INSIGHT: Interoperability and Patient Access Rule Poses HIPAA Issues

Sept. 4, 2020, 8:00 AM

The Centers for Medicare & Medicaid Services’ interoperability and patient access rule became effective in final form on June 30, 2020. Under the rule, physicians and post-acute care providers will begin to receive information on hospital events for care coordination. Patients and their third-party app providers will receive detailed claims data and clinical information on their care to manage their health-care needs. Although Covid-19 has caused the compliance date to be pushed out, hospitals and health plans need to consider how the rule affects their HIPAA policies and procedures and their information systems into 2021 and beyond.

Hospitals Must Notify Other Providers of Patient ADT Events

As a condition of participation in the Medicare program, hospitals, including psychiatric and critical access hospitals, will need to send electronic event notifications upon a patient’s admission, discharge, or transfer from the hospital, an observation unit, or emergency department (ADT notifications) to the extent the law permits and the patient has not objected to the notification. Only hospitals using certified EHR with the technical capacity to send ADT notifications must send them, as those systems are certified to conform to the current HL7® ADT messaging standard.

Beginning May 2, 2021, hospitals must use “reasonable efforts” to collect the information required and send ADT notifications to post-acute care service providers and suppliers as well as to primary care and other practitioners with whom the patient has an established relationship. Hospitals must send patient name, treating practitioner, and the hospital name at first registration in the emergency department or observational unit, again if admitted to the hospital, and then on discharge or transfer from the hospital, ED, or observation unit. Patient diagnosis is not required but is strongly recommended if not prohibited by other applicable law. Hospitals may use intermediaries such as health information networks and exchanges to deliver the ADT notifications.

Health Plans Must Support Application Programming Interfaces (APIs) to Exchange Data With Patients

Beginning July 1, 2021, certain CMS-regulated payers will be required to support beneficiary access to and exchange of data via API technologies. API technologies allow the patient to access, through third-party software, certain clinical and payment information that CMS-regulated payers hold. Most patients will access their data from CMS-regulated payers through applications on common electronic devices such as their smartphone.

Those CMS-regulated payers are Medicare Advantage (MA) organizations, state Medicaid agencies and Medicaid managed care plans, Children’s Health Insurance Program (CHIP) agencies and CHIP managed care plans, and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs) offering more than stand-alone dental plans or QHPs in the facilitated Small Business Health Options Program. By Jan. 1, 2021, CMS-regulated payers (except for QHP issuers on the FFEs) must fully implement a provider directory that makes accessible standardized information on their provider network. At a minimum, these payers must make available provider names, addresses, phone numbers, and specialties.

By July 1, 2021, data from patient services provided on or after Jan. 1, 2016, must be available on the patient access API within one business day of the payer receiving the following data:

  1. adjudicated claims (including provider remittances and enrollee cost-sharing);
  2. encounters with capitated providers; and
  3. clinical data, including clinical laboratory results maintained by the payer.

By Jan. 1, 2022, MA organizations, Medicaid managed care plans, CHIP managed care plans, and QHP issuers on the FFEs must send certain patient information to another payer as directed and approved by the patient.

Update Notices of Privacy Practices and Enrollment Materials to Communicate These Changes to Patients and Health Plan Members

Hospitals and CMS-regulated payers must not only bear the cost of implementing APIs, but also routinely test and monitor those APIs to ensure ongoing privacy and security requirements are met. CMS is careful to note that data sharing under the interoperability and patient access rules must follow all existing federal, state, local and tribal privacy and security laws. Hospitals and CMS-regulated payers need to take stock of HIPAA and the other laws applicable to sharing information. To the extent that data is shared between covered entities for treatment, payment, or health-care operations purposes such as care coordination and quality improvement, many transfers can be made consistent with the HIPAA rules without the need for a HIPAA authorization.

However, other laws besides HIPAA relating to behavioral health, substance use disorder, or sensitive data regulated under state law may be implicated. The CMS interoperability and patient access rule does not modify those privacy rules. Rather, because of the interaction with state law and, in the case of psychiatric hospitals, the federal Part 2 rules governing substance use disorder records, hospitals will want to consider whether consent is necessary, collect current contact information on other practitioners involved in the patient’s care during the intake process, and clarify their data sharing practices in their notice of privacy practices.

Given the need for CMS-regulated payers to undertake complex data mapping for the prior five years and the fast-approaching enrollment periods, health plans also will need to get a head start. CMS-regulated payers must provide patients with information regarding selecting an application to access the API, safeguarding their privacy and security, and submitting complaints to the HHS Office for Civil Rights or the Federal Trade Commission. As a result, they will need to consider this communication in their enrollment materials and update their Notice of Privacy Practices for any material changes.

Here is a summary timeline of the new policies taking effect to account for the compliance date delays due to the Covid-19 pandemic:

  • ADT notifications—effective May 2, 2021
  • Patient access API—effective July 1, 2021
  • Provider directory API—effective July 1, 2021
  • Payer exchange networks—effective Jan. 1, 2022

Part 1 of this series covered implementation considerations for the HHS information blocking rule and a timeline of the compliance dates.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Amy Leopard is a partner in Bradley’s Healthcare Practice Group and co-chairs the firm’s Cybersecurity and Privacy team. She advises health-care providers, health IT companies, and service providers on legal strategies at the intersection of health law, policy and information technology. She is a fellow in HIMSS and certified information privacy professional (CIPP/US).

Elliot Bertasi is a member of Bradley’s Healthcare Practice Group, as well as the Cybersecurity and Privacy team. Elliot serves clients in the health-care industry on transactional, operational and regulatory matters, including mergers and acquisitions and privacy and data security compliance matters.

Jordan Stivers Luke is a member of Bradley’s Healthcare Practice Group, where she assists clients in the health-care industry with regulatory, operational, and transactional matters. She advises health-care providers on HIPAA and HITECH compliance, day-to-day privacy and security operational issues, and data breach response. She is a certified information privacy professional (CIPP/US).
