Skip to content Skip to footer

Loading Results

Providers, payers must prepare to share patient data with third-party apps in final interoperability rules

Crystal Yednak Senior Manager, Health Research Institute, PwC US March 13, 2020


Long-awaited final interoperability rules released from CMS and the Office of the National Coordinator for Health Information Technology (ONC) this week push healthcare industry stakeholders to share more data with each other and with patients. Among other things, CMS-regulated payers will have to help make patient information available through smartphone apps and to exchange patient information with other health plans. They must also make provider directory information available via API in January 2021.  

When first proposed in February 2019, the Trump administration’s rules drew fiery backlash from industry stakeholders who raised concerns about the accelerated timeline for compliance; the burden on industry of implementing new technology and processes and meeting new standards; and what a freer flow of patient health data would mean for patient privacy.

In the finalized version, the administration tried to address some of the industry concerns, but ultimately most of the main provisions of the proposal are moving forward, with the first of the new requirements in effect within six months of the rules’ publication. The rules were published amid widespread preparations around COVID-19 by healthcare providers and payers.

What the rules mean for payers:

  • Starting in January 2021, payers regulated by CMS such as Medicare Advantage, Medicaid and the Children’s Health Insurance Program (CHIP) will have to make patient claims and encounter, cost and some clinical information available through a Patient Access application programming interface, or API.
  • Payers must also make provider directory information available via API in January 2021.
  • By January 2022, payers regulated by CMS will have to use the US Core Data for Interoperability standard to exchange patient clinical data when the patient requests it or changes plans. Payers will have to send information going back to Jan. 1, 2016, but will only have to share data in the electronic form and format in which it was received.

What the rules mean for providers:

  • Hospitals, psychiatric hospitals and critical access hospitals participating in Medicare or Medicaid will have to send electronic admission, transfer and discharge (ADT) notifications to other applicable providers such as post-acute care centers or primary care practitioners when a patient is admitted, discharged or transferred. This takes effect within six months of the rule’s publication.
  • Providers and technology vendors face public reporting for information blocking activities. Clinicians and groups that cannot positively answer three statements around information blocking for CMS’ Merit-Based Incentive Payment System, also known as MIPS will be publicly reported on the CMS website Physician Compare. Hospitals that cannot attest to three statements related to information blocking under the Medicare fee-for-service Promoting Interoperability Program will be publicly reported on a CMS website by late 2020. 
  • Certified electronic health records (EHR) systems must implement required API capabilities required by the 21st Century Cures Act within 24 months of the rule’s publication.
  • The ONC rule prohibits information blocking practices, with some exceptions for “reasonable” activities, by providers, health IT developers and health information exchanges. The rule also allows for providers to share screenshots and video of patient EHRs, with limitations.

The agencies dropped a proposal to require payers to participate in trusted health information exchange networks. CMS said it was responding to industry concerns that a mature Trusted Exchange Framework and Common Agreement should be in place first and said that work is ongoing on that effort.

The rules are effective 60 days after their publication in the Federal Register.

HRI impact analysis

The regulations require a whole organizational response from providers and payers, as many of these provisions require new processes, workflows, investments, strategies and considerations of new risks that could emerge in this new environment.

While some of the regulations are extremely technical in nature, they are aimed at transforming the way the industry shares patient data and the way consumers access their health information.

The rules have drawn vocal concern from industry stakeholders who worried that the involvement of third-party app developers could mean that patient data could be misused, as the Health Insurance Portability and Accountability Act (HIPAA) would not apply in all cases.

The final rule does allow payers to ask third-party app developers to confirm that they are following certain privacy practices, such as attesting that their privacy policy specifies any secondary uses for patient data.

Healthcare organizations are allowed to educate members about potential risks to their privacy when authorizing apps to access their data, but they cannot prevent the exchange of that data.

Some provisions of the rules take effect within six months of publication, or by January 2021, which could present a tight timeline for organizations that were not already preparing for implementing APIs or making sure their data was in a clean state to meet the new standards.

The rules also arrive as hospitals, physicians and insurers try to respond to the growing public health emergency of COVID-19 and unknown questions of how their facilities, members, employees and patients will be hit by the virus in the coming weeks and months.

Read our research

Contact us

Trine K. Tsouderos

Business Insights, Sectors Leader and Health Research Institute Leader, PwC US

Tel: +1 (312) 241 3824

Crystal Yednak

Senior Manager, Health Research Institute, PwC US

Follow us