The proposed Interoperability and Patient Access rules require payers to securely release personal health information (PHI) on demand to consumers, and in certain cases to providers, competitors or other third-party organizations, using CMS and ONC-mandated standard APIs and data elements. It requires payers to build a third-party API development environment as well as participate in a national data exchange network and to comply with most of these requirements by the start of 2020.
Figure 1
2 The rules’ tight deadlines won’t slip by much, if at all.
The proposed rules call for Medicare Advantage (MA), Medicaid Managed Care Organizations (MCOs) and Qualified Health Plans (QHP) data to be available via open API by January 1, 2020. Medicaid and Children’s Health Insurance Program (CHIP) data must be available through the API by mid-2020. Additional legislation proposed in May would extend this to all commercial insurance. Unlike the ICD-10 transition, CMS will be tighter with these rules’ deadlines for several reasons. Interoperability and portability of patient data has widespread bipartisan support in Congress and from the Administration. The federal government is also looking to its own example: the CMS FHIR-based Blue Button 2.0 API contains four years of Medicare Part A, B and D data for 53 million Medicare beneficiaries. Finally, CMS cites the maturity of API functionality and the need to prevent organizations from adopting alternative standards as reasons for accelerating deployment of its specified API technology.
3 Payers must become experts in achieving open access without compromising security.
Healthcare organizations hold PHI very tightly today and only release it via proprietary portals and processes. Complying with the rules’ requirements for open APIs will give patients and other entities with patient consent the ability to easily retrieve data to which they always had legal access.
The primary challenge in complying with open APIs is that the proposed rules do not ease any of the privacy, security or state compliance requirements that payers must meet. It requires payer organizations to achieve an unprecedented level of openness while still ensuring privacy and security. Furthermore, payer-based policies that protect sensitive health information, such as rules that protect a battered spouse’s current address, must also be enforced. Payers will need to excel at opening their data stores, identifying data covered under the rule, such as lab results, and then releasing it only to authorized parties.
4 Information blocking carries stiff penalties and bad publicity.
CMS will prohibit non-compliant payers from selling Medicare Advantage plans or administering managed Medicaid offerings and may fine them $1 million per blocking instance. CMS also will publish lists of providers and payers that are found to have blocked access. It’s uncommon for a rule to include this level of enforcement detail, which is indicative of how serious the government is about this provision.
5 True data interoperability will create exciting opportunities and tough competition.
While the compliance demands of the interoperability rules are extensive, it’s important to consider their positive impact. The rules release data from silos into a truly interoperable format so multiple parties can combine data from different sources. This creates a new, data-rich environment that can support never-before-possible process efficiencies, use cases and business models. It also will open the door to new competition.
Standardized administrative and clinical data in the hands of app developers can become actionable by members, patients, providers and authorized third parties. Payers can also profoundly reengineer their clinical and administrative processes with access to such data. Today, a payer needs approximately one year’s worth of PHI data on a new plan member to appropriately stratify their care coordination. Under the rules, when new members arrive bearing five years of clinical data, the new plan can quickly accomplish granular stratification and start delivering member-centric care coordination immediately.
Also, Healthcare Effectiveness Data and Information Set (HEDIS) compliance can be streamlined. Instead of paying providers to pull charts for review, payers can use APIs to collect standardized FHIR CDI-based streams of data from providers and use analytics and machine learning to analyze and collate findings and deliver more comprehensive and accurate quality reports.
Interoperability will also create new competition and upset current competitive differentiation. A payer can gain consent from a member to obtain claims and clinical data from past payers, which could be reverse-engineered to reveal closely guarded details about provider networks, benefit structures, contract rates and more.
Disruptive data uses will also emerge. For example, Amazon could offer to waive its Amazon Prime fee for customers who authorize access to their health claims data, which it would use to target purchase suggestions. Large pharmacy chains with access to a consumer’s claims data could tout their ability to prevent adverse drug interactions and then use the data to target retail coupons for that customer. Life insurance companies could ask prospects for permission to use claims data available from the payer’s API with the customer’s consent, instead of paying for a nurse to visit the home.
Take action now
Payers must be ready to play in this new sandbox. The things to do today are:
- Focus your compliance team on the breadth and the timing of the new rules, so you can adequately plan.
- Initiate updates to your data privacy and security policies that incorporate the new data flows.
- Initiate IT diligence on the impact of the new requirements and conduct build/buy analysis for the new technology components.
- Examine your IT roadmap and funding to determine the impact of the new work.
- Educate your fellow executives about the scope and the short timelines of this new compliance exercise.
While tackling these immediate tasks, make time for one more critical effort: Consider the impact of the new world of data access and interoperability on your organization’s strategy. The rules will create operational and strategic opportunities. Payers that plan now to seize these opportunities will have an advantage in the marketplace once the regulations go into effect. It’s not impossible to achieve open yet secure data interoperability.
For more, read part 2 of this installment, “Three Ways Payers Will Use CMS Interoperability Requirements to Connect with Healthcare Consumers”, or visit the Healthcare and Interoperability solutions sections of our website, or contact us.
The Healthcare Effectiveness Data and Information Set (HEDIS) is a registered trademark of NCQA.