CLIENT ALERT / INFORMATION BLOCKING / INTEROPERABILITY
February 20, 2026
Read time: 6 min
At a glance
During the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP) annual meeting on February 11 – 12, 2026, policy makers emphasized Trump administration priorities, including:
- Support for artificial intelligence (AI) solutions and other innovative technology.
- Sustained government attention to information blocking, including cross-agency participation from the Federal Trade Commission (FTC), US Department of Justice (DOJ), and HHS Office of Inspector General (OIG).
- Support for interoperability solutions leveraging Fast Healthcare Interoperability Resources (FHIR®) standards and the Trusted Exchange Framework and Common Agreement (TEFCA).
Upcoming regulatory developments
- ASTP encouraged annual meeting attendees to submit comments on the Health Data, Technology, and Interoperability: ASTP/ONC Deregulatory Actions to Unleash Prosperity (HTI-5) proposed rule. The comment period remains open until February 27, 2026. For more information about the HTI-5 proposed rule, see our client alert or visit McDermott Will & Schulte’s Information Blocking and Interoperability in Healthcare resources page.
- ASTP indicated HTI 6 is anticipated in summer 2026 and is expected to focus on facilitating interoperability with an emphasis on health applications. Tom Keane, assistant secretary for technology policy and national coordinator for health information technology, stated that stakeholders should include ideas for HTI 6 in their HTI 5 comments, even if those ideas may be viewed as “out of scope.”
- ASTP indicated that the Centers for Medicare & Medicaid Services (CMS) plans to launch a national provider directory in March 2026, combining current HHS directories into a single primary source. ASTP also indicated that the directory will be piloted with stakeholders for accuracy and that stakeholders may be able to review and test the information. The directory is expected to include new data fields, including whether providers participate in a CMS-aligned network.
- CMS seeks to modernize the US digital health ecosystem and is focused on providing Medicare beneficiaries with greater access to innovative technologies through its Health Tech Ecosystem initiative, a public-private collaboration between CMS and the healthcare industry. The initiative is organized by seven industry categories, including CMS-aligned networks, electronic health records (EHRs) and providers, payers, patient-facing apps, friends of the ecosystem, patients and/or caregivers, and states. Amy Gleason, acting administrator of US DOGE Service, noted that each category of the Health Tech Ecosystem is expected to announce its minimally viable product on July 4, 2026.
- Presenters indicated that the prescription drug prior authorization proposed rule is expected in March 2026 and is currently at the Office of Management and Budget.
Information blocking signals
- The annual meeting included a half-day information blocking bootcamp with speakers from the FTC Technology Enforcement Division, DOJ Antitrust Division, and the HHS OIG.
- ASTP indicated it is issuing notices of nonconformity to developers of certified health information technology (IT) under its health IT certification authorities.
- While OIG information blocking investigations are underway, ASTP and OIG regulators did not disclose timing for OIG enforcement actions.
- HHS, DOJ, and FTC presenters expressed concern about “dominant tech gatekeepers” using control over access to customers and their data to stifle up-and-coming competitors.
- Similarly, regulators expressed a policy goal of supporting the next generation of health IT innovators, particularly those “realizing the revolutionary potential of AI,” and not “big companies with large compliance teams,” said former HHS deputy secretary Jim O’Neill.
- Michael Lipinski of ASTP stated that the HTI 5 proposed rule’s changes to the “manner exception exhausted” condition of the infeasibility exception would better support “best-in-breed” solutions while not requiring bespoke interoperability elements.
- Lipinski also noted that, consistent with the HTI-5 proposed rule’s preamble guidance, ASTP proposes to remove the TEFCA manner exception because of feedback that the exception discourages TEFCA participation.
TEFCA: Growth, consent, and participation
- ASTP and HHS leadership repeatedly emphasized TEFCA’s growth in participation and exchange, and described TEFCA as a “trusted interoperability backbone.”
- HHS officials stressed the importance of participating in “two lanes,” i.e., both TEFCA and CMS-aligned networks.
- The Social Security Administration is expected to go live with TEFCA by early spring 2026.
- Presenters indicated that the Sequoia Project, the TEFCA recognized coordinating entity, is seeking feedback on its “Operationalizing Automated Consent” paper aimed at improving privacy and consent functionality across TEFCA. The paper is open for public comment.
Electronic prior authorization and real-time benefits
- Presenters highlighted the importance of real-time prescription benefit tools throughout the annual meeting.
- As noted, HHS will likely release the prescription drug prior authorization rule in March 2026. The rule is expected to promote automation that streamlines prior authorizations and reduces administrative burden for providers, with likely compliance implications for payers and technology vendors.
Data standards
- Presenters discussed expanding to USCDI v7 as a further increase to the dataset standard used for interoperability, while also noting stakeholder commentary about slow movement to USCDI v3.
- The discussion of v7 suggests that the administration may move aggressively to expand required data elements in response to complaints that earlier versions exclude data necessary for innovative technology solutions.
Practical next steps
- Directory readiness. Healthcare providers should consider whether their organizations should engage in provider directory testing and assign internal owners for directory data quality ahead of the March 2026 target. Accurate information on the directory could be particularly important as HHS explores changes to national provider identifier registration, which is currently done through the National Plan and Provider Enumeration System.
- Comment strategy. If submitting comments to the HTI 5 proposed rule, consider whether to include forward-looking concepts for the anticipated HTI 6 proposed rule, consistent with Assistant Secretary Keane’s suggestion.
- Information blocking risk mitigation. In light of the administration’s apparent commitment to information blocking enforcement and potential regulatory changes, certified EHR developers and other regulated actors should consider reassessing policies impacting access, exchange, and use of electronic health information; technical restrictions on access; and contracting/fee practices.
