Q&A on upcoming federal rules on interoperability

Start adding items to your reading lists:
Save this item to:
This item has been saved to your reading list.

March 06, 2020

As the healthcare industry awaits the final version of interoperability rules proposed by CMS and the Office of the National Coordinator for Health Information Technology (ONC) that would transform the way the healthcare industry shares data, HRI talks with PwC Managing Director Lisa Gallagher about the implications for payers and providers (read HRI’s report examining the potential impacts of the rules here). Gallagher also was co-chair of the Health IT Standards Committee of ONC, as well as vice president of HIMSS.

PwC Health Research Institute (HRI):

The proposed rules would require healthcare companies to make patient data available through APIs so consumers can access their data via apps. What new processes or workflows might these rules require of healthcare companies?

Lisa Gallagher, Managing Director, PwC Cybersecurity and Privacy

Initially, many people interpret compliance with these regulations as a technical implementation. Not only is this a technical exercise, but there are significant administrative and workflow processes that need to be implemented or modified.

For example, for providers, they will have to have the ability to intake a request from the patient to access their data through their chosen API. As they intake and process the request, they have to identity-proof the patient (verify the patient is who they claim to be) and match that patient to the appropriate record. And they may have to inform them of the privacy and security risks because the patient is accessing their data through a third-party app that likely is not covered by HIPAA.

Additionally, there is a requirement for the providers to create a new electronic notice of ADT [admissions, discharge or transfers of patients] and push that notice, along with all clinical information, to the patient’s primary care physician, care manager or other key healthcare provider (such as a long-term care facility).

And for payers, there are very similar challenges. In addition to the connection of the API and those administrative processes that I mentioned, HHS requires plans to support “patient mobility,” that is, when a patient changes from one plan to another, the original plan will have to implement an active push of all of the patient’s plan data―the patient clinical data, claims history and encounter data—to the member’s new plan, following a specific industry technical standard, the US Core Data for Interoperability (USCDI) standard.

The plans will also have a requirement to establish connectivity with and actively exchange electronic health information through a national Trusted Exchange Framework and Common Agreement (or TEFCA) network, a specific instance of a national-level health information exchange called out in the regulation. These are new requirements for many plans.

HRI: These rules have created a gray area regarding HIPAA that is prompting much concern. How should healthcare companies address this gray area?

Lisa Gallagher: We have a construct to cover how business partners of healthcare companies are using data if they are technically “business associates” under the HIPAA regulations. The HIPAA regulations apply directly to covered entities that are payers, providers or clearinghouses.

In order for an organization to be a business associate, they have to be doing services for, or on behalf of, a covered entity. In this case, the API vendor is not necessarily performing services on behalf of the covered entity. They are most likely performing services for the patient, at the patient’s request, through the patient-selected API. So technically they may not be considered a business associate of a covered entity―the payer or the provider―and therefore not directly covered by the HIPAA regulations.

So the regulations require payers and providers to allow access to that information by a patient through an API where the API, and the associated vendor or producer of the app, may not be covered by HIPAA.

Organizations are concerned about doing that and feel that at minimum, they are going to need to notify the patient that “you are connecting to this app at your own risk and you are utilizing the services of a company that is not covered by the regulation.”

This is a space to watch. But for healthcare companies, the privacy and security concerns with these transactions are not completely resolved.

Many people interpret compliance with these regulations as a technical implementation. Not only is this a technical exercise, but there are significant administrative and workflow processes that need to be implemented or modified.

HRI: Do you foresee that these rules would require sizable investments from healthcare companies?

Lisa Gallagher: For providers, things like creating a system to notify other providers, changing discharge procedures, intaking patient requests and connecting APIs are all going to have significant administrative, process and cost implications and any newly created regulatory compliance programs will also have to get included in that cost.

For the payers, they have to look at the cost for reviewing their processes and procedures and their own ability to pass along full claims history and encounter data about the right patient and connect to the national [health information exchange].

The overall cost impact and structure is important to look at too, because downstream, how is it going to affect plan premiums and other things that directly affect the patients? So as the regulations are released, an assessment of the current state, putting in place a road map and managing the cost of a response to these requirements in a very short time is something that can be a challenge as well.

Read our research

Contact us

Trine K. Tsouderos

HRI Regulatory Center Leader, PwC US

Tel: +1 (312) 241 3824

Crystal Yednak

Senior Manager, Health Research Institute, PwC US

Erin McCallister

Senior Manager, Health Research Institute, PwC US

Follow us