Health care information technology in the U.S. has undergone considerable change since the Health Information Technology for Economic and Clinical Health Act came into effect in 2009, promoting the use of health IT in line with strong privacy and security practices. Wide adoption of health IT has led to significant increases in the access to and sharing of health data and impacted the nature of such sharing. The pace of change is set to increase further as enforcement of the CMS Interoperability and Patient Access Rule and ONC Cures Act Final Rule commences in February 2021.

Overview of the rules

The fundamental objective of the CMS and ONC rules — both of which are regulated by the Department of Health and Human Services — is to provide patients with easy access to their health data in a manner that incorporates appropriate privacy and security safeguards. While the two rules share a common objective, they differ in terms of the businesses and systems to which each applies.

The CMS Rule requires most CMS-regulated payers to implement and maintain a secure, standards-based application programming interface that allows patients to easily access their claims and "encounter data." The CMS Rule also requires participating Medicare and Medicaid providers to send electronic notifications of a patient's admission, discharge and/or transfer to the patient's new health care facility, community provider or practitioner.

The ONC Rule applies to health IT systems, as well as health care providers, health information exchanges and health information networks that use such systems. The rule requires the systems to implement standardized APIs to allow patients and their health care providers easy access to electronic health information using smartphone applications. A central component of the rule is its information-blocking provisions, which prohibit activities that interfere with access to and exchange of EHI with specific privacy and security exceptions. 

Privacy and security: Readiness considerations

The CMS and ONC rules put a strong focus on privacy and security. To prepare for the phased enforcement beginning early next year, organizations impacted by the rules (payers, providers, health IT developers or system vendors, HIEs, HINs and third-party app developers) should immediately undertake planning and implementation work led by privacy and security teams in close collaboration with IT and clinical/business operations. The following privacy and security planning activities should be considered in readiness efforts.

Privacy and security by design and default

For most covered organizations, compliance with the CMS and ONC rules will require significant changes to existing systems or processes, or the implementation of new systems or processes. Privacy and security teams must be involved from the planning and design stages to facilitate the inclusion of privacy and security requirements. Considerations in the design phase should include establishing protocols to ensure data minimization, as well as to authenticate patients and establish secure connections prior to transfers. Planning and design considerations must also include detailed steps related to the privacy and security exceptions to the information-blocking requirements, which allow blocking of access to or exchange of EHI in order to safeguard the EHI or protect the privacy of the individual.

Transparency

Third-party health apps represent a significant concern in the context of the CMS and ONC rules. The apps and their providers are generally not highly regulated, yet they can potentially collect and share health data in an improper manner. To alleviate these concerns, app developers should implement common privacy safeguards such as providing clearly communicated notice and obtaining patient consent (where required) for accessing and sharing EHI. The privacy notice (made available prior to collection of EHI) should inform patients whether the system or app is covered by the U.S. Health Insurance Portability and Accountability Act and provide details of how their EHI is accessed, processed and shared or sold. It should also provide transparency into the system's or application's capabilities, including its ability to access other information on the patient's device and how to disable such access.

It is critical that the operations of the systems or apps are consistent with statements made in the privacy notice. In addition to the CMS and ONC rules, a lack of alignment between practices and notice provided to patients may result in U.S. Federal Trade Commission scrutiny for unfair or deceptive practices under Section 5 of the FTC Act. Developers should also be prepared to demonstrate compliance with applicable state data protection regulations (e.g., California Confidentiality of Medical Information Act). 

HIPAA security, privacy and breach notification

Any organization that is currently a HIPAA-covered entity or business associate must continue to comply with the HIPAA Security, Privacy and Breach Notification Rules. Neither the CMS Rule nor the ONC Rule impacts obligations under the HIPAA rules in any manner. As such, covered entities and business associates that are engaged in activities covered by the CMS Rule and/or the ONC Rule should undertake appropriate privacy and security assessments to identify the remediation tasks that will be required with regard to APIs used to share patient data or smartphone apps collecting, processing and transferring patient data. In addition, third-party application developers that are not HIPAA business associates will need to be prepared to comply with the FTC Health Breach Notification Rule.

Security testing

Health IT developers and the users of their systems (e.g., health care providers) will need to conduct appropriate security testing of their APIs and interfaces to confirm that there are no security vulnerabilities. Existing security vulnerability or application security programs will need to expand their scope to provide ongoing assurance regarding the APIs and associated technology components and operations.

Enforcement timelines

Enforcement timelines vary for different provisions of the two rules. HHS has announced enforcement delays due to the impact of COVID-19. The revised enforcement dates are reflected below:

ONC Rule requirements and enforcement dates:
- Information Blocking: no actions may be taken that constitute information blocking or that inhibit access, exchange and use of EHI (subject to privacy and security exemptions). Enforcement date: February 2, 2021.
- Application Programming Interface: compliance by Certified API Developers with Health IT certified to the current API criteria.

CMS Rule requirements and enforcement dates:
- Admission, Discharge and Transfer transmissions by Medicare and Medicaid participating health care providers. Enforcement date: May 2, 2021.
- Patient Access API implementation by CMS-regulated payers. Enforcement date: July 1, 2021.
- Provider Directory API implementation by CMS-regulated payers.

Details of additional timelines beyond July 2021 are available on the ONC and CMS websites.

Taking the next steps toward interoperability 

The CMS and ONC rules together provide a regulatory framework for the immediate future of patient access to and sharing of EHI. While giving patients access and the power to decide with whom they will share EHI is a positive step forward, there are inherent risks to privacy and the security of the health data. Organizations developing APIs, as well as health IT systems and applications, must act now to determine the scope and extent of necessary readiness efforts. HIPAA covered entities and BAs, as well as third-party app developers not subject to HIPAA, should immediately undertake readiness initiatives to identify gaps in technologies, operations and governance relative to the new requirements and determine appropriate updates to design, engineering, and operations of the technologies and compliance programs.
