June 9, 2020

On March 9, 2020, the Centers for Medicare & Medicaid Services (CMS) issued the Interoperability and Patient Access final rule (Final Rule) aimed at enhancing interoperability and increasing patient access to health information.[1] Specifically, the Final Rule establishes policies that break down barriers in the nation’s health system to enable better patient access to their health information, improve interoperability, and unleash innovation while reducing burden on payers and providers. Significantly, on April 21, 2020, CMS released a follow-up announcement regarding the Final Rule issued in March. This announcement provided additional time for providers and organizations to develop and implement some of the required policies under the Final Rule due to the COVID-19 pandemic. The following is a summary of the key provisions included in the Final Rule as well as their deadlines.


Following the Proposed and Final Rule, organizations expressed concern over potential privacy issues. In response, CMS has explained that the privacy and security of patient information is a top priority. CMS, in partnership with the Office of the National Coordinator for Health Information Technology (ONC), has identified Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1 as the foundational standard to support data exchange via secure application programming interfaces (APIs). Furthermore, CMS is adopting the standards for FHIR-based APIs being finalized by HHS in the ONC 21st Century Cures Act rule at 45 CFR 170.215.


The Final Rule modifies the Conditions of Participation (CoPs) to require hospitals, including psychiatric hospitals and critical access hospitals (CAHs), to send electronic patient event notifications of a patient’s admission, discharge, and/or transfer (ADT) from the hospital to certain providers. The new CoPs require Medicare and Medicaid participating hospitals that utilize an electronic medical records system, or other electronic administrative system, to demonstrate the following:

•     The patient’s registration in the hospital’s emergency department.

•     The patient’s admission to the hospital’s inpatient services.

•     To the extent permissible under applicable federal and state law and regulations, and not inconsistent with the patient’s expressed privacy preferences, the system sends notifications either immediately prior to, or at the time of:

–     The patient’s discharge or transfer from the hospital’s emergency department.

–     The patient’s discharge or transfer from the hospital’s inpatient services.

•     The hospital has made a reasonable effort to ensure that the system sends the notifications to all applicable post-acute care services providers and suppliers, the patient’s established primary care practitioner, primary care practice group or entity, or any other provider that the patient indicates is primarily responsible for his or her care, which need to receive notification of the patient’s status for treatment, care coordination, or quality improvement purposes.

Please note that these requirements are only applicable to those hospitals that use a system conformant with the HL7 2.5.1 content exchange standard, which indicates a system has the basic capacity to generate information for patient event notifications. Thus, hospitals without an EHR system with the technical capacity to generate information for electronic patient event notifications, defined as a system conformant with the ADT messaging standard (HL7 2.5.1), will not be subject to this section of the Final Rule.

Lastly, the timeline for this part of the Final Rule was intended to be applied within six months of publication of the Final Rule in the Federal Register. However, as a result of COVID-19, the timeline has been extended to 12 months from publication. During this time, eligible hospitals should analyze the abilities of current IT systems and the capability of sending electronic notifications as dictated by the modified CoPs.


Beginning in late 2020, and starting with data collected for the 2019 performance year data, CMS will publicly report eligible clinicians, hospitals, and CAHs that may be information blocking based on how they attested to certain Promoting Interoperability Program requirements found in 42 CFR 414.1375(b)(3)(ii). CMS discusses that it will benefit the public knowing which providers may have attested, as that information can help patients choose providers more likely to support electronic access to their health information.

Additionally, CMS will begin publicly reporting those providers who do not list or update their digital contact information in the National Plan and Provider Enumeration System (NPPES) in late 2020. This includes providing digital contact information such as secure digital endpoints like a Direct Address and/or a FHIR API endpoint. The purpose behind making the list of providers who do not provide this digital contact information publicly is to encourage providers to make this information easily accessible in order to facilitate care coordination and data exchange.


In the Final Rule, CMS-regulated payers, specifically Medicare Advantage organizations, Medicaid Fee-for-Service (FFS) programs, Medicaid managed care plans,[2] CHIP FFS programs, CHIP managed care entities, and QHP issuers on the Federally-facilitated Exchanges, are required to implement and maintain a secure, standards-based (HL7 FHIR Release 4.0.1) API that allows patients to easily access their claims and encounter information, including cost, as well as a defined sub-set of their clinical information through third-party applications of their choice.

More specifically, CMS is requiring that the Patient Access API must, at a minimum, make available adjudicated claims (including provider remittances and enrollee cost-sharing); encounters with capitated providers; and clinical data, including laboratory results (when maintained by the impacted payer). The data must be made available no later than one business day after a claim is adjudicated or encounter data are received. Under the Final Rule, CMS is requiring that beginning July 1, 2021, impacted payers make available through the Patient Access API the specified data they maintain with a date of service on or after January 1, 2016. CMS hopes that these policies facilitate the creation and maintenance of a patient’s cumulative health record with their current payer.


The CMS-regulated payers noted above, with certain exceptions, are required by the Final Rule to make provider directory information (including provider names, addresses, phone numbers, and specialties) publicly available via a standards-based API. Payers must make standardized information about their provider networks available by July 1, 2021. CMS hopes that by making this information broadly available in this way will encourage innovation by allowing third-party application developers to access information so they can create services that help patients find providers for care and treatment, as well as help clinicians find other providers for care coordination, in the most user-friendly and intuitive ways possible. 


As of January 1, 2022, CMS-regulated payers are required to exchange certain patient clinical data (specifically the U.S. Core Data for Interoperability version 1 data set) at the request of a patient. This will allow patients to take their information with them as they move from payer to payer over time and help create a complete health record with their current payer. CMS believes having a patient’s health information in one place will facilitate informed decision-making and efficient care, and ultimately lead to better health outcomes.


Given the timely deadlines in the Final Rule, health plans, hospitals, and organizations will need to assess their systems and policies and procedures to ensure that the necessary and required procedures systems in place are aligned with the new requirements under the Final Rule.

If you would like assistance in complying with the new requirements, please contact a member of Hancock Daniel’s Reimbursement team.

Click here for a full copy of this advisory.

The information contained in this advisory is for general educational purposes only. It is presented with the understanding that neither the author nor Hancock, Daniel & Johnson, P.C., is offering any legal or other professional services. Since the law in many areas is complex and can change rapidly, this information may not apply to a given factual situation and can become outdated. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice. Under no circumstances will the author or Hancock, Daniel & Johnson, P.C. be liable for any direct, indirect, or consequential damages resulting from the use of this material.

[1] The Final Rule was released the same day as the ONC final rule, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program.

[2] Excluding issuers offering only stand-alone dental plans and QHP issuers offering coverage in the Federally-facilitated Small Business Health Options Program.

Print Friendly, PDF & Email