Calling them “the most extensive healthcare data sharing policies the federal government has implemented,” the U.S. Department of Health and Human Services (HHS) has finalized two major rules aimed at spurring data sharing between payers, providers, and patients. The rules stem from the 2016 passage of the 21st Century Cures Act, which contained provisions to prohibit “information blocking.”
Together, the pair of rules issued by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC):
- Require CMS-regulated payers including Medicare Advantage, Medicaid, CHIP, and Qualified Health Plans participating in the federal exchanges to share claims data electronically with patients in a secure and user-friendly format.
- Compel CMS-regulated payers to exchange certain clinical data with each other at the member’s request, allowing patients to take their data with them when they move plans.
- Mandate that providers offer electronic health information to patients via smartphone app.
- Establish new rules to prevent information blocking by providers, health IT developers, health information exchanges, and health information networks.
- Define eight exceptions under which a practice does not constitute information blocking: preventing harm, privacy, security, infeasibility, health IT performance, content and manner, fees, and licensing.
Industry groups representing both payers and providers reacted swiftly to the news. In a statement, America’s Health Insurance Plans (AHIP) noted that payers share the goals of healthcare interoperability and expanded data access for their members, but also expressed major reservations around security and privacy:
“We remain gravely concerned that patient privacy will still be at risk when health care information is transferred outside the protections of federal patient privacy laws. Individually identifiable health care information can readily be bought and sold on the open market and combined with other personal health data by unknown and potentially bad actors. Consumers will ultimately have no control over what data the app developers sell, to whom or for how long.”
The American Hospital Association expressed similar concerns:
“America’s hospitals and health systems support giving patients greater access and control over their health data. In fact, nearly all hospitals and health systems have made health information available to patients electronically. However, today’s final rule fails to protect consumers’ most sensitive information about their personal health. The rule lacks the necessary guardrails to protect consumers from actors such as third party apps that are not required to meet the same stringent privacy and security requirements as hospitals. This could lead to third party apps using personal health information in ways in which patients are unaware.”
Additional resources are available from CMS and ONC. Stay tuned for further insights and analysis from Cotiviti as we break down the impacts of these regulations.
How is Cotiviti helping payers better leverage their data to improve both financial and clinical outcomes? Get up to speed on Caspian Insights, our unique data and analytics ecosystem that represents the most comprehensive and diverse longitudinal health data set available.