Redox logo

5 big questions still to be answered by the final ONC and CMS healthcare interoperability rules

Nov 12, 2019

With the CMS and ONC final healthcare interoperability rules under review at OMB, it’s time to look closely at the proposed rules and reflect on what the biggest outstanding questions are. 

Question #1: When will various parts of the rules take effect? 

There is a lot going on and being proposed - here are some key features and when the proposed rules have them taking effect:

  • Information Blocking - technically took effect 30 days after 21st Century Cures was signed into law (December 2016). The big thing to look for will be whether or not any enforcement is taken on events that occurred between then and now.

  • CMS Requirements for Payers - The CMS rule has many requirements including the ability to electronically tell someone near you when a patient is admitted in order to receive CMS dollars, starting on January 1, 2020. With that date quickly approaching, it’s likely to get pushed back, but by how much will be something to watch. Regulations directly tied to payments tend to drive the fastest actions. 

  • CEHRT program changes - Requirements such as using FHIR are expected to be met within 24 months of the final rule coming out. Many commenters thought this was not enough time, but waiting until 2022 to use FHIR is equally unappetizing. We will see if they find a middle ground.

Question #2: Will data blocking be limited to USCDI? 

A theme of many comments was the breadth of data considered for data blocking. Commenters such as the Electronic Health Record Association called for it to be restricted to a constrained set of data such as USCDI. 

Also worth noting, is the new “full export” criteria. Essentially, certified EHR technology are required to give a full dump of all patient data, including billing, administrative, and other non-clinical data. EHR vendors will no doubt struggle to implement this, but such functionality is already available from Google and Facebook due to GDPR regulations motivated by privacy concerns. Watch the final rule for any subtle changes to these criteria. 

Question #3: Will there be any specific mention of TEFCA? 

The Trusted Exchange Framework and Common Agreement (TEFCA) was hamstrung when congress put it into the 21st Century Cures Act because its use was made voluntary. In these latest rules, there is nothing to stop either CMS or ONC from requiring participation in TEFCA, say for data blocking. From the ONC rule: 

We request comment as to whether certain health IT developers should be required to participate in the TEFCA as a means of providing assurances to their customers and ONC that they are not taking actions that constitute information blocking or any other action that may inhibit the appropriate exchange, access, and use of electronic health information (EHI).

Both the CMS and ONC rules have requirements for joining networks, whether or not they make a TEFCA Qualified Health Information Networks (QHIN) a requirement is to be determined. While no QHINs exist yet, the Sequoia Project was selected to run the QHIN certification program in September.

Question #4: Which version of FHIR will be in the final rule? 

The proposed rule requires the use of FHIR DSTU2 which was officially standardized in 2015. The latest FHIR release (R4) has the first-ever normative resources - meaning they won’t be subject to change in future releases. The ONC acknowledges as much in the proposed rule but asks for public comments. Keeping DSTU2 as the version will be a nod to EHRs that were early adopters of FHIR, moving to R4 would mean more work for everyone but demonstrate that ONC is pushing the standard forward. 

Question #5: Will any of the foundations of the data blocking exceptions be changed? 

Everything is data blocking unless it falls into one of 7 specific but somewhat large buckets:

  1. Patient harm/corrupt data

  2. Privacy (HIPAA still applies)

  3. Security (An API might be taken offline if a breach happens)

  4. Recovering reasonable costs incurred (with some exceptions to the exception)

  5. Infeasibility (The actor could only comply with the request by incurring costs or other burdens that are clearly unreasonable. In this scenario, the actor must respond in a timely manner and work with the requestor to identify and provide a reasonable alternative.)

  6. Ability to protect IP (Reasonable and Non-discriminatory terms)

  7. Maintenance and performance (the system can go down under certain rules)

Some of the exceptions were more controversial than others - EHR vendors, for example, didn’t like #4 and #6. We’ll be looking to see if this list changes at all in the final rule, or if changes will just involve more clarification. 

Ready or not, the final ONC and CMS healthcare interoperability rules are on the way. As with all wide-ranging regulations, the ripple effect on our industry promises to be immense. We will keep a close eye on how things develop and share our thoughts on the final decisions when that information is made available. Until then, interesting questions to ponder!

If you have thoughts you'd like to share, we encourage you to join our public Slack community. With over 1,000 healthcare developers, you're sure to find a captive audience.