The interoperability rule on patient access to healthcare data is more than a regulation; it’s a catalyst for igniting significant and sustainable change in healthcare quality, delivery and payment. It also gives consumers an enormous amount of power over how they manage their healthcare. Payers that approach compliance with the rule as an investment in digitally transforming their businesses will be well positioned to reap its many potential benefits.
The final rule encompasses managed Medicare, managed Medicaid and individual Federally Facilitated Exchange (FFE) qualified health plans. As expected, the rule requires these plans to publish a third-party developer application programming interface (API) using Fast Healthcare Interoperability Resources (FHIR) and terminology normalization. This API must provide not only claims data, but also other administrative data and even select clinical data. It uses specified standards to support Substitutable Medical Applications and Reusable Technologies (SMART) on FHIR so that every plan’s API is similar. This API must be in production by Jan. 1, 2021.
The Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) did make a few key modifications to the rule. One is a change to the plan-to-plan data exchange, where a plan must share clinical data with another plan under certain circumstances at the request of a member. This requirement now has a delayed deadline of Jan. 1, 2022. Another requirement, that health plans join a Trusted Exchange Network, has been deferred for future rulemaking.
CMS also clarified some items. As one example, we now know that the data to be provided by the API, and the plan-to-plan exchange, will only include data related to dates of service since Jan. 1, 2016; earlier data is not mandated.
Putting the interoperability rule in context
Even as payers digest the interoperability rule requirements, they must be aware of other regulations likely to emerge over the next few years. Some potential regulations may complement interoperability processes; others may require unique strategies. Payers that stay on top of the potential rules and opt for more flexible technologies and methods to achieve interoperability will find it easier to develop coherent, cost-effective compliance strategies. Proposed rules and legislation may include the following:
Updates to data standards and formats. Additional refinements are likely to the HL7 Fast Healthcare Interoperability Resource (FHIR) standard in the API for exchanging health data electronically. Further, updates and additions to the data classes and elements with the U.S. Core Data for Interoperability (USCDI) standard will need to be incorporated into the API. Building updates into regular API maintenance will help payers stay current as new requirements are adopted.
New rules around the enterprise master patient index (EMPI). The industry initially will be executing EMPI requirements without government guidance. When a clear EMPI methodology is prescribed, payers will be better equipped to avoid false positives and false negatives when matching member file data. That will expedite compliance with interoperability data release requirements while helping payers avoid accidentally releasing confidential health information.
Extension to all lines of business. We expect all types of health insurance, not just government programs, eventually to be included under this rule. Payers should design their compliance approaches under the assumption that the rule’s scope soon will expand, perhaps by executive order.
Addressing the transparency rule. The transparency directive for payers has different deadlines, technology and requirements than interoperability, so payers initially will find few compliance synergies between them. However, from a business perspective, both transparency and interoperability erode the ability of payers to compete on allowable amounts and network and benefit design, because each rule will make those components increasingly obvious to other payers and providers.
Added provider-side interoperability. We expect CMS to require providers to implement interoperability in the same ways as payers, meaning the same API and orchestration of both electronic medical record (EMR) and non-EMR data available within one day, among other requirements. When this occurs, every physician, hospital, clinic, etc., will be using the same formats and meeting the same reporting deadlines. Payers can plan now to make the most of this true industry-wide interoperability.
National privacy and security regulations. Congress may eventually act on consumer concerns about who collects their data and how it is used by creating a national privacy rule analogous to the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR). Payers’ security solutions for interoperability must be flexible and extensible to whatever new privacy regulations emerge.
Taking care of business now
Interoperability requires all payer government lines of business to share the same data in the same timeframes, so payers can now evaluate and plan for the impact of interoperability on their business models. To start, payers must address how interoperability partially negates their current value proposition. For the last two decades, payers have competed by reducing claims adjudication costs and on increasingly competitive network design. Now, payers will be able to analyze data released under the rule to see how competing plans have structured their networks and rates. That transparency will blunt the value of physician networks as a competitive edge.
The irony is that the rule also enables payers to build new business models. With data flowing easily, payers should create new value propositions based on such qualities as frictionless service; member experiences; better care management and outcomes; and improvements to the medical cost of care.
Regarding member enrollment, the rule does not immediately call for payers to address that business function. Yet obtaining member data-sharing consent as part of the enrollment process can improve process efficiency and care delivery. With consent, a health plan could gather member data from previous health plans, either via a payer-to-payer transmission or through the new API the rule requires for third-party access. Payers then could immediately analyze the data to determine what care management is appropriate, evaluate data needed for risk adjustments or HEDIS measures, and assign an accountable care organization, medical home or primary care physician — all as part of a new enrollment workstream. Members could receive a level of personalized service and care in mere hours instead of the months it now takes for payers to collect and analyze similar data.
