Beyond IT: Why the regulatory push toward interoperability requires whole organizational responses from providers, payers


A regulatory push by CMS and the Office of the National Coordinator for Health Information Technology aims to shift the way the healthcare system shares data, moving from a system where healthcare organizations may share data under HIPAA to one where they must share data. This has immediate and long-term implications for payers and providers faced with a healthcare infrastructure not built for interoperability.

Final rules make certain patient health data available via apps 

In line with the 21st Century Cures Act, HHS' final regulations require CMS-regulated payers, such as those in Medicare Advantage, Medicaid and CHIP Fee-For-Service and managed care, as well as some qualified health plans in the federal exchanges, to make patient claim, encounter, cost and some clinical data available to beneficiaries through an application programming interface (API) based on Fast Healthcare Interoperability Resources (FHIR). FHIR, developed by the industry, is a standard for exchanging data between healthcare applications.

In addition, according to the final rules:

  • These payers must also make provider directory information available via API and use the US Core Data for Interoperability standard to exchange patient clinical data when the patient requests it or changes plans. 

  • Hospitals, psychiatric hospitals and critical access hospitals participating in Medicare or Medicaid will have to send electronic admission, transfer and discharge (ADT) notifications to other applicable providers such as post-acute care centers or primary care practitioners when a patient is admitted, discharged or transferred. 

  • Certified electronic health record (EHR) systems must implement the API capabilities required by the 21st Century Cures Act within 24 months of the rule’s publication.

  • The ONC rule prohibits information blocking practices, with some exceptions for “reasonable” activities, by providers, health IT developers and health information exchanges. 

The final rules will require new processes, workflows, investments and partnerships depending on where the organization sits in the healthcare ecosystem. 

The drive to make patient health information more available through apps could fuel new entrants seeking to capitalize on a freer flow of data, leaving behind the companies that collected that data in the first place. Healthcare organizations should look to build proactive, rather than reactive, strategies to succeed.

Who will monetize the data?

The introduction of third-party app developers or digital health companies raises concerns around protection of patient data. While healthcare entities are acting to protect health information under the 1996 Health Insurance Portability and Accountability Act (HIPAA), consumer app developers are not necessarily covered by that law and related regulations. Healthcare IT experts say patients may not understand that when they click ‘yes’ to the terms and conditions for a new health app that pulls information from their electronic health record, that information may no longer be HIPAA-protected.

The HHS Office for Civil Rights issued guidance in April to clarify the HIPAA-related responsibilities in sharing data with third-party apps, with the agency stating “once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate.” This puts the onus on the patient to understand that the application they select may not provide adequate security protections.

The final rules allow payers and providers to educate consumers, on their websites and elsewhere, about the potential risks of transferring data to third parties outside of HIPAA. They can caution consumers to be sure they understand any secondary data use policies the app may have. But “such efforts generally must stop at education and awareness or advice regarding concerns related to a specific app,” the rule states.

Healthcare organizations still have an interest in protecting both their relationships with consumers and their reputations. This raises questions of when, where and how payers and providers should properly educate patients and inform them of the risks of sharing their data. It’s not clear that consumers would draw the legal distinction about a provider’s or payer’s role should they find their sensitive health information misused.

Healthcare companies need to develop whole organizational responses to prepare for the changing regulatory environment.

Key questions for organizations

Identify a leader

This is not just an issue for IT or compliance departments; this demands a cultural and technological shift in healthcare as it moves the system from one where organizations may share data to one where they must share data. A leader is needed within payer and provider organizations who can advocate at the top levels and coordinate involvement of multidisciplinary teams. Compliance deadlines for certain provisions that require new operations could pose a tight timeline for some companies.


Map out your data to see what’s affected

Payers and providers should assess the state of their data, and consider what unstructured data sets exist. They should classify the data to understand which may contain personal health information targeted by new regulations and where the data flows downstream. Data cleanup efforts and an assessment of how much of the data conforms to industry standards are also important, along with a map of who controls the data, when it is pushed out and to whom.

Now is also a good time to review patient matching processes and develop different methods for crosswalking patient identifiers or demographic information. 

Providers should communicate with vendors about what updates they may have planned for EHR systems to respond to the regulations.


Review business partnerships in this new regulatory environment

Digital health companies and new entrants may help organizations take advantage of the opportunities that achieving interoperability may present. However, the freer flow of information opens up new questions about data privacy, as some companies accessing the data may not be covered under HIPAA. 

Companies should consider the legal risks and take steps to protect their reputations and relationships with customers by thinking through issues of consent and data privacy. Healthcare organizations should review their current policies and consider whether they offer protections for customers under the new processes and what data security risks may emerge. They should also consider whether business associate agreements are due in more situations.


Prepare for new processes

Healthcare organizations may find that they have entirely new functions to perform, such as notifying other providers of a discharge or making patient data available via API.

Providers and payers should consider not only the potential cost implications and new workflows, but also the impact on their workforces and the training that will be needed to ensure not only compliance but an effective digital strategy.


Contact us

John Rich

Health Services Principal, PwC US

Chris Van Pelt

Principal, US Health Industries, PwC US

Lisa Gallagher

Managing Director, PwC US

Vaughn Kauffman

Principal, Health Industries, PwC US

Benjamin Isgur

Health Research Institute Leader, PwC US
