CMS final rule poses big hurdles for payers
Payers and health plans will face challenging deadlines for achieving information exchange under the recently released final rules on interoperability and information blocking.
An organization representing health plans contends that timelines for meeting requirements under the rules will be difficult to achieve, suggesting that the standards needed to achieve data exchange are immature and not proven to support the scale of interoperability that will be needed.
The rules – issued this past week by the Centers for Medicare & Medicaid Services – seek to fulfill the interoperability and information blocking provisions of the 21st Century Cures Act, laying out requirements for several segments of the healthcare industry.
By Jan. 1, 2021, the CMS rule requires Medicare Advantage, Medicaid (both fee-for-service and managed care), Children's Health Insurance Programs (both fee-for-service and managed care) and Qualified Health Plans in federally facilitated exchanges to deploy application programming interfaces (APIs) that can share patients' data with any third-party app selected by a patient.
In general, payers must share data as requested by the patient, unless the payer conducts a security analysis and determines connecting to the app via the API presents an unacceptable level of risk to the security of PHI in transit or in the payer's systems, according to an analysis by Audacious Inquiry, a health information technology and policy company.
That deadline will be challenging to meet, said Danielle Lloyd, senior vice president of private market innovations and quality initiatives for clinical affairs at America's Health Insurance Plans, the national association representing organizations that provide coverage for healthcare and related services.
"A lot will have to go in to meeting that deadline, starting with absorbing the rules; health plans will have to put out [requests for proposals], then there's vendor selection, getting documentation and [repeated testing]" to ensure complete accuracy, Lloyd said. "It's overly ambitious to begin with, and then you have to mix in the national response to COVID-19," which is likely to divert health plans' resources over the coming months.
Lloyd also notes that information exchange will be based on use of APIs built on the latest version of HL7's Fast Healthcare Interoperability Resources. Version 4.0 of FHIR became normative only last year, but Lloyd said it's not "fully mature" and unproven in uses such as that envisioned by the final rule.
"The standards are not fully baked yet, and still going through reconciliation and testing," she contended. "It's a little hard to put out an RFP and build a technology when the standards are not fixed in stone. We'll see more technical challenges as health insurance plans go through this process."
The final CMS rule also stipulates that "through the Patient Access API, payers must permit third-party applications to retrieve [patient] data … the API, must, at a minimum make available adjudicated claims, including provider remittances and enrollee cost sharing; encounters with capitated providers; and clinical data, including laboratory results."
That data must be made available no later than one day after a claim is adjudicated or encounter data is received, according to the rule, setting a Jan. 1, 2021, deadline for compliance. That will loom as a large technical challenge for health plans, and releasing the information could be confusing for consumers and counterproductive for the industry, Lloyd contended.
Releasing claims information through open APIs will require "a lot of cross referencing, a lot of research into implementation guides, and a lot of reading and connecting the dots," she said. Because CMS does require claims information and negotiated rates to be released, AHIP is "concerned that proprietary negotiated rates will be put out, and this will end up distorting the healthcare markets."
Health plans also are concerned about protecting the privacy of patients, whose data will flow through third-party apps produced by developers that are not covered under current HIPAA statutes.
Another major deadline comes Jan. 1, 2022, when Medicare Advantage plans, Medicaid and CHIP managed care plans, and QHPs will be required to share patient data with other payers. Payers must respond to requests from a patient to share their data, up to five years after their coverage ends, the Audacious Inquiry analysis noted.
"Payers are under no obligation under this rule to update, validate or correct data received from another payer. They also do not need to seek out and obtain data if they do not already have it. A payer is only required to send data received under this payer-to-payer data exchange requirement in the electronic form and format it was received."
CMS allows payers to use multiple methods for the electronic exchange of this information, including use of APIs or an HIE. CMS notes that future rulemaking may require this payer-to-payer data exchange to occur via FHIR-based APIs only.
The CMS final rule did result in one delay for health plans – based on public comment, the agency did not finalize a proposal to require payers to participate in a trusted exchange network, "given the concerns that commenters raised regarding the need for a mature Trusted Exchange Framework and Common Agreement (TEFCA) to be in place first," the rule noted.
"The big thing, at the end of the day, is that we have to have an adequate time to thoroughly test all of this technology before it's adequately deployed," Lloyd concluded. "There's so much technology that lies behind all of this, and we have to make sure we have monitoring tools, so that data from the right patient is going through the right app to the right destination.
"Health insurance providers support getting more data into the hands of consumers. Health plans have already gone down this path of providing [price information to consumers] through web-based tools," she added. "Health plans are committed to working with the administration and rest of healthcare stakeholders to where data can seamlessly be shared. The devil is in the details."
Fred Bazzoli is a contributing writer to Healthcare IT News.
Healthcare IT News is a HIMSS Media publication