CMS Expands on Patient Access and Interoperability Requirements for Health Plans

On December 10, 2020, CMS released a new Notice of Proposed Rulemaking (NPRM) that would expand machine-readable access to health plans’ data, building on requirements finalized in March 2020 (see our blog on the CMS Final Rule). The NPRM proposes a second phase of application programming interface (API) development for certain impacted health plans that would allow patients—and now providers—to access prior authorization data in addition to claims, encounters, and clinical data in a standardized format.

Comments are due on January 4, 2020. This rapid timeline signals CMS’s likely intent to publish a final regulation before the January 20 inauguration. CMS proposes that these phase two updates to the APIs would be required January 1, 2023. Several extension and exemption processes are proposed for impacted plans.

The NPRM only impacts Medicaid state agencies, Medicaid Managed Care, CHIP proposals, and Qualified Health Plans on the federally-facilitated exchange. Notably, it omits Medicare Advantage organizations (MAOs). But this omission likely is because Medicare Advantage rules require a 60-day comment period. We expect CMS to follow this NPRM with parallel recommendations for MAOs.

Key proposals include:

• An enhanced Patient Access API, which would be updated to include pending and active prior authorization decisions, and a new requirement that plans implement a privacy and security attestation process (which was previously optional).
  • Prior Authorization: Notably, prior authorization data will not extend to decisions about prescription drugs and/or covered outpatient drugs at this time; however, we anticipate that CMS could include these as “items or services” in future rulemaking, as CMS as specifically requested comments on this topic. The timeline for availability of prior authorization data is one business day after initiation of the request or change in status, consistent with the one business day timeline for the other required data categories from the Final Rule.
  • Privacy Attestation: CMS notes that it has received substantial commentary from the public related to privacy concerns about how third-party applications are using patients’ data. To address this, CMS proposes to require plans to establish a process for third-party application developers to attest to certain privacy policy provisions prior to retrieving patient data, and to inform patients when the third-party apps respond with “positive, negative, or no response, with a clear explanation of what each means.” Plans also would be required to share information about the attestation process and the requisite privacy provisions in the required enrollee resources, including the enrollees’ rights regardless of the response by the third-party apps. Essentially, this would require plans to take on the responsibility of identifying the key privacy practices that third-party apps should have to protect patients’ data. Stakeholders may wish to comment on the ramifications of this requirement, including the tight turnaround time for collecting and delivering this information to patients (24 hours).
• A new Provider Access API, to allow for more seamless payer-to-provider access to claims, clinical, encounter, and prior authorization data. CMS envisions that providers would be able to access data both on an individual basis and in bulk, such as when a group of new patients enrolls in a plan after an open enrollment period. Access to this API would be available broadly to providers who have a treatment relationship with the individual in question and cannot be limited to only providers in the plan’s contracted network. CMS references its Data at the Point of Care Pilot as an example of how this is already working today.
  • Intersection with HIPAA: CMS notes that access through this API would be for treatment purposes under HIPAA. But CMS is also proposing that a patient be offered the opportunity to opt-in to this data sharing; this would be inconsistent with HIPAA’s provisions that treatment, payment, and operations activities can be accomplished without patient authorization/opt-in.
• An update to the Payer-to-Payer Exchange requirement, including that such exchange occur via a standard API and include claims and encounter data as well as clinical data and prior authorization data.
• Quarterly public reporting on prior authorization data access metrics, with the goal of supporting ongoing assessment of how the prior authorization process is functioning in the market. CMS suggests that this reporting data could inform development of future quality measures or STAR ratings.

CMS’s vision is a framework within which all API requirements on plans are consistent, leveraging the FHIR standard and exchanging the same categories of data—now including prior authorization. This vision is supported by an additional proposal within the rule by ONC, on behalf of HHS, to propose its API standards and implementation specifications (45 CFR 170.215) as the default for “a nationwide health information technology infrastructure” ostensibly across multiple health care industry stakeholders, including payers, providers, and developers of certified health IT.

Additionally, the NPRM will require the use of certain technical implementation guides (IGs) and standards, as opposed to suggesting their use as optional. Stakeholders may wish to comment on the pros and cons of this approach, such as balancing the benefits of mandated consistency against the difficulty of modifying or updating regulations to keep pace with quickly changing technical standards. CMS proposes that plans would be able to use an updated version of any required IGs, so long as such use does not impact an API user’s ability to access the data.

The NPRM also includes several Requests for Information, including on the following topics:

• Enabling patients and providers to control sharing of health information: For example, whether patients should be able to direct the sharing of some but not all of their record, withholding particularly sensitive data classes such as Part 2 information. Notably, the CMS Final Rule’s provisions on the Patient Access API adopt an “all or nothing” approach, meaning that patients can only direct all of their data to a third-party application, or none at all—there is no requirement for plans to build in more granular data sharing, such as “medications only.” ONC, on the other hand, has long included a specific requirement that certified health IT support a “data category request.”
• Electronic exchange of behavioral health information: CMS seeks comments on how to encourage greater electronic exchange among behavioral health providers and other types of providers. Many types of behavioral health providers were ineligible for the original EHR Incentive Program (“meaningful use”) and so their adoption of health IT systems has lagged behind the rest of the industry. The Senate has passed legislation to address this gap; however, although the House passed a related but not identical measure, the two chambers never came together to negotiate a merged version of the bill and it has not been reintroduced in Congress since.
• Reducing provider burden and improving electronic exchange of prior authorization data: CMS seeks input on how the industry approaches electronic prior authorization today and whether it would be appropriate to create an Improvement Activity to address this under the Merit-Based Incentive Payment System (MIPS). CMS would like to know whether patients’ new impacted payers could consider information from previous payers to make new prior authorization determinations and is seeking comment on the extent to which impacted payers should be limited from requiring patients to undergo repeat evaluations for the purposes of reaffirming coverage or prior authorization decisions without first reviewing the medical records and notes of the previous payer. CMS is also asking for input about including prescription drug and/or covered outpatient drug prior authorization data in the API provisions.
• Reducing the use of fax machines: CMS asks for suggestions on how electronic data exchange could replace the fax machine. This is the latest in multiple calls from the agency to “axe the fax,” a goal which remains elusive for the health care industry.
• Accelerating adoption of standards for social determinants of health: CMS seeks to understand how “social risk data” can be standardized and more freely exchanged to better serve patients and address these issues. “Social risk data” includes indicators relating to risk factors such as lack of stable housing, transportation, food insecurity, and other social determinants of health.