Healthcare Information Technology (Health IT) in the United States has undergone considerable change since the HITECH Act came into effect in 2009, promoting the use of Health IT in line with strong privacy and security practices. Wide adoption of Health IT has led to significant increases in the access to and sharing of health data, and has impacted the nature of such sharing. The pace of change is set to increase further as enforcement of the CMS Interoperability and Patient Access Rule (“CMS Rule”) and the ONC Cures Act Final Rule (“ONC Rule”) commences in February 2021.
Overview of the Rules
The fundamental objective of the CMS Rule and the ONC Rule – both of which are regulated by the Department of Health and Human Services (HHS) – is to provide patients with easy access to their health data in a manner that incorporates appropriate privacy and security safeguards. While the two rules share a common objective, they differ in terms of the businesses and systems to which each applies.
The CMS Rule requires most CMS-regulated payers to implement and maintain a secure, standards-based Application Programming Interface (API) that allows patients to easily access their claims and “encounter data”. The CMS Rule also requires participating Medicare and Medicaid providers to send electronic notifications of a patient’s admission, discharge, and/or transfer to a patient’s new health care facility, community provider or practitioner.
The ONC Rule applies to Health IT systems, as well as healthcare providers, health information exchanges (HIEs) and health information networks (HINs) that use such systems. The Rule requires the systems to implement standardized APIs to allow patients and their healthcare providers easy access to electronic health information (EHI) using smartphone applications. A central component of the Rule is its information blocking provisions, which prohibit activities that interfere with access to and exchange of EHI (with specific privacy and security exceptions).
Privacy and Security: Readiness Considerations
The CMS and ONC Rules put a strong focus on privacy and security. In order to prepare for the phased enforcement beginning early next year, organizations impacted by the rules (payers, providers, Health IT developers or system vendors, HIEs, HINs and third-party app developers) should immediately undertake planning and implementation work led by privacy and security teams in close collaboration with IT and clinical/business operations. The following privacy and security planning activities should be considered in readiness efforts.
- Privacy and Security by Design and Default
For most covered organizations, compliance with the CMS and ONC Rules will require significant changes to existing systems or process, or implementations of new systems or processes. Privacy and security teams must be involved from the planning and design stages in order to facilitate the inclusion of privacy and security requirements. Considerations in the design phase should include establishing protocols to ensure data minimization, as well as to authenticate patients and establish secure connections prior to transfers. Planning and design considerations must also include detailed steps related to the privacy and security exceptions to information blocking requirements, which will allow blocking of the access to or exchange of EHI in order to safeguard the EHI or protect the privacy of the individual.
Third-party health apps represent a significant concern in the context of the CMS and ONC Rules. The apps – and their providers – are generally not highly regulated, yet can potentially collect and share health data in an improper manner. To alleviate these concerns, app developers should implement common privacy safeguards such as providing clearly communicated notice and obtaining patient consent (where required) for accessing and sharing of EHI. Privacy notice (made available prior to collection of EHI) should inform patients whether the system or app is covered by HIPAA and provide details of how their EHI is accessed, processed, and shared or sold. It should also provide transparency into the system or application’s capabilities, including the ability to access other information on the patient’s device and how to disable such access.
It is critical that the operations of the systems or apps are consistent with statements made in the privacy notice. In addition to the CMS and ONC Rules, a lack of alignment between practices and notice provided to patients may result in FTC scrutiny for unfair or deceptive practices under Section 5 of the FTC Act. Developers should also be prepared to demonstrate compliance with applicable state data protection regulations (e.g., California Confidentiality of Medical Information Act).
- HIPAA Security, Privacy and Breach Notification
Any organization that is currently a HIPAA Covered Entity (CE) or a Business Associate (BA) must continue to comply with HIPAA Security, Privacy and Breach Notification Rules. Neither the CMS Rule nor the ONC Rule impact obligations under the HIPAA rules in any manner. As such, CEs and BAs that are engaged in activities covered by the CMS Rule and/or the ONC Rule should undertake appropriate privacy and security assessments to identify remediation tasks that will be required with regard to APIs used to share patient data or smartphone apps collecting, processing and transferring patient data. In addition, third-party applications developers that are not HIPAA BAs will need to be prepared to comply with the FTC Health Breach Notification Rule.
- Security Testing
Health IT developers and the users of their systems (e.g., healthcare providers) will need to conduct appropriate security testing of their APIs and interfaces to confirm that there are no security vulnerabilities. Existing security vulnerability or application security programs will need to expand their scope to provide ongoing assurance regarding the APIs and associated technology components and operations.
Enforcement timelines vary for different provisions of the two rules. HHS has announced enforcement delays due to the impact of COVID-19. The revised enforcement dates are reflected below:
|ONC Rule Requirement||Enforcement Date|
|Information Blocking – No actions may be taken that constitute information blocking or that inhibit access, exchange, and use of EHI (subject to privacy and security exemptions).||February 2, 2021|
|Application Programming Interface – Compliance by Certified API Developers with Health IT certified to current API criteria.|
|CMS Rule Requirement||Enforcement Date|
|Admission, Discharge, and Transfer transmissions by Medicare and Medicaid participating healthcare providers.||May 2, 2021|
|Patient Access API implementation by CMS regulated payers.||July 1, 2021|
|Provider Directory API implementation by CMS regulated payers.|
Taking the Next Steps Toward Interoperability
The CMS and ONC Rules together provide a regulatory framework for the immediate future of patient access to, and sharing of, EHI. While giving patients access and the power to decide with whom they will share EHI is a positive step forward, there are inherent risks to privacy and the security of the health data. Organizations developing APIs, as well as Health IT systems and applications, must act now to determine the scope and extent of necessary readiness efforts. HIPAA CEs and BAs, as well as third-party app developers not subject to HIPAA, should immediately undertake readiness initiatives to identify gaps in technologies, operations and governance relative to the new requirements and determine appropriate updates to design, engineering and operations of the technologies and compliance programs.