
The average U.S. healthcare payer is probably not ready to share five years’ worth of a member’s clinical data with a competitor on demand. Yet, that’s one of the key requirements in the two new complementary interoperability and access rules that the Centers for Medicare & Medicaid (CMS) and the Office of the National Health Coordinator (ONC) introduced this past February for payers and providers under the 21st Century Cures Act. The stated goal: To advance interoperability and make it easy and simple for healthcare consumers to access their own medical data.

While the rules are not yet final, they have the potential to fundamentally change the use of data and technology by all industry stakeholders. The rules will certainly have a nearly immediate, deep and wide impact on payer operations, IT planning and business strategy. Here are five key aspects of the rules that healthcare executives must quickly understand and address.

1    The rules have a very wide scope.

These are large, complex rules, with the CMS and ONC each requiring specific provisions as well as joint requirements. The rules will have a greater impact on healthcare organizations than the transition to ICD-10. Health plans must quickly add compliance activities for the rules to their roadmaps and calculate their effects on IT budgets, future IT development, and existing privacy, security and data management policies.

The rules call for payers to give patients and patient-approved third parties, including providers and competing payers, immediate access to claims and clinical data. The requested data is to be extracted via application programming interfaces (APIs) based on the HL7 Fast Healthcare Interoperability Resources (FHIR) standard. Clinical data elements stored by payers that are extracted through the API must be in the new U.S. Core Data for Interoperability (USCDI) 2.0 standard to ensure they are usable by other systems and applications.

The rules require payers to build the necessary environments for external third parties to develop these APIs. Further, a payer must review and register applications created in its API environment, akin to how Google and Apple vet apps in their online stores. Payers also will need to validate third-party access to data on behalf of their members.

Another requirement is that payers participate in a Trusted Exchange Network (TEN). The rules explain the TEN is an on-ramp or gateway to all health information networks, country-wide, that abide by the Common Agreement. Most thriving health information exchanges (HIEs) will transition into TENs.

The proposed Interoperability and Patient Access rules require payers to securely release personal health information (PHI) on demand to consumers, and in certain cases to providers, competitors or other third-party organizations, using CMS and ONC-mandated standard APIs and data elements. They require payers to build a third-party API development environment, to participate in a national data exchange network, and to comply with most of these requirements by the start of 2020.


Figure 1

2    The rules’ tight deadlines won’t slip by much, if at all.

The proposed rules call for Medicare Advantage (MA), Medicaid Managed Care Organizations (MCOs) and Qualified Health Plans (QHP) data to be available via open API by January 1, 2020. Medicaid and Children’s Health Insurance Program (CHIP) data must be available through the API by mid-2020. Additional legislation proposed in May would extend this to all commercial insurance. Unlike the ICD-10 transition, CMS will be tighter with these rules’ deadlines for several reasons. Interoperability and portability of patient data have widespread bipartisan support in Congress and from the Administration. The federal government is also looking to its own example: the CMS FHIR-based Blue Button 2.0 API contains four years of Medicare Part A, B and D data for 53 million Medicare beneficiaries. Finally, CMS cites the maturity of API functionality and the need to prevent organizations from adopting alternative standards as reasons for accelerating deployment of its specified API technology.

3    Payers must become experts in achieving open access without compromising security.

Healthcare organizations hold PHI very tightly today and only release it via proprietary portals and processes. Complying with the rules’ requirements for open APIs will give patients and other entities with patient consent the ability to easily retrieve data to which they always had legal access.

The primary challenge in complying with open APIs is that the proposed rules do not ease any of the privacy, security or state compliance requirements that payers must meet. They require payer organizations to achieve an unprecedented level of openness while still ensuring privacy and security. Furthermore, payer-based policies that protect sensitive health information, such as rules that protect a battered spouse’s current address, must also be enforced. Payers will need to excel at opening their data stores, identifying data covered under the rule, such as lab results, and then releasing it only to authorized parties.

4    Information blocking carries stiff penalties and bad publicity.

CMS will prohibit non-compliant payers from selling Medicare Advantage plans or administering managed Medicaid offerings and may fine them $1 million per blocking instance. CMS also will publish lists of providers and payers that are found to have blocked access. It’s uncommon for a rule to include this level of enforcement detail, which is indicative of how serious the government is about this provision.

5    True data interoperability will create exciting opportunities and tough competition.

While the compliance demands of the interoperability rules are extensive, it’s important to consider their positive impact. The rules release data from silos into a truly interoperable format so multiple parties can combine data from different sources. This creates a new, data-rich environment that can support never-before-possible process efficiencies, use cases and business models. It also will open the door to new competition.

Standardized administrative and clinical data in the hands of app developers can become actionable by members, patients, providers and authorized third parties. Payers can also profoundly reengineer their clinical and administrative processes with access to such data. Today, a payer needs approximately one year’s worth of PHI data on a new plan member to appropriately stratify their care coordination. Under the rules, when new members arrive bearing five years of clinical data, the new plan can quickly accomplish granular stratification and start delivering member-centric care coordination immediately.

Also, Healthcare Effectiveness Data and Information Set (HEDIS) compliance can be streamlined. Instead of paying providers to pull charts for review, payers can use APIs to collect standardized FHIR CDI-based streams of data from providers and use analytics and machine learning to analyze and collate findings and deliver more comprehensive and accurate quality reports.

Interoperability will also create new competition and upset current competitive differentiation. A payer can gain consent from a member to obtain claims and clinical data from past payers, which could be reverse-engineered to reveal closely guarded details about provider networks, benefit structures, contract rates and more.

Disruptive data uses will also emerge. For example, Amazon could offer to waive its Amazon Prime fee for customers who authorize access to their health claims data, which it would use to target purchase suggestions. Large pharmacy chains with access to a consumer’s claims data could tout their ability to prevent adverse drug interactions and then use the data to target retail coupons for that customer. Life insurance companies could ask prospects for permission to use claims data available from the payer’s API with the customer’s consent, instead of paying for a nurse to visit the home.

Take action now

Payers must be ready to play in this new sandbox. The things to do today are:

  • Focus your compliance team on the breadth and the timing of the new rules, so you can adequately plan.
  • Initiate updates to your data privacy and security policies that incorporate the new data flows.
  • Initiate IT diligence on the impact of the new requirements and conduct build/buy analysis for the new technology components.
  • Examine your IT roadmap and funding to determine the impact of the new work.
  • Educate your fellow executives about the scope and the short timelines of this new compliance exercise.

While tackling these immediate tasks, make time for one more critical effort: Consider the impact of the new world of data access and interoperability on your organization’s strategy. The rules will create operational and strategic opportunities. Payers that plan now to seize these opportunities will have an advantage in the marketplace once the regulations go into effect. It’s not impossible to achieve open yet secure data interoperability.

For more, read part 2 of this installment, “Three Ways Payers Will Use CMS Interoperability Requirements to Connect with Healthcare Consumers”, or visit the Healthcare and Interoperability solutions sections of our website, or contact us.

The Healthcare Effectiveness Data and Information Set (HEDIS) is a registered trademark of NCQA.