Background - News & Events (Landing) 2016

Search NewsRoom

Advanced Search >

All Alerts & Newsletters

CMS Finalizes New Requirements on Health Plans to Release Health Data; Updates Medicare Conditions of Participation for Hospitals to Send Electronic Notifications

March 11, 2020

On March 9th, CMS finalized the long-awaited regulations on Interoperability and Patient Access (the “Patient Access Rule”) to require all CMS Payers to provide patients easy access to their claims and encounter information, as well as certain clinical information, through third-party applications of their choice.

This rule, released on the same day as the Office of the National Coordinator for Health Information Technology’s (ONC) final rule 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program (the “ONC Rule”), uses CMS’ authority to advance interoperability and patient access to electronic health information by imposing standards-based application programming interface (API) access and use requirements on CMS Payers.  The Patient Access Rule also finalizes important Conditions of Participation (CoPs) requiring the transmission of electronic Admission, Discharge, and Transfer (ADT) notifications by Medicare- and Medicaid-participating providers, including hospitals, psychiatric hospitals, and certain Critical Access Hospitals (CAHs).  Together, both the Patient Access Rule and the ONC Rule represent sweeping and transformative changes to the expectations imposed on providers and CMS Payers related to the access and transmission of patients’ electronic health information.

CMS finalized, with minor modification, the proposals that it sought public comment on last year.  Below is a summary of the key provisions of the final Patient Access Rule, noting modifications that you should be aware of as you update organizational policies and procedures in anticipation of compliance with these requirements in 2021 and beyond.  Please contact Jodi Daniel at or any member of our team to learn more about how your organization can prepare for compliance with the Patient Access Rule.

Final Patient Access Rule Requirements

Patient Access API

Beginning on January 1, 2021, Medicare Advantage plans, Medicaid and Children’s Health Insurance Program (CHIP) managed care plans, state agencies, and Qualified Health Plan (QHP) issuers on federally-facilitated exchanges (collectively, “CMS Payers”) are required to implement and maintain an API to support patient access to their health information (the “Patient Access API”).  The API must be compliant with the HL7 FHIR Release 4.0.1 standard and the health plans’ obligations under the HIPAA Privacy Rule.  The rule is intended to have CMS Payers use functionalities similar to CMS’s Blue Button 2.0 model that allows patients, their representatives, and any third-party apps designated by such patients and representatives (collectively, “Requestors”), to access claims and encounter information (including approved or denied adjudicated claims, encounters with capitated providers, provider remittances, enrollee cost-sharing), and all clinical data, including laboratory results and medication information (if maintained by the CMS Payer).  The final Patient Access API did not finalize the inclusion of provider directory information that is required for compliance with the standalone Provider Directory API standard (described below).

As in the proposed rule, the final Patient Access Rule requires that CMS Payers provide availability of such API access to Requestors no later than one business day after receiving such claims data from providers, including price-related information such as provider remittances and enrollee cost-sharing information.  As we stated in our analysis of the proposed rule, CMS Payers may find compliance with the one business day deadline difficult if they do not receive timely and complete data from their partners and other stakeholders.  CMS finalized this requirement despite receiving comments consistent with this concern. 

In recognition of the assertions by numerous stakeholders that they should be able to deny or discontinue any third-party application’s connection to their API for privacy reasons, CMS finalized its proposal that such denial or discontinuation of access is permissible “if the payer reasonably determines, consistent with its security analysis under 45 CFR part 164 subpart C, that allowing an application to connect or remain connected to the API would present an unacceptable level of risk to the security of protected health information on the payer’s systems and the payer makes this determination using objective, verifiable criteria that are applied fairly and consistently across all applications and developers.”  This is intended to prevent discrimination against competitors or certain types of third-party organizations by recipients of API requests.

There were also significant misgivings expressed regarding whether the Patient Access API provisions sufficiently protected CMS Payers from liability for improper secondary uses of data transmitted to third-party apps.  In response, CMS stated that covered entities and business associates’ can offer “education and awareness or advice regarding concerns related to a specific app”, and provided references to OCR’s FAQ limiting liability for data transfers received by a third-party that are no longer under the control of the covered entity or its business associate, and to the Federal Trade Commission’s enforcement authority over third-party apps.  The Patient Access Rule then finalized provisions regarding required beneficiary and enrollee resources, including “consumer-friendly, patient facing privacy and security information that must be made available” on CMS Payers’ websites.  The final Patient Access Rule emphasizes that policies or procedures for API access should not impose a wholesale ban on sharing data with third-party organizations. 

Provider Directory API

Starting on January 1, 2021, CMS Payers, as already the case for QHPs, will need to implement and maintain a standards-based API conformant with the API technical standards finalized in the ONC Rule (HL7 FHIR Release 4.0.1) to make provider directory information publicly available (the “Provider Directory API”). The Provider Directory API must include the CMS Payer’s network of contracted providers, including names, addresses, phone numbers, and specialties, updated no later than 30 calendar days after providers update their information with the plan.  Medicare Advantage organizations offering Part D plans must also offer the number, mix, and addresses of pharmacies in their networks.  It is expected that these APIs will primarily be used by third-party application developers.

