and providers whenever a patient is admitted, discharged, or transferred to another level of care from the hospital.  It is anticipated that these notifications will encourage more timely communication between the patient and the out-of-hospital providers who also care for the patient, not leaving it to the patient to provide such notification about their health status.

Patient Consent Issues:

Finally, the new rules heighten app and data base owners (providers) obligations to make more explicit the privacy policies and opt-out processes for patients to manage and secure their health information against unconsented disclosure.  The rules seek to make sure that data cannot be shared with third parties without the explicit and knowledgeable consent of the patient.  These new rules are intended to address the potential downside of the new data sharing standardization protocols, namely that patient data (which is valuable for research, analytics, and marketing, among other things) may be more easily shared by everyone who has access, not just the patient.  The rules seek to introduce a required patient consent before data is sent to any outside analytics or marketing company.   Many have already commented that these rules may not go far enough, so there is perhaps the chance additional regulation will be forthcoming.

Nelson Hardiman lawyers are experts in the new regulatory framework advancing interoperability and patient access, and we are happy to address any questions you may have about these new rules.  For more information, please contact Lara Compton (lcompton@nelsonhardiman.com),  Kathryn Edgerton (kedgerton@nelsonhardiman.com), or Rob Fuller (rfuller@nelsonhardiman.com).