
Beyond IT: Why the regulatory push toward interoperability requires whole organizational responses from providers, payers

A regulatory push by CMS and the Office of the National Coordinator for Health Information Technology aims to shift the way the healthcare system shares data, moving from a system where healthcare organizations may share data under HIPAA to one where they must share data. This has immediate and long-term implications for payers and providers faced with a healthcare infrastructure not built for interoperability.

Note: Two proposed rules from CMS and the ONC are still under review, but are expected to be finalized in 2020. HRI is monitoring when the final rules are released and will update this page with new developments.

Where federal regulations are heading

In line with the 21st Century Cures Act passed by Congress in 2016, HHS is moving toward a regulatory environment where payers in Medicare Advantage, Medicaid and CHIP Fee-For-Service and managed care, as well as qualified health plans in the federal exchanges, make patient claims and other health information available to 125 million beneficiaries using an application programming interface (API) based on Fast Healthcare Interoperability Resources (FHIR), an industry-developed standard for exchanging data between healthcare applications.

The agencies foresee payers sharing patient information with each other as patients move from plan to plan and also participating in larger trusted health information exchanges. For their part, providers would send notifications to other providers as patients are admitted, transferred or discharged. And essentially anyone certified in health information technology would have to use an application programming interface in their system that makes patient data accessible in a more meaningful format, such as a mobile or web-based app.

The compliance concerns are significant, as new processes, investments, priorities and partnerships may be needed depending on where the organization sits in the health ecosystem. The drive to make patient health information more available through apps could fuel new entrants seeking to capitalize on a freer flow of data, leaving behind the companies that collected that data in the first place. Healthcare organizations should look to build proactive, rather than reactive, strategies to succeed.

What does an interoperable system look like?

In the vision sketched out by Congress and regulatory agencies of an interoperable U.S. health system, data moves freely and securely along with the consumer, with vibrant apps connecting patients and their wearables to care teams. Providers and payers share information immediately and fully with traditional competitors and third-party developers, while information blockers holding up care coordination are not only shamed for hoarding data, but possibly punished.

The result? A full patient picture that empowers the healthcare ecosystem to better identify prevention opportunities, eliminate the cost and frustration of duplicate tests and endless forms to fill out, and enable patient data to move seamlessly between providers, and between health plans.

But this vision collides with a reality where only 31 percent of office-based physicians can integrate electronic health information from other organizations without someone manually re-entering the information, according to a 2018 ONC report to Congress. And it’s not clear if providers see sharing data with each other as a priority. In a 2019 PwC Health Research Institute (HRI) survey of provider and payer executives, fewer than 24 percent said data sharing with healthcare providers was a top opportunity to improve the patient experience, ranking below call centers for patients and patient adherence programs.


Who will monetize the data?

The introduction of third-party app developers or digital health companies raises concerns around protection of patient data. While healthcare entities are acting to protect health information under the 1996 Health Insurance Portability and Accountability Act (HIPAA), consumer app developers are not necessarily covered by that law and related regulations. Healthcare IT experts say patients may not understand that when they click ‘yes’ to the terms and conditions for a new health app that pulls information from their electronic health record, the information may not be HIPAA-protected.

The HHS Office of Civil Rights issued guidance in April to clarify the HIPAA-related responsibilities in sharing data with third-party apps, with the agency stating “once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate.” This puts the onus on the patient to understand that the application they select may not provide adequate security protections.

Industry groups are also trying to develop consensus for how third parties will use, store and manage consumer health data to prevent it from being used for other purposes, such as marketing or even being sold, without their consent. The CARIN Alliance, a nonpartisan organization that brings together payers, providers, pharma, technology companies and consumer groups, has drafted a code of conduct for companies handling health data outside of HIPAA to make sure consumers can consent to how it is used.

Healthcare companies need to develop whole organizational responses to prepare for the changing regulatory environment.

Key questions for organizations

Identify a leader

This is not just an issue for IT or compliance departments; this demands a cultural and technological shift in healthcare as it moves the system from one where organizations may share data to one where they must share data. A leader is needed within payer and provider organizations who can advocate at the top levels and coordinate involvement of multidisciplinary teams.

In some organizations this may be a chief data or digital officer who can spearhead the organization’s response. Others may determine it’s everyone’s role in the organization to think digitally.


Map out your data to see what’s affected

Payers and providers should assess the state of their data, and consider what unstructured data sets exist. They should classify the data to understand which may contain personal health information targeted by new regulations and where the data flows downstream. Data cleanup efforts and an assessment of how much of the data conforms to industry standards are also important, along with a map of who controls the data, when it is pushed out and to whom.

Now is also a good time to review patient matching processes and develop different methods for crosswalking patient identifiers or demographic information.

Providers should communicate with vendors about what updates they may have planned for EHR systems to respond to the regulations.


Review business partnerships in this new regulatory environment

Digital health companies and new entrants may help organizations take advantage of the opportunities that achieving interoperability may present. However, the freer flow of information opens up new questions about data privacy, as some companies accessing the data may not be covered under HIPAA.

Companies should consider the legal risks and take steps to protect their reputations and relationships with customers by thinking through issues of consent and data privacy. Healthcare organizations should review their current policies and consider whether they offer protections for customers under the new processes and what data security risks may emerge. They should also consider whether business associate agreements are due in more situations.


Prepare for new processes

Healthcare organizations may find that they have entirely new functions to perform, such as notifying other providers of a discharge or making patient data available via API.

Providers and payers should consider not only the potential cost implications, but also the impact on their workforces and the training that will be needed, to ensure not only compliance but an effective digital strategy.