Payer-to-Payer Data Exchange

As of January 1, 2022, CMS Payers must comply with patients’ requests to send their clinical data, inclusive of the elements defined in the United States Core Data for Interoperability (USCDI) version 1 data set, to other CMS Payers, to ensure that the new payer has patients’ complete records if they change plans. USCDI version 1 includes high-level clinical data including allergies, clinical notes, patient goals and health concerns, immunizations, laboratory tests and results, medications, procedures, and vital signs.  As expected, the USCDI standard aligns with the ONC Rule’s definition and exceptions for information blocking and the same API standard for exchanging patients’ electronic health information.

Dual Eligible Coordination

Starting on April 1, 2022, state agencies will be required to exchange Medicare and Medicaid dual enrollee data on a daily basis with CMS. Currently states are only required to exchange this data on a monthly basis.

Public Reporting of Information Blocking Practices and Noncompliance With Digital Contact Information Requirements

Beginning in late 2020, the Patient Access Rule enables CMS to publicly list clinicians, hospitals, and CAHs that are determined to be engaged in information blocking based on information disclosed by such clinicians and entities as part of the “Promoting Interoperability” reporting requirements imposed under CMS’s Quality Payment Program (QPP), and to publicly report such entities that do not list or update their digital contact information in the National Plan and Provider Enumeration System (NPPES).  Digital contact information is intended to include secure digital endpoints like a Direct Address or FHIR API endpoint where USCDI-compliant data would be received from or sent at a patient’s request. Public reporting related to the information blocking requirements will be included on the Medicare Physician Compare website, but CMS has not finalized where public reporting related to digital contact information will be placed.

Admission, Discharge, and Transfer (ADT) Notifications

Starting in September 2020 (6 months after the publication of the final rule), CMS’s Medicare CoPs for hospitals and CAHs will require that they send electronic patient ADT event notifications to other health care facilities or community providers (including primary care practitioners or practice group, or post-acute services providers). In contrast to the proposed rule, this requirement includes event notification requirements for any patient who accesses services in hospital emergency departments or any inpatient hospital services.  The ADT notifications must include, at a minimum, the patient’s name, the treating provider’s name, and sending institution’s name, sent electronically directly or through a health information exchange or health information network, to the patient’s primary care provider/practice, applicable post-acute care provider, or any other provider identified by the patient.  The Patient Access Rule does not include the proposed requirement that the notifications include diagnosis information, although hospitals may decide to include diagnosis or additional information beyond the minimum required.

Other Provisions Not Finalized

While the final Patient Access Rule was fairly consistent with the proposed rule from February 2019, CMS abandoned the following proposals based on public comments and feedback.

  • The Care Coordination through Trusted Exchange Networks proposal, which would have required CMS payers to participate in a health information network that met the Trusted Exchange Framework and Common Agreement (TEFCA) requirements, which are currently under development. Commenters expressed concern that because the TEFCA is still in draft form, this requirement should not be implemented until it has been vetted and finalized completely.  CMS agreed. 
  • The Advancing Interoperability in Innovative Models proposal, which did not reference any proposed regulatory changes. CMS originally sought public comment on promoting interoperability among model participants and other healthcare providers as part of the design and testing of innovative payment and service delivery models, in line with its plans to promote interoperability across the healthcare spectrum through model testing focused on using emerging standards, models leveraging non-traditional data and technology-enabled patient engagement platforms.  No additional information has been released from the CMS Innovation Center about these plans, and CMS did not propose any new regulations for comment in the Patient Access Rule.

Compliance Considerations For Stakeholders Implementing the Patient Access Rule

Eligible hospitals seeking to comply with the Promoting Interoperability requirements only have until the fall of 2020 to assess whether their patient health information sharing practices are in compliance with information blocking prohibitions.  CMS Payers have less than a year to prepare for the Patient Access and Provider Directory API requirements, which go into effect January 1, 2021.  These two short-term deadlines should be top of mind as CMS Payers and Medicare providers review their ADT and clinical data transfer capabilities, and prepare for the 2021 managed care bidding and contract negotiations with CMS and state Medicare/CHIP agencies.  Although CMS Payers have until January 1, 2022 to prepare for payer-to-payer exchange of USCDI data for shared patients, members, or beneficiaries, preparing for the one-day transmission deadline under the Patient Access Rule will require significant preparation and planning.   

Crowell & Moring’s Digital Health team is here to help your organization understand and respond to these proposals.

Special thanks to Lisa Bari, outside consultant and former Health IT and Interoperability Lead at CMS Innovation Center, for her contributions to this alert.

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

Jodi G. Daniel
Partner & CHS Managing Director – Washington, D.C.
Phone: +1.202.624.2908