In March 2020, both the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) released final rules to promote patient access and improve data exchange arrangements under the 21st Century Cures Act.
The new rules support increased interoperability and facilitate patient access to electronic health information. The amendment also strengthens the MyHealthEData initiative, allowing patients to manage and make their own healthcare decisions.
The final rules impact CMS-regulated payers and Qualified Health Plan issuers on federally facilitated exchanges. This means that payers will need to support secure and seamless access, exchange and use of electronic health information, greater innovation and use of technology, increased competition, and increased choice and control over personal health information.
How do these rules impact payers?
CMS Interoperability and Patient Access Final Rule
- Patient Access API: Payers must make patient data available electronically through standards-based (HL7 FHIR Release 4.0.1) application programming interfaces (APIs). This API could be used to integrate a health plan’s information into a patient’s electronic health record (EHR) and will also allow patients to access their data through any third-party application they choose to connect to the API.
How do payers comply?
Payers will need to define and implement a microservices architecture in order to support implementation. They will also need to configure and maintain security functionalities of the API and establish an end-to-end API operating model.
- Provider Directory API: Payers regulated by CMS must maintain and publish up-to-date provider directory information through a standards-based API. This will make it easier for third parties to write apps that help patients find a provider.
How do payers comply?
Payers will need to establish a FHIR-based provider directory API that helps them adhere to the rule, enables members to choose a provider, and boosts engagement further. This directory would include the names of providers, addresses, phone numbers, and specialty.
- Payer-to-Payer Data Exchange: CMS-regulated payers should implement a payer-to-payer data exchange process for portable patient clinical data in the United States Core Data for Interoperability (USCDI) standard. This will enable streamlined information sharing between payers and allow patients to take their information to their new payer and incorporate it into the latest records.
How do payers comply?
Payers will need to implement the processes and technology to facilitate data exchange with other payers and ensure that a standard clinical data set (specifically, the USCDI) is in place.
- Federal-State Data Exchange: Payers must improve the dually-eligible experience by increasing the frequency of federal-state data exchanges from weekly or monthly to daily.
- Patient Privacy via OAuth 2.0 for Patient EHI Access: The ONC rule relies on the OAuth 2.0 protocol for authorization to ensure security. OpenID Connect, an identity layer built on top of the OAuth 2.0 protocol, allows authentication of health plan members through an authorization server.
How can payers comply with these rules?
How can payer organizations achieve member-centered interoperability and provide greater access to healthcare data? In order to comply in a timely manner, payers need to take four critical steps:
- Ensure payer data connectivity: Payers need to identify source systems and data warehouses containing high-quality data, rapidly connect with data sources, map the data elements to FHIR profiles and resources, and load to target on a set recurring schedule.
- Stand up a FHIR server and API gateway: Payers need to launch an admin portal to manage FHIR APIs, third-party application workflows and member consent, and deploy access control lists (ACLs), member authentication, and API security protocols.
- Implement third-party application workflows: Payers need to provide developer portal access to support app development, app registration, and app certification steps, with particular focus on consent management, privacy and security provisions.
- Implement member workflows: Payers need to securely authenticate members, stand up member consent processes, and enable the members to make app-specific, granular consent decisions. They need to provide members direct access to their claims and encounter information and enable them to proactively manage their active third-party app connections anytime.