Compliance with the new Interoperability and Patient Access final rule (CMS-9115-F) requires payers to meet significant requirements by the end of 2020. Meeting the 2021 Patient Access API and Provider Directory API deadline is more than a technical challenge; payers must coordinate interoperability compliance activities across their entire organization.
Given interoperability’s vast scope, it will be all too easy to overlook crucial dependencies and belatedly identify potential gaps that can delay efforts. To help, we’ve assembled a 25-point checkpoint plan based on our two years of experience assisting early-adopting organizations in applying the final rule. The figure below offers a quick roadmap; the list itself follows. For even more detail, see our white paper, “Ensure Compliance: A 25-Point Inspection Plan for Interoperability Initiatives.”
Understand the requirements
Understand the new interoperability rules.
Start by fully comprehending these details within the Centers for Medicare and Medicaid Services’ (CMS) Interoperability and Patient Access final rule and the companion Cures Act final rule:
The use of Health Level Seven International (HL7) Fast Healthcare Interoperability Resources (FHIR).
The US Core FHIR profiles involved.
Terminology standards identified.
Education, testing and monitoring requirements and resources.
Has your team analyzed this information in detail — engaging IT, the business, compliance and legal? Have you created interoperability requirements documentation with traceability to the sections and paragraphs of these rules?
Understand the rules in light of other laws and regulations.
The Interoperability and Patient Access final rule leaves existing laws and regulations unchanged, so they continue to apply. Points to check:
Relation to existing federal, state, tribal and local regulations.
Age of consent.
State laws such as the California Consumer Privacy Act.
Has your analysis examined these in detail? Have you created interoperability requirements documentation with traceability to the sections and paragraphs of applicable laws?
Develop a strategy and align the organization
Make decisions based on interpretation of the rules.
How to best inform patients of their rights and risks.
How to engage application developers.
Know which FHIR resources and profiles to implement.
Define third-party app denial reasons, and more.
Do you have an interoperability governance group that spans IT, the business, legal and compliance? Do you have a decision log on interpretive decisions, with sign-off from affected stakeholders?
Determine an interoperability strategy.
Payers may create a unique strategy based on their vision, objectives and market position. Consider:
Minimum compliance approach vs. proactive market positioning.
Which processes to improve and uplift.
Which new experiences to empower, and more.
Do you have an interoperability vision statement? Does it align with your corporate mission? Does it help prioritize your decisions?
Align your organization.
Transformational programs often fail when some roles and functions aren’t aligned with key activities and goals. Points to consider:
Vision and strategy.
Tools and technologies.
Definition of success.
Roles and responsibilities.
Have you conducted an interoperability vision workshop or similar exercise? Have alignment activities involved IT, the business, compliance and legal?
Revisit budgets and priorities.
Some elements necessary for interoperability may already be on organization roadmaps. Examine:
Reassessment of in-flight initiatives.
Master data management.
Have you factored the reusability of existing assets into your solution design? Have you adjusted project scope, requirements and schedule for components that can be reused?
Plan for the milestones
Publish a patient-access API.
This is one of the priorities for this year. Considerations include:
Deadline: January 1, 2021 (deferred enforcement date: July 1, 2021).
Includes claims, encounter and clinical data with dates of service on or after January 1, 2016, made available within one business day of adjudication or receipt.
Use of OAuth 2.0 and OpenID Connect (SMART App Launch); FHIR Release 4; U.S. Core Data for Interoperability (USCDI); and the CARIN Common Payer Consumer Data Set (CPCDS).
Do you have a detailed project plan to meet this deadline? Does that plan identify all dependencies?
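The two security requirements above (OAuth 2.0 / OpenID Connect authorization and member-scoped FHIR access) come down to one check on every request: the token must carry a scope that covers the resource type, and the resource must belong to the member the token was issued for. The following is an added example, not code from the original article or from CMS. It assumes SMART App Launch conventions (space-separated scopes such as "patient/ExplanationOfBenefit.read" and a "patient" launch context), stands in a `TokenInfo` record for whatever a real token-introspection or JWT-validation step returns, and uses a constructed in-memory store with resources for two members so the cross-member case can be exercised offline.

```python
"""Authorization checks for a Patient Access API FHIR endpoint.

Added example, not code from the original page or from CMS. It assumes
SMART App Launch conventions: the access token carries space-separated
scopes such as "patient/ExplanationOfBenefit.read" and a "patient" launch
context naming the member it was issued for. TokenInfo stands in for
whatever a real token-introspection or JWT-validation step returns, and
SAMPLE_STORE holds constructed resources for two members.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import fnmatch


@dataclass(frozen=True)
class TokenInfo:
    active: bool
    scope: str                 # e.g. "patient/*.read patient/Patient.read"
    patient: Optional[str]     # FHIR Patient id bound to the token
    exp: int                   # expiry, Unix seconds


def scope_allows(scope: str, resource_type: str, action: str) -> bool:
    """True if a granted scope covers <action> on <resource_type>.
    Handles SMART v1 scopes "patient/<Type>.<action>" and the wildcard
    "patient/*.<action>"; anything else is treated as not granting access."""
    wanted = f"patient/{resource_type}.{action}"
    return any(fnmatch.fnmatchcase(wanted, granted) for granted in scope.split())


def resource_subject(resource: dict) -> Optional[str]:
    """Patient id a resource belongs to, or None if it cannot be determined.
    A Patient is its own subject; claims and clinical resources point at the
    member through a 'patient' or 'subject' reference."""
    if resource.get("resourceType") == "Patient":
        return resource.get("id")
    ref = resource.get("patient") or resource.get("subject") or {}
    target = ref.get("reference", "")
    return target[len("Patient/"):] if target.startswith("Patient/") else None


def authorize_read(token: TokenInfo, resource: dict, now: int) -> Tuple[bool, str]:
    """Deny-by-default read check: token must be live, scope must cover the
    resource type, and the resource must belong to the token's patient.
    The last check is what stops one member's app from fetching another
    member's data by guessing ids."""
    if not token.active or token.exp <= now:
        return False, "token inactive or expired"
    rtype = resource.get("resourceType", "")
    if not scope_allows(token.scope, rtype, "read"):
        return False, f"scope does not cover {rtype}.read"
    if not token.patient:
        return False, "no patient context bound to token"
    subject = resource_subject(resource)
    if subject is None:
        return False, f"cannot determine patient for {rtype}; refusing"
    if subject != token.patient:
        return False, "resource belongs to a different patient"
    return True, "ok"


def constrain_search(token: TokenInfo, resource_type: str, params: Dict[str, str]) -> Dict[str, str]:
    """Pin a FHIR search to the token's patient compartment by overwriting any
    client-supplied patient parameter instead of trusting it."""
    pinned = dict(params)
    if resource_type == "Patient":
        pinned["_id"] = token.patient or ""
    else:
        pinned["patient"] = f"Patient/{token.patient}"
    return pinned


# Constructed sample data: member p-100 has one EOB, member p-200 another.
SAMPLE_STORE: Dict[str, dict] = {
    "Patient/p-100": {"resourceType": "Patient", "id": "p-100"},
    "ExplanationOfBenefit/eob-1": {"resourceType": "ExplanationOfBenefit", "id": "eob-1",
                                   "patient": {"reference": "Patient/p-100"}},
    "ExplanationOfBenefit/eob-2": {"resourceType": "ExplanationOfBenefit", "id": "eob-2",
                                   "patient": {"reference": "Patient/p-200"}},
}


def handle_get(token: TokenInfo, path: str, now: int) -> Tuple[int, dict]:
    """Simulate GET /fhir/<path>. Authorization is evaluated before the
    resource is returned; a denial yields 403 (use 404 instead if you do not
    want to confirm that another member's resource exists)."""
    resource = SAMPLE_STORE.get(path)
    if resource is None:
        return 404, {"issue": "not found"}
    ok, reason = authorize_read(token, resource, now)
    return (200, resource) if ok else (403, {"issue": reason})


if __name__ == "__main__":
    tok = TokenInfo(True, "patient/ExplanationOfBenefit.read patient/Patient.read", "p-100", 2_000_000_000)
    for path in SAMPLE_STORE:
        print(path, handle_get(tok, path, now=1_700_000_000)[0])
```

Two design points carry over to a real gateway or FHIR server: a resource whose patient cannot be determined (here, a Coverage that uses `beneficiary`) is refused rather than released, and searches are pinned to the token's patient compartment by overwriting the client's `patient` parameter. The same harness doubles as the "wrong party" penetration test the rule's testing requirement calls for: issue a token for one member and assert that every path and search for another member is denied.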
Publish a provider directory API.
The final rule mandates that insurers publish directory data via API. Considerations:
Deadline: January 1, 2021 (deferred enforcement date: July 1, 2021); directory changes must be reflected within 30 calendar days.
No authentication or authorization required, unlike the Patient Access API.
Public discovery and access.
Use of data formatting and terminology standards.
Do you have a detailed plan to meet this deadline? Does that plan identify all dependencies?
Enable payer-to-payer data exchange.
Payers must, at members’ request, send data to any other payer that currently covers the individual or any payer designated by the member. Payers must also be able to receive such data. Considerations:
Deadline: January 1, 2022.
Data must remain available for up to five years after the member leaves the plan.
Eligible data: all collected on or after January 1, 2016.
Must incorporate received data into the member record.
Must forward data received from prior plans, not only the payer’s own.
Do you have a detailed project plan to meet this deadline? Does that plan identify all dependencies?
Master key skills
Master FHIR (and more).
FHIR is central to all requirements of the interoperability rule. Complementary technology and disciplines to learn:
FHIR, USCDI and the HL7 Da Vinci implementation guides.
Security: OAuth 2.0, OpenID Connect.
Terminologies such as SNOMED CT, ICD-10 and RxNorm.
Do you have a training plan to master FHIR, the related security standards and the health informatics terminology standards? Is your team able to apply these skills in your initiative’s planning and execution?
Implement solution components
Implement an API gateway.
While the rule does not specifically mention an API gateway, payers should implement one that offers:
Have you identified an API management solution? Does your interoperability solution utilize the best practices of API management?
Implement an orchestration hub.
An orchestration hub does more than an API gateway or a FHIR server alone. Consider how to manage:
Support for API orchestration and data consolidation.
Points of integration (e.g., patient and provider matching).
Does your interoperability solution orchestrate APIs and the required data? Does it enable the governance of APIs and required data?
Implement a privacy engine.
This engine is responsible for ensuring privacy: managing consents, tagging sensitive data and auditing based on sensitive data disclosure. Separate from the API gateway and orchestration hub, the privacy engine is responsible for ensuring features such as:
Consent management (with extensibility).
Sensitive data labeling, tagging and segmentation.
Access and disclosure logging and auditing.
Sensitive data filtering and masking (future).
Does your interoperability solution provide a component to manage consents? Does it provide a component to log and analyze access, ensuring privacy?
Empower new capabilities
Improve data management practices.
Interoperability will expose data management practices to the outside world. Organizations should review how they manage:
Data quality and currency.
Member and provider identity and crosswalks.
Have you identified which data management practices must be uplifted to provide patients with quality data, and which must be accelerated to meet the “one business day” requirement?
Normalize data into standard terminologies.
Interoperability requires using standardized vocabularies for sharing different types of information. These terms include:
ICD-10, SNOMED CT and RxNorm.
NDC, LOINC and CPT.
Have you identified gaps in consistent terminology use? Do you have the means to normalize terminologies to required standards?
Label highly sensitive data.
“All or nothing” consent for the interoperability API does not reduce audit and reporting requirements or risk management measures. Payers must still comply with all laws and requirements governing sensitive data, such as:
Alcoholism and/or drug abuse or dependence.
Mental health and rehabilitation.
Is your interoperability solution able to label highly sensitive data? Will it enable “data segmentation” by data type and sensitivity should CMS require such in the future?
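The privacy-engine responsibilities listed earlier (consent management, sensitive data labeling and segmentation, disclosure logging) and the labeling requirement just described fit together in one disclosure path: label each resource, apply the member's consent, release what is permitted with its labels attached, and audit every decision whether or not data was released. The following is an added example, not code from the original article or from any vendor's privacy engine. It assumes labels are drawn from the HL7 v3 sensitivity vocabulary in `http://terminology.hl7.org/CodeSystem/v3-ActCode` (ETHUD for alcohol and drug use, PSY for psychiatric conditions), derives them from ICD-10-CM codes with an illustrative rule rather than a complete policy, and uses constructed consent and Condition records; the `excluded_labels` field on `Consent` is empty for today's all-or-nothing consent and is the extensibility point for segmentation by data type should CMS require it.

```python
"""Privacy-engine pieces: sensitivity labeling, consent check, disclosure audit.

Added example, not code from the original page or any vendor product. It
assumes labels come from the HL7 v3 sensitivity vocabulary
(http://terminology.hl7.org/CodeSystem/v3-ActCode: ETHUD for alcohol/drug
use, PSY for psychiatric conditions) and derives them from ICD-10-CM codes
with an illustrative rule, not a complete policy. Consent and Condition
records below are constructed sample data.
"""
import copy
from dataclasses import dataclass, field
from typing import List, Set, Tuple

ACTCODE = "http://terminology.hl7.org/CodeSystem/v3-ActCode"
ICD10CM = "http://hl7.org/fhir/sid/icd-10-cm"


def sensitivity_labels(resource: dict) -> Set[str]:
    """Labels for a Condition from its ICD-10-CM code. Illustrative rule:
    chapter F codes F10-F19 (substance use) -> ETHUD, any other F code -> PSY.
    Other resource types are left unlabeled by this rule."""
    labels: Set[str] = set()
    if resource.get("resourceType") != "Condition":
        return labels
    for coding in resource.get("code", {}).get("coding", []):
        code = coding.get("code", "")
        if coding.get("system") != ICD10CM or not code.startswith("F"):
            continue
        try:
            block = int(code[1:3])
        except ValueError:
            continue
        labels.add("ETHUD" if 10 <= block <= 19 else "PSY")
    return labels


def tag(resource: dict) -> dict:
    """Copy of resource with its labels written into meta.security, so the
    sensitivity travels with the data when it is released."""
    out = copy.deepcopy(resource)
    labels = sensitivity_labels(resource)
    if labels:
        security = out.setdefault("meta", {}).setdefault("security", [])
        security.extend({"system": ACTCODE, "code": c} for c in sorted(labels))
    return out


@dataclass
class Consent:
    patient: str
    active: bool
    # Empty set = the all-or-nothing consent the rule requires today; a
    # non-empty set is the extensibility point for future segmentation.
    excluded_labels: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class AuditEvent:
    ts: int
    requester: str      # app client_id
    patient: str
    resource: str       # "Type/id"
    labels: Tuple[str, ...]
    outcome: str        # "released" or "withheld"
    reason: str


def disclose(resources: List[dict], consent: Consent, requester: str,
             now: int, audit: List[AuditEvent]) -> List[dict]:
    """Apply a member's consent to resources bound for a third-party app.
    Every resource produces an audit event whether released or withheld,
    since disclosure auditing must not depend on the outcome."""
    released: List[dict] = []
    for res in resources:
        rid = f"{res.get('resourceType')}/{res.get('id')}"
        labels = tuple(sorted(sensitivity_labels(res)))
        subject = res.get("subject", {}).get("reference", "")
        if subject != f"Patient/{consent.patient}":
            outcome, reason = "withheld", "resource is not this patient's"
        elif not consent.active:
            outcome, reason = "withheld", "no active consent"
        elif consent.excluded_labels & set(labels):
            outcome, reason = "withheld", "label excluded by consent"
        else:
            outcome, reason = "released", "ok"
            released.append(tag(res))
        audit.append(AuditEvent(now, requester, consent.patient, rid, labels, outcome, reason))
    return released


# Constructed sample: one member, three conditions of differing sensitivity.
SAMPLE_CONDITIONS = [
    {"resourceType": "Condition", "id": "c1", "subject": {"reference": "Patient/p-100"},
     "code": {"coding": [{"system": ICD10CM, "code": "E11.9"}]}},   # type 2 diabetes
    {"resourceType": "Condition", "id": "c2", "subject": {"reference": "Patient/p-100"},
     "code": {"coding": [{"system": ICD10CM, "code": "F10.20"}]}},  # alcohol dependence
    {"resourceType": "Condition", "id": "c3", "subject": {"reference": "Patient/p-100"},
     "code": {"coding": [{"system": ICD10CM, "code": "F32.9"}]}},   # depressive disorder
]

if __name__ == "__main__":
    log: List[AuditEvent] = []
    out = disclose(SAMPLE_CONDITIONS, Consent("p-100", True), "app-123", 1_700_000_000, log)
    for ev in log:
        print(ev.resource, ev.labels, ev.outcome)
    print(len(out), "released")
```

Under all-or-nothing consent every resource is released, but the substance-use and mental-health conditions leave with `meta.security` labels attached and the audit log records which labeled resources went to which app. Changing the consent to exclude ETHUD withholds only the substance-use condition, which is the segmentation behavior the last question above asks about, without touching the labeling or audit code.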
Strengthen your privacy and security practices.
The benefits of increased data portability greatly outweigh new security risks when payers take care to ensure that they are following best practices in:
Identity and access management.
Enterprise data protection, application security and threat management.
Have you analyzed the new threat vectors that interoperability introduces (publicly reachable APIs, token-based access by third-party apps, an unauthenticated provider directory endpoint)? Have you defined the security changes needed to manage these risks?
Facilitate new experiences
Manage developers and apps.
HIPAA generally does not extend to the third-party apps members choose, or to how those apps use the data. Payers must consider:
Review apps’ acceptable use policies (AUPs).
Disapprove apps for certain reasons.
Need for developer portal and support program.
Have you defined processes for supporting application developers and lifecycles? Have you detailed processes and criteria for monitoring apps’ use of data?
CMS plans to help with educational materials, covering topics such as:
Members’ understanding of rights and risks.
App and usage recommendations.
Anticipating emergent scams and abuses.
Have you identified how you’ll educate members at key moments (enrollment, login, etc.)? Have you defined processes for authoring and editing content, including signoff?
Establish new consent management processes.
Consent is “all or nothing” for an API, so collecting and tracking consent data is critical. Consider:
Members can still exercise rights in traditional channels.
Need for centralized consent management process.
Need for handling failures, grievances, etc.
Have you defined processes for how members inquire or change their consents? Have you made interoperability app consent management processes seamless with existing authorization processes?
Add customer support processes.
Payers must be clear about how they will handle these member-facing issues:
How to handle app questions.
How to grant and revoke consents.
How to see data shared.
How to raise interoperability support issues.
Have you identified the operating model and business processes for supporting members through the contact center? Have you identified what content and features will be provided in the member portal?
Deliver with quality
Test, test, test.
The rule mandates routine testing and monitoring. Additional test planning should cover the need for:
End-to-end process testing.
Performance and penetration testing.
Does your test plan include end-to-end business process testing, addressing complex scenarios such as the rights of minors? Does your plan check for attacks and that data cannot be exposed to the wrong party?
Charter a new future
Balance data protection with data sharing.
Expect the emphasis on data sharing to increase:
CMS describes this rule as a “first step.”
The Cures Act enables much more.
HHS’s declared goal is to drive disruption.
Have you identified steps your organization will take beyond compliance? Are you tracking all proposed regulation and identifying scenarios that could impact your organization?
Consider what competitors and other actors can do with this data.
Interoperability effectively reveals competitive differentiators such as network design and benefits. Payers must analyze business strategies in light of these questions:
What might competitors do with this data?
What might other bad actors do?
Have you analyzed how you’ll monitor the egress of data from your organization? Have you identified data exposure risks and how to respond?
Reimagine what your organization can do with this data.
Interoperability creates opportunity for new efficiency and value creation across such areas as:
Enrollment and high-value “Day 2” activities: consents, primary care physician assignment, program enrollment, wellness, etc.
Utilization management and care management continuity.
Have you identified how and when you will excel at obtaining patient consents? Have you prioritized which processes will benefit most from the injection of interoperability data?