- TEFCA posture. TEFCA participants (or those evaluating participation) should consider whether their exchange roadmap aligns with the emphasized “two-lane” reality of TEFCA and CMS-aligned networks. Entities already participating in TEFCA should prepare for greater transparency, including with regard to the volume of exchange occurring across the network.
The McDermott difference
If you have questions about how ASTP’s regulations and policy priorities would affect your organization, or if you would like assistance preparing comments to submit to ASTP, please contact any of the authors of this client alert, your regular McDermott Will & Schulte lawyer, or your regular McDermott+ consultant.
ASTP Final Rule Codifies Requirements for TEFCA-Qualified Health Information Networks
CLIENT ALERT / INTEROPERABILITY
January 15, 2025
Read time: 13 min
On December 16, 2024, the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP) published the Health Data, Technology, and Interoperability: Trusted Exchange Framework and Common Agreement (TEFCA) final rule in the Federal Register as part of its continued focus on improving information sharing among healthcare stakeholders.
Rather than codifying comprehensive substantive and procedural requirements for entities participating in TEFCA, the final rule provides a flexible framework establishing how such decisions will be made in current and future subregulatory documents. It formalizes the relationship between ASTP and the Recognized Coordinating Entity (RCE), establishes baseline procedures and timelines for ASTP and RCE to follow in administering TEFCA, and creates a formal process for ASTP review of certain RCE decisions. This approach is notable in that entities interested in participating in TEFCA must look at sources outside the rule, such as the Common Agreement, to identify ASTP’s purported operational and technical requirements for participation.
ASTP’s approach to the regulation appears designed to achieve the agency’s broader goal of rolling out TEFCA in a staged, flexible, deliberate, and consensus-driven manner. This approach may help TEFCA minimize challenges that previous technology-focused regulations have faced as a result of the pronounced timing differences between the regulatory process and the pace of technology development. TEFCA’s success also depends on stakeholder buy-in and public trust. A regulatory framework that empowers the RCE to remain responsive and adaptive may enable the RCE to address public and stakeholder reservations in a collaborative and constructive way. In a post-Loper Bright era, this flexibility may prove to be a vulnerability if subject to challenge, however.
Background on TEFCA
TEFCA is a set of principles, terms, and technical requirements that aim to facilitate health information exchange by creating a nationwide network of participating health information networks (HINs) that meet all the requirements to exchange data according to TEFCA standards (TEFCA exchange).
TEFCA originated in the 21st Century Cures Act of 2016, which required ASTP to convene public-private and public-public partnerships to build consensus and develop or support a trusted exchange framework, including a common agreement, among HINs nationally. The Cures Act specified that its statutory framework must not be construed to “require” an HIN to adopt or participate in TEFCA (i.e., TEFCA participation must remain voluntary unless the statute is amended to state otherwise).
HINs designated by ASTP to participate in TEFCA exchange are called qualified HINs (QHINs). Entities that contract with a QHIN to access TEFCA exchange are known as participants. Participants can also connect others, known as subparticipants, to participate in TEFCA exchange. The network of participants and subparticipants connected to a QHIN comprise the QHIN’s designated network. To maintain and implement the standards for TEFCA exchange and to oversee the resulting TEFCA network, ASTP may delegate certain authority to one or more RCEs. Currently, the only RCE selected by ASTP is The Sequoia Project.
The standards for TEFCA exchange, requirements for participation, and governance protocols for the TEFCA network are currently set forth in a suite of documents, including the Trusted Exchange Framework and the Common Agreement. The Trusted Exchange Framework describes a common set of foundation principles and practices to facilitate data sharing. The Common Agreement establishes the infrastructure and governing approach for users in different HINs to securely share information with each other. The Common Agreement is a legal contract that is signed by a QHIN and the RCE.
Additional requirements are found in the Standard Operating Procedures (SOPs) and the QHIN Technical Framework (QTF). SOPs are issued by the RCE and provide detailed information or requirements related to the exchange activities under the Common Agreement. The SOPs address governance, privacy, and security requirements; RCE directory services; and QHIN application and designation. The QTF outlines the technical specifications and other technical requirements necessary for QHINs to exchange information.
These documents include the purposes for which information may be requested or sent via TEFCA exchange. There are currently six exchange purposes: treatment, payment, healthcare operations, public health, government benefits determinations, and individual access services (i.e., services permitting individuals to access and obtain their own health data). Currently, QHINs are required to support exchange for any of these purposes, but QHINs, participants, and sub-participants are only required to respond to requests made for treatment or individual access services purposes. ASTP has been clear that it intends to eventually require responses to requests made under any exchange purpose, however.
For more information on TEFCA and for a list of QHINs and candidate QHINs, see The Sequoia Project’s website.
TEFCA Regulations in the Final Rule
With only minor changes from the proposed rule, the final rule creates a new 45 CFR Part 172 with regulations codifying:
- Qualification requirements for QHIN designation
- The processes for QHIN onboarding and designation
- A QHIN attestation process
- QHIN termination and appeals rights
- ASTP’s authority to delegate responsibility to the RCE
The final regulations related to QHIN designation, onboarding, suspension, and termination closely reflect the requirements and processes contained in the Common Agreement and the RCE’s current SOPs. The final rule creates the appeals process for ASTP and RCE decisions and the QHIN attestation process. In the final rule, ASTP added language requiring the RCE to seek and receive ASTP prior authorization before making certain decisions, including QHIN designation decisions, setting and determining QHIN compliance with onboarding requirements, deeming a QHIN designation application withdrawn for failure to respond to requests for more information, and suspending or terminating a QHIN.