Further, if plans could obtain data-sharing consent from consumers while they are still shopping for plans — before they join — plans could improve and personalize the shopping experience. Payers could apply the historic claims data from the incumbent payer to the coverage options the shopper is considering and generate more accurate projections of, for example, potential co-pays, deductibles and co-insurance. Shoppers would receive better data to evaluate coverage options and assess their financial accountability.
Similarly, group underwriting can become more accurate with greater historical data. It is not clear yet whether employers can give consent on behalf of a group. However, if all plans received standardized, normalized data from employers, underwriting would be faster and more uniform, with same fees matched to same terminology.
Interoperability can also reshape utilization management (UM). In the near term, payers can create rules that preemptively authorize care based on data they receive from new members’ previous health plans. Improved continuity of service for new members reduces friction and creates a better experience.
If it comes to pass that providers also must follow the interoperability rule, payers can increase their use of UM while reducing provider and member friction by calling data directly from the providers’ EMRs via the standardized API. Payers can use inexpensive computer cycles instead of people to process that data against their own authorization rules — essentially automating a fully touchless UM process and eliminating phone calls, faxes and emails as well as unnecessary care.
Payers also can plan to use historic data to identify and stratify social determinants of health (SDoH) needs among new members. As providers adopt the USCDI data standard, payers can mine the freeform notes in patient records using tools such as natural language processing. FHIR formats also are being developed to support SDoH. The combination of more data and data standards enables algorithms to work efficiently to identify SDoH factors, further advancing their use in care management.
Finally, payers should accept that interoperability can allow other organizations to take control of the member experience. If the quality and value of payer websites and apps don’t significantly improve, other entities may step in and provide a better experience for members, which can have major implications for the payer.
Immediate steps to take
Interoperability compliance requires an organization-wide effort. For example, supporting an API gateway for third-party developers creates new technical and business workflows as new entities interact with plan members. Whether IT, compliance or business, all functions must ensure not only compliance with the rule, but exploitation of its possibilities. Here are immediate areas to address:
Payer legal counsel and compliance departments should interpret how the rule applies to the organization. Payers should not rely on system or solution vendors’ assessments of the rule and should investigate potential liability issues related to releasing inaccurate health data or a failure to send data. Remediation plans can include changes to people, process, and technology or, perhaps, additional insurance coverage.
IT remediation should be under way. Data capture, orchestration and labeling are all major issues. It’s critical to trace and verify data provenance, understanding where, how and by whom data originated, and how it has been used, modified and processed by other people and systems. For example, a pulse rate collected from a hospital may be treated differently than one reported by a member’s Fitbit tracker. Metadata issues must be addressed, especially identification and tagging of sensitive data, such as HIV status.
Analyze third-party relationships that involve data access. Under the rule, payers must deliver clinical data collected on members. However, if a payer contracts with a service provider for UM, fulfilling the data vending requirement becomes complex. It’s usually the service provider that has permission to access a provider EMR, not the payer. Yet the spirit of the rule says a member should be able to see whatever data the plan used when it decided on the appropriateness of care. It’s important to evaluate these relationships and determine how member data requests will be fulfilled under them.
Address new areas of privacy. Much of the current privacy infrastructure is not adequate for the safe execution of the rule’s requirements. As one example, consent management is now transaction-driven and requires new business processes and technology tools to manage successfully. Payers must be able to evaluate whether consent is legitimately established, manage the details of the consent, and have workflows to make changes, which might range from self-management on a website to inbound calls to the CSR team. As another example, the creation of an API that’s external to the gateway greatly increases potential exposure to intrusion attacks.
Decide which areas in the value chain could be reimagined with interoperability. Competition from new industry entrants is increasing. Apple, Amazon, Best Buy, Walmart and others will combine member data with their existing expertise, whether technological, logistical, physical footprint, or in other areas. The results likely will produce new options for care delivery, such as Walmart’s flat-price no-insurance clinics. Payers can hold their own by using compliance efforts to retool processes and imagining new services built on members controlling their own health data.
Payer organizations that build strong interoperability capabilities now will be well positioned when that day comes — or when Amazon offers “Healthcare Prime.” By pulling data out of silos, payers can use tools such as evolutionary AI to pre-emptively identify patients who need care and deliver that care faster, cheaper and with better quality. There will be winners and losers created by the responses to this major rule. Payers that approach interoperability as a tool for reshaping healthcare will benefit from it most; those that treat it as a compliance-only matter will lose market share as employers and patients seek better experiences with better value.
FHIR HL7 is the registered trademark of Health Level Seven International and the use does not constitute endorsement by HL7. The Healthcare Effectiveness Data and Information Set (HEDIS) is a registered trademark of NCQA.
How to Optimize Returns from Investing in Healthcare Interoperability