Subpart A: Purpose, Definitions, and RCE Authority
Subpart A of the final rule provides the statutory basis for the regulations (Section 3001(c)(9) of the Public Health Service Act) and states that the purpose of the regulations is to promote full network-to-network exchange of health information and to create a voluntary process for QHINs to attest to the adoption of TEFCA. It also defines key terms that mirror the definitions provided in current TEFCA documents. Finally, this subpart lists the responsibilities that ASTP may delegate to the RCE, including QHIN designation and onboarding, suspension, and implementing a QHIN’s self-termination or termination by mutual agreement between the QHIN and the ASTP or the RCE.
Subpart B: Qualifications for Designation as a QHIN
Subpart B contains the required qualifications for designation as a QHIN, which are separated into three categories:
- Ownership requirements
- Exchange requirements
- Designated network services requirements
The first category, ownership, includes requirements for a QHIN:
- To be a US entity
- To not be under foreign control
- To have no director, officers, executives, or owners of 5% or more of the HIN on the US Department of the Treasury’s Specially Designated Nationals and Blocked Persons List or the HHS Office of the Inspector General’s List of Excluded Individuals/Entities
Healthcare data is a critical piece of national infrastructure. According to ASTP, these ownership requirements are intended to protect health data from high-risk actors and ensure that those who control the health information exchanged via TEFCA are subject to US law.
The second category, the exchange requirements, set a floor of technical and operational capabilities that a QHIN must meet. To be designated as a QHIN, an entity must be capable of:
- Exchanging data between two or more unaffiliated parties
- Exchanging all required information (i.e., the electronic health information held by an entity responding to a request via TEFCA exchange that is relevant to a request for a required exchange purpose)
- Exchanging data for at least one exchange purpose
- Receiving and responding to transactions from other QHINs for all exchange purposes
- Initiating transactions for the exchange purposes that the entity will permit its participants and subparticipants to use through TEFCA exchange
The third category of requirements, for designated network services, are meant to ensure that the TEFCA exchange network infrastructure performs at a high level. A QHIN is required to maintain operational and legal authority to operate and govern its designated network. This includes establishing representative and participatory groups that approve network governance processes and participate in governance. QHINs must also maintain dispute resolution procedures and written policies on network oversight and control, security, privacy, data breach response, and change management. QHINs are required to maintain the technical capacity for high volumes of transactions commensurate with the level of TEFCA participants and to maintain secure network-to-network connectivity. Finally, QHINs are required to have adequate financial resources and personnel to support their functions, including maintaining minimum financial reserves or insurance-based cybersecurity coverage.
Subpart B details additional requirements for QHINs offering individual access services to enable patients to gather their own healthcare information, including a requirement to obtain express individual consent and standards for handling individually identifiable information maintained by the QHIN.
Subpart C: The QHIN Designation and Onboarding Process
Subpart C establishes QHIN onboarding and designation processes, including application submission, review, and withdrawal processes. Onboarding is the process of a prospective QHIN becoming operational in the production environment. Designation refers to the written determination that an Applicant QHIN has satisfied all regulatory requirements.
The final regulations include details about what information must be included in a QHIN application and timelines for review of applications. Once an application has been confirmed to be complete, ASTP or the RCE has 60 calendar days to complete its review of an application unless extended by written notice to the applicant. The final rule requires applicants to respond to requests for additional information from ASTP or the RCE and to notify ASTP or the RCE if, following submission of the application, any information in the application becomes untrue or materially changes.
Once approved by ASTP (or the RCE with ASTP’s prior authorization), an Applicant QHIN must submit the signed Common Agreement. The Applicant QHIN has 12 months to complete the onboarding process with ASTP or the RCE, which possess discretion to extend the onboarding period by up to 12 months. During the onboarding process, the Applicant QHIN must regularly check in with ASTP or the RCE to report progress, coordinate technical testing, and address any issues. Once the onboarding requirements are satisfied, the Common Agreement will be countersigned and the Applicant QHIN will receive notice that it has been provisionally designated as a QHIN. The QHIN is then required to submit proof within 30 days of successful completion of a data transaction with all other in-production QHINs according to TEFCA exchange standards and procedures.
If a QHIN submits satisfactory proof, its QHIN designation becomes final 60 days after submission. If unsuccessful, a QHIN must submit an explanation for why it was unable to complete the required transactions and a plan and timeline for addressing any issues. ASTP (or the RCE with ASTP’s prior authorization) would then review the plan within five business days. If a QHIN fails to submit its plan, or if ASTP (or the RCE with ASTP’s prior authorization) rejects the plan, the QHIN’s designation will be revoked.
The final rule permits an Applicant QHIN to withdraw its application any time before designation by providing written notice to ASTP or the RCE. If an application is withdrawn for a failure to respond to a request for information, or if it is rejected, an Applicant QHIN must wait six months before submitting a new application.
Subpart D: Suspension of QHINs, Participants, and Subparticipants
Subpart D includes the circumstances under which a QHIN, participant, or subparticipant may be suspended from participating in TEFCA exchange. Under the final rule, a QHIN may be suspended if the QHIN is responsible for a threat condition. A threat condition exists in the following circumstances:
- A material breach of a Framework Agreement that has not been cured within 15 days of receiving notice of the breach
- A TEFCA security incident
- An event that the ASTP, RCE, QHIN, participant, or subparticipant has reason to believe will disrupt TEFCA exchange
- Any event that could pose a risk to national security interests
ASTP (or the RCE with ASTP’s prior authorization) may also order a QHIN to suspend participants and subparticipants for doing or failing to do something that results in a threat condition. ASTP or the RCE is required to make a reasonable effort to notify the affected parties in advance of a suspension. The final rule also specifies conditions and requirements for a QHIN to suspend sharing data with another QHIN because of reasonable concerns about the privacy or security of the information exchanged.
Subpart E: Termination of a QHIN
The final rule permits a QHIN to voluntarily terminate its designation with 90 business days prior written notice. ASTP (or the RCE with ASTP’s prior authorization) may also immediately terminate a QHIN for a material breach of any applicable regulatory requirements and failure to remedy that breach within 30 days, unless extended by another 30 days by ASTP or the RCE, or for a material breach of the Common Agreement that cannot be remedied.
Subpart F: Review and Appeal of RCE or ASTP Decisions
This subpart establishes a process for review of ASTP’s or the RCE’s decisions, including appeals rights. ASTP retains the authority to review an RCE’s decision at its sole discretion. Applicant QHINs may appeal the denial of their applications, and QHINs can appeal a decision to suspend a QHIN, participant, or subparticipant or terminate a QHIN’s Common Agreement. If ASTP provided prior authorization for a decision, no ASTP personnel involved in the prior authorization may participate in the review of the decision.
A notice of appeal must be submitted electronically to ASTP within 15 days of receiving notice of the decision being appealed. The initial notice of appeal is only required to include the information necessary to apprise ASTP of the appeal. The appealing QHIN will then have 30 calendar days from submission to provide a more fulsome description of the facts supporting its appeal and any documentation it would like considered during the appeal.
ASTP may exercise first review of the RCE’s determination, but a QHIN or Applicant QHIN may seek subsequent review by a hearing officer appointed by the HHS Secretary. An appeal will not stay a decision to suspend or terminate unless ordered by a hearing officer. Review of the RCE’s determination is de novo, and the appealing QHIN or Applicant QHIN has the burden of supporting its appeal by a preponderance of the evidence. The hearing officer is required to issue a written determination of the appeal.
Subpart G: QHIN Attestation Process
Section 4003(b) of the Cures Act requires HHS to establish a process for HINs to attest to adoption of the Trusted Exchange Framework and the Common Agreement. This subpart details the process for QHINs to submit an attestation, ASTP’s review of the attestation, and requirements for the creation and maintenance of a directory of designated QHINs.
The McDermott Difference
If you have questions about how the final rule may affect your organization, please contact any of the authors of this On the Subject, your regular McDermott lawyer, or your McDermott+ consultant.
ASTP Proposes Certification Criteria for Patient, Payer and Provider APIs
CLIENT ALERT / INTEROPERABILITY
August 8, 2024
Read time: 7 min
On August 5, 2024, the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP) published the Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability (HTI-2) Proposed Rule in the Federal Register as part of its continued focus on improving information sharing among health care stakeholders through the Health IT Certification Program.
This On the Subject discusses the proposals related to payer, provider and patient application programming interfaces (APIs). For information on the proposed rule’s information blocking provisions, see our separate On the Subject. We will also release a publication summarizing the rule’s Trusted Exchange Framework and Common Agreement proposals.
The deadline for submitting comments to ASTP regarding the proposed rule is October 4, 2024, at 5:00 pm EDT.
Key Proposed Changes to the Certified API Requirements
- The proposed rule outlines a new set of certification criteria focused on facilitating the exchange of clinical and coverage information, drug formulary information and prior authorization information among patients, providers and payers.
- Health information technology (IT) certified to these criteria includes requirements for specific Implementation Guides (IGs) that were not previously outlined in related rulemaking by the Centers for Medicare & Medicaid Services (CMS).
Intersection With CMS Rulemaking
CMS previously issued two separate final rules that leverage APIs to improve interoperability and data exchange across certain payers, providers and patients. The 2020 CMS Interoperability and Patient Access Final Rule required impacted payers to implement and maintain a patient access API to facilitate patient access to claims, encounter, clinical and other data. That same rule required impacted payers to implement payer-to-payer data exchange, but CMS subsequently subjected that requirement to enforcement discretion. The rule also required payers to adopt a provider directory API. The 2024 CMS Interoperability and Prior Authorization Final Rule then expanded on the 2020 rule and required implementation of three additional APIs: a provider access API, a payer-to-payer API and a prior authorization API.
These CMS rules apply to a subset of payers, specifically Medicare Advantage organizations, Medicaid fee-for-service (FFS) programs, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) FFS programs, CHIP managed care entities and qualified health plan issuers on the federally facilitated exchanges. Although compliance dates vary based on payer type, impacted payers must generally implement the API provisions beginning on January 1, 2027.
While CMS required payers to comply with certain technical standards in the two final rules, the agency merely recommended compliance with relevant IGs that provide more specificity. CMS decided to provide more flexibility, initially, and to allow the IGs to be voluntarily updated as future improvements are made. However, CMS also reserved the right to make compliance with the more detailed IGs mandatory in future rulemaking.
More information on the CMS rules is available here, and the CMS-recommended IGs for each API type are detailed in the chart below.
API Certification Proposals
ASTP’s proposed rule outlines a set of health IT certification criteria for the patient, provider, payer and other APIs. ASTP notes in the proposed rule that although CMS only recommended use of certain IGs, ASTP would require certain IGs as part of its health IT certification criteria. While ASTP would require these IGs for health IT certification purposes, it cannot mandate that developers obtain certification for their API technology or that impacted payers covered under the CMS rules use certified technology. Certification is voluntary, but those seeking to be certified would need to comply with the HT1-2 proposals, if finalized, including the required IGs. It is also possible that CMS, in future rulemaking, could require impacted payers to use certified technology to meet the API requirements. The new API certification criteria would be included in the condition and maintenance of certification requirements.
The proposed rule outlines the proposed certification criteria for each API as follows:
- Patient Access API: The certification criteria specify requirements to enable patients to access health and administrative information using an application of their choice. The proposal would require certified health IT modules to enable patient access to payer drug formulary information and to patient clinical, coverage and claims information, including provider remittances and enrollee cost-sharing.
- Provider Access API: The proposed rule outlines “client” and “server” certification criteria to support provider access to payer information. This information would facilitate access to patient clinical, coverage and claims information, including information about patient encounters; dates of service; diagnoses; laboratory results; information from admit, discharge and transfer messages; information received from immunization registries; and information related to medications from pharmacy networks.
- Payer-to-Payer API: The proposed rule would support the electronic exchange of data when a patient switches insurance plans. The criteria would facilitate sharing of payer claims and encounter data (excluding provider remittances and patient cost-sharing information).
- Prior Authorization API: The proposed rule outlines certification criteria for payers and providers to conduct electronic prior authorization. Technology certified to these criteria would support the ability to request and populate prior authorization templates and to submit and respond to prior authorization requests.
- Provider Directory API: The proposed rule specifies requirements for health IT that payers can use to publish information regarding the providers that participate in their networks. Technology certified under these criteria would help patients understand which providers, facilities and pharmacies are covered by their current (or future) health plan.
Action Items and Next Steps
Impacted payers generally have until January 1, 2027, to adopt the previously finalized CMS API requirements. While not mandatory, the additional certification criteria included in the ASTP proposed rule provide more detail on how to implement and operationalize those requirements for certain health IT modules seeking certification. Based on prior experience, payers likely will have to invest significant time and effort in developing the technology, policies and practices required to meet CMS’s standards and to achieve certification under ASTP’s complementary criteria (including implementation of the IGs), if finalized. While other commercial payers are not covered under the CMS rules, they may also choose to implement these APIs and seek specific certifications to improve electronic data sharing.
The McDermott and M+ Difference
If you have questions about how the ASTP’s proposals would affect your organization if finalized, or if you would like assistance preparing comments to submit to ASTP, please contact any of the authors of this On the Subject or your regular M+ consultant or McDermott lawyer.
ONC’s HTI-1 Final Rule Adopts New Health IT Certification Requirements
CLIENT ALERT / INTEROPERABILITY
January 12, 2024
Read time: 14 min
On December 13, 2023, the US Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) issued the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) final rule to update ONC Health IT Certification Program requirements and amend the information blocking regulations that ONC issued under the 21st Century Cures Act (Cures Act). The HTI-1 final rule substantially finalizes policies ONC set forth in the HTI-1 proposed rule but does not finalize the controversial proposal on patient-requested restrictions for certain data uses and disclosures (sometimes referred to as data segmentation).
This On the Subject discusses the final rule’s updates to select standards, criteria and requirements of the Health IT Certification Program that apply to health IT developers of certified health IT (certified health IT developers), including:
- Adoption of the United States Core Data for Interoperability (USCDI) Version 3 to replace USCDI Version 1 as the baseline USCDI standard beginning January 1, 2026
- New requirements for the standardized application programming interface (API) for patient and population services certification criterion, including requirements for issuing refresh tokens and revoking access privileges
- Implementation of the Cures Act’s EHR Reporting Program provisions to require certain health IT developers to report on interoperability metrics through the new Insights Condition and Maintenance of Certification
- Requirements for new privacy functionality that enable an internet-based method for a patient to request a restriction on the use and disclosure of their electronic health information (EHI)
We will release a separate publication summarizing the algorithmic transparency framework and the revised decision support interventions certification criterion. We also separately published a summary of the final rule’s information blocking provisions, which includes a discussion of new and expanded exceptions to the information blocking prohibition. Note that the HTI-1 final rule includes other updates and additions to the Health IT Certification Program that are not discussed in this On the Subject.
Discontinuing Year-Themed Editions for ONC Certification Criteria for Health IT
One noteworthy structural change to the Health IT Certification Program finalized by HTI-1 is that ONC will no longer maintain an edition naming convention for its health IT certification criteria. Previously, ONC bundled updates to certification criteria into editions and required certified health IT developers to test and certify health IT modules to applicable certification criteria. ONC last released a new edition in 2020, when it updated the 2015 Edition certification criteria with the Cures Update.
Following the HTI-1 final rule, ONC may now update individual certification criterion through notice and comment rulemaking. As a “Condition of Certification,” certified health IT developers must commit to rolling out updated versions of health IT modules that meet ONC’s adopted changes to applicable certification criteria. Failure to do so would result in the certified health IT developer losing its certification for non-updated health IT modules.
Without editions, all certification criteria within the Health IT Certification Program are renamed to “ONC Certification Criteria for Health IT.” ONC believes that maintaining a single set of certification criteria will create more stability for healthcare providers and other users of health IT and Health IT Certification Program stakeholders, such as the Centers for Medicare and Medicaid Services, as well as make it easier for certified health IT developers to maintain product certification over time. Some certified health IT developers noted in their comment letters, however, that edition-less certification could increase the frequency of burdensome certification updates. Certified health IT developers and healthcare providers will need to stay up to date on future ONC rulemakings that update certification criteria and should consider participating in ONC-facilitated public forums to provide input on the development and implementation timeframes for such updates.
Key Revised Standards and Certification Criteria
USCDI Version 3 Updates
USCDI is the standard for data required to be accessible through certified health IT for numerous certification criteria. In the industry, USCDI is also considered the minimum data set required for interoperability. The data set is updated on an annual cycle with federal agency and industry input. In the HTI-1 final rule, ONC finalized, as proposed, USCDI Version 3 (USCDI v3) as the new baseline standard of data classes and constituent data elements for certified health IT but changed the effective date from January 1, 2025, to January 1, 2026. This change requires health IT modules certified to criteria that reference USCDI to update to USCDI v3 by the new deadline. (See the chart below for certification criteria that reference USCDI.) The USCDI v3 standard incorporates data elements on patient demographics (e.g., sexual orientation and gender identity) that were not included in prior USCDI versions and social determinants of health. Expanding the data elements and data classes included in the required version of USCDI increases the amount of data available to be used and exchanged for patient care. However, a significant number of the data elements included in USCDI v3 lack a vocabulary standard. Note that ONC has already published USCDI Version 4 and is now reviewing public comments on USCDI Version 5.
| Certification Criteria Referencing USCDI | |
|---|---|
| § 170.315(b)(1): Transitions of care | § 170.315(g)(6): Consolidated CDA creation performance |
| § 170.315(b)(2): Clinical information reconciliation and Incorporation | § 170.315(g)(9): Application access—all data request |
| § 170.315(b)(9): Care plan | § 170.315(g)(10): Standardized API for patient and population service |
| § 170.315(e)(1): View, download, and transmit to 3rd party | |
Standardized API for Patient and Population Services
The HTI-1 final rule also includes revisions to the standardized API for patient and population services certification criterion aimed at improving the security of patient APIs by requiring quicker expiration of the tokens issued to applications when a patient or provider enters a correct username and password. Specifically, certified health IT modules must ensure that:
- Their authorization server issues a refresh token according to a new implementation specification
- For health IT modules that allow short-lived access tokens to expire, such access tokens must be permitted to expire within one hour of the request (instead of immediate revocation)
Additionally, ONC finalized amendments to the API Condition and Maintenance of Certification requirements by specifying that certified health IT developers that have adopted a certified API must meet the publication requirements associated with service base URLs according to a specified format. This change is aimed at making it easier for patient-facing apps to access certified health IT developer APIs through more predictable service base URLs.
ONC also adopted the Substitutable Medical Apps, Reusable Technologies (SMART) App Launch Implementation Guide Release 2.0.0 (SMART v2 Guide), which replaces the SMART Application Launch Framework Implementation Guide Release 1.0.0 (SMART v1 Guide). ONC’s adoption of the SMART v2 Guide impacts the standardized API for patient and population services certification criterion. The SMART v2 Guide includes new features and technical revisions based on industry consensus, including features that reflect security best practices. Beginning January 1, 2026, the SMART v2 Guide will replace the SMART v1 Guide as the only version of the implementation guide available for use in the Certification Program.
Electronic Case Reporting
In the HTI-1 proposed rule, ONC proposed to replace the functional requirements of the existing electronic case reporting certification criterion with industry standards. ONC finalized revisions to the “transmission to public health agencies — electronic case reporting” criterion to require health IT modules to adopt consensus-based, industry-developed standards for electronic case reporting. Specifically, the revised certification criterion requires health IT modules to create a case report for electronic transmission, consume and process a case report response, and consume and process electronic case reporting trigger codes. Previously, the electronic case reporting criterion did not have a named standard associated with these functions. Under HTI-1, certified health IT developers will now need to implement certain HL7 electronic case reporting standards to obtain certification.
Patient-Requested Restrictions
ONC finalized a requirement for health IT modules certified to the “view, download, and transmit to 3rd party” certification criterion to support an internet-based method for a patient to request that a restriction be applied for electronic protected health information contained in the data elements in the required version of USCDI. Health IT modules certified to this criterion must comply by January 1, 2026.
Notably, in the HTI-1 proposed rule, ONC proposed a certification criterion that would have required support for the right of an individual to request restrictions on uses and disclosures of certain electronic protected health information. Many commenters raised concerns about implementation feasibility, patient safety and potential provider burden associated with ONC’s proposal. Based on the feedback received, ONC decided not to finalize the bulk of its proposals for patient-requested restrictions at this time. ONC’s certification criterion does not specify that a patient’s request for a restriction must be accommodated.
Requirement for Certified Health IT Developers to Update Certified Health IT
ONC finalized a requirement for certified developers with technology certified to any of the current certification criteria to update their previously certified health IT modules to meet revised certification criteria. Certified developers must also provide updated health IT to customers using their previously certified health IT according to the dates established for that criterion and any applicable standards.
Assurances Condition and Maintenance of Certification
ONC strengthened the Assurances Condition and Maintenance of Certification requirement to require certified health IT developers to provide an assurance that they will not interfere with a customer’s timely access to interoperable certified health IT. This Condition of Certification also includes two accompanying Maintenance of Certification requirements that require certified health IT developers to:
- Update a health IT module, once certified to a certification criterion, to all applicable revised certification criteria including the most recently adopted capabilities and standards in the revised certification criterion
- Provide all health IT modules certified to a revised certification criterion to their customers of such certified health IT, all within timeframes established and specified in the final rule, with a 12-month timeframe for new customers
Insights Condition and Maintenance of Certification
Section 4002 of the Cures Act required ONC to establish an electronic health record (EHR) reporting program to provide transparent reporting on certified health IT in certain categories, including interoperability, usability and user-centered design, security, and conformance to certification testing. The Cures Act directed ONC to develop reporting criteria for certified health IT developers to submit responses with respect to their certified health IT. The HTI-1 final rule partially implements this Cures Act requirement through the new Insights Condition and Maintenance of Certification (Insights Condition), which requires certified health IT developers to report on certain interoperability metrics with respect to their certified health IT. ONC opted not to use the Cures Act term “EHR reporting program” for this new certification requirement. ONC intends for the Insights Condition’s reporting requirements to:
- Provide transparency through reporting
- Address information gaps in the health IT marketplace
- Provide insights on the use of specific certified health IT functionalities
- Provide information about the use of certified functionalities by end users
Which Certified Health IT Developers Must Report on the New Measures?
The finalized Insights Condition requires a certified health IT developer to report on a measure if it has each of the following:
- At least 50 hospital sites or 500 individual clinician users across its certified health IT
- Any health IT certified to the certification criteria specified in each measure
- Any users using the certified health IT associated with the measure
Certified health IT developers that do not meet the qualifications above must submit a response (an attestation) to indicate that they do not meet the minimum reporting qualifications for a measure.
What Are the Reporting Measures and When Is Reporting Required?
The HTI-1 final rule adopts seven reporting measures across four topic areas related to interoperability: individuals’ access to EHI, public health information exchange, clinical care information exchange, and standards adoption and conformance. ONC will require implementation of the Insights Condition requirements in three phases over three years.
Insights Condition Reporting Measures and Metrics
| Topic Area | Measure | Related Certification Criteria | Metrics | Initial Data Collection Year / Reporting Deadline |
|---|---|---|---|---|
| Individual Access to EHI | Individuals’ Access to Electronic Health Information Through Certified Health IT |
Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10) View, download, and transmit to 3rd party – 45 C.F.R. § 170.315(e)(1) Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10) OR View, download, and transmit to 3rd party – 45 C.F.R. § 170.315(e)(1) |
|
Year 1 January to December 2026 / July 2027 |
| Clinical Care Information Exchange | Consolidated Clinical Document Architecture (C-CDA) Problems, Medications, and Allergies Reconciliation and Incorporation Through Certified Health IT | Clinical information reconciliation and incorporation – 45 C.F.R. § 170.315(b)(2) |
|
Year 2 January to December 2027 / July 2028 |
|
Year 3 January to December 2028 / July 2029 |
|||
| Standards Adoption & Conformance | Applications Supported Through Certified Health IT | Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10) |
|
Year 1 January to December 2026 / July 2027 |
| Standards Adoption & Conformance | Use of FHIR in Apps Through Certified Health IT | Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10) |
|
Year 1 January to December 2026 / July 2027 |
|
Year 2 January to December 2027 / July 2028 |
|||
| Standards Adoption & Conformance | Use of FHIR Bulk Data Access Through Certified Health IT | Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10) |
|
Year 2 January to December 2027 / July 2028 |
| Public Health Information Exchange | Immunization Administrations Electronically Submitted to Immunization Information Systems Through Certified Health IT | Transmission to immunization registries – 45 C.F.R. § 170.315(f)(1) |
|
Year 1 January to December 2026 / July 2027 |
|
Year 2 January to December 2027 / July 2028 |
|||
| Public Health Information Exchange | Immunization History and Forecasts Through Certified Health IT | Transmission to immunization registries – 45 C.F.R. § 170.315(f)(1) |
|
Year 2 January to December 2027 / July 2028 |
|
Year 3 January to December 2028 / July 2029 |
Certified health IT developers must also provide a percentage of their total customers (e.g., hospital sites and individual clinician users) represented in the data provided for each response. In addition, they must submit documentation on the data sources and the methodology used to generate the data. Responses and submitted documentation will be made publicly available via ONC’s website.
While the finalized reporting measures focus on interoperability, ONC indicated it intends to explore the other Cures Act reporting categories (e.g., security, usability and user-centered design, and conformance to certification testing) in future years. ONC published specification sheets with additional details about the metrics associated with each Insights Condition measure on its website (also linked in the table above).
If you have questions about how the final rule affects your organization, contact your regular McDermott lawyer or any of the authors of this On the Subject.
California’s new reproductive privacy laws AB 352 and AB 254 create complexities for health information sharing
CLIENT ALERT / INTEROPERABILITY
November 17,2023
Read time: 12 min
In the wake of the Supreme Court of the United States’s decision in Dobbs v. Jackson Women’s Health Organization and the adoption of laws outside California that criminalize most abortions as well as gender affirming care, California Governor Gavin Newsom recently signed Assembly Bill 352 (AB 352) and Assembly Bill 254 (AB 254) into law on September 27, 2023.
Through these new laws, California seeks to mitigate the risk of out-of-state prosecution of individuals seeking abortions or gender affirming care. These bills include significant changes to California privacy and health information interoperability laws that will impact health care providers, health plans, employers, electronic health record (EHR) developers and digital health companies handling medical information related to gender affirming care, abortion, abortion-related services, sexual health, fertility or contraception.
KEY TAKEAWAYS
- EHR developers and digital health companies storing or maintaining medical information for California health care providers, health plans, pharmaceutical companies, employers and certain contractors must develop new privacy, security and data segmentation functionality, policies and procedures by July 1, 2024.
- Health care providers must take steps to limit out-of-state medical information disclosures or cooperation with out-of-state inquiries or investigations consistent with AB 352, with enforcement for noncompliance beginning January 31, 2026.
- Digital health companies, employers and other businesses offering reproductive or sexual health digital services to individuals are subject to certain requirements in the California Confidentiality of Medical Information Act (CMIA) beginning January 1, 2024.
- The California laws are consistent with other states that have adopted special protections for reproductive health information. For example, Maryland enacted a law earlier this year that generally limits health information exchanges and electronic health networks from disclosing information related to abortion care other than for the adjudication of claims or to a specific treating provider with an appropriate written consent.
AB 352
AB 352 adopts privacy protections for information about gender affirming care, abortion, abortion-related services and contraceptives, and it attempts to prevent out-of-state prosecution against individuals who come to California for abortion or reproductive health-related medical services or gender affirming care.
New Health Information Technology Capabilities, Policies and Procedures
AB 352 amends the CMIA to require EHR developers, digital health companies and other businesses that electronically store or maintain California individuals’ medical information on the provision of sensitive services on behalf of health care providers, health plans, pharmaceutical companies, contractors or employers to develop capabilities, policies and procedures by July 1, 2024, to enable the following:
- Limitations on user access privileges to information systems that contain medical information related to gender affirming care, abortion, abortion-related services and contraception only to those persons who are authorized to access the medical information
- Prevention of the disclosure, access, transfer, transmission or processing of such information to any person or entity outside of California
- Segregation of medical information related to gender affirming care, abortion, abortion-related services and contraception from the rest of a patient’s medical record
- Ability to automatically disable access to segregated medical information related to gender affirming care, abortion, abortion-related services and contraception by individuals and entities in another state
The requirement to segregate a subset of medical information from the rest of a patient’s medical record creates both technical and compliance challenges for health IT developers, digital health companies and other businesses that electronically store medical information. While federal interoperability regulations emphasize the sharing of complete medical records, AB 352 would require the creation of certain data silos that could impact the completeness of an individual’s medical record when viewed by certain users or disclosed to health care providers in other states. AB 352’s data segmentation, access control and disclosure restriction requirements may necessitate complex software development. No algorithm or standardized computational methodology currently exists to automate the reliable classification of medical information related to the provision of sensitive services such as reproductive or gender affirming care. There is a potential for health IT developers to require end-user clinicians and staff to provide context to manually segment and restrict sensitive data elements within a health IT system, which could place a significant burden on these end users.
Notably, AB 352 applies these requirements to businesses that electronically store or maintain medical information on behalf of a wide range of health care industry organizations but not to the health care providers that deploy EHRs and otherwise electronically store or maintain medical information.
In connection with these requirements, California health care organizations should be prepared for potential workflow/functionality changes and fees from health IT developers as they develop new technical capabilities for compliance. AB 352 allows EHR and other health IT developers to charge cost-based fees for the new capabilities consistent with the fees exception to the federal information blocking regulations adopted by the Office of the National Coordinator for Health Information Technology. Interestingly, AB 352 limits the ability of all impacted health IT and digital health companies to charge fees for new capabilities necessitated by AB 352 consistent with federal information blocking regulations, even if a company is not a regulated actor under the information blocking regulations. For more information about the federal information blocking regulations, see our Special Report.
Out-of-State Data Disclosures, Inquiries or Investigations
AB 352 further amends the CMIA to prohibit health care providers, health care service plans, contractors and employers (each as defined by CMIA) from cooperating with any inquiry or investigation—or otherwise disclosing medical information—to anyone or any entity from another state that would identify an individual and is related to that individual seeking or obtaining an abortion or abortion-related services that are lawful under California law unless authorized under any of the following conditions:
- In accordance with a written authorization that is valid under CMIA and clearly states that medical information on abortion or abortion-related services may be disclosed, and only to the extent and for the purposes expressly stated in the authorization
- Under the CMIA’s preexisting billing and payment-related confidentiality exceptions to the extent necessary to allow responsibility for payment to be determined and payment to be made or to the extent that it is not further disclosed by the recipient in a way that would violate the CMIA
- Under the CMIA’s preexisting confidentiality exceptions for certain quality-related activities for the purpose of accreditation, in reviewing the competence or qualifications of health care professionals, or in reviewing health care services with respect to medical necessity, level of care, quality of care or justification of charges
- Under the CMIA’s preexisting confidentiality exception for bona fide research, provided that institutional review boards must consider the potential harm to the patient and the patient’s privacy when the research uses data that contains information related to abortion or abortion-related services and is performed out of California
This provision does not prohibit compliance with an investigatory request related to activity that is punishable as a crime in California and took place in California. The provision also does not impact disclosures of medical information to patients or their representatives, even while the requesting individual is out of state. Health care organizations will need to carefully consider how they respond to such patient access requests to ensure that disclosures to third parties, as directed by a patient, comply with AB 352’s authorization requirements.
Prior to January 31, 2026, health care providers will not be subject to liability for damages or to civil or enforcement actions for failure to meet the disclosure prohibitions if the provider is working diligently and in good faith to come into compliance. This provision gives providers time to determine the best path to compliance but notably excludes the other entities subject to the disclosure prohibitions, including health plans, pharmaceutical companies, contractors and employers.
Impact on Health Information Exchange
AB 352 prohibits health care providers, health care service plans, contractors and employers from “knowingly” disclosing or transmitting medical information in an EHR system or through a health information exchange (HIE) that would identify an individual seeking, obtaining, providing, supporting or aiding a lawful abortion to out-of-state individuals, unless authorized. Accordingly, health care providers will need to evaluate the types of medical information transmitted to other EHR systems and HIEs, determine where that information is going and determine how to withhold medical information that cannot be shared by law. This evaluation will be particularly important for health care organizations that participate in national or regional HIEs.
Impact on the California Data Exchange Framework
AB 352 amends the California Health and Safety Code section that authorizes the California Data Exchange Framework (DxF) to provide that its requirement for DxF participants to share health and social services information does not apply to the exchange of health information related to abortion and abortion-related services. Health care organizations and other entities that signed the DxF data sharing agreement are required to exchange data on or before January 31, 2024, so it is unclear how they will operationalize AB 352’s data-sharing restrictions while their health IT developers work to comply with the July 1, 2024, deadline for data segmentation and related privacy functionality. Any fees charged by EHR vendors to enable a regulated entity’s compliance with the DxF are required to be reasonable and consistent with the federal information blocking regulations.
On a related note, AB 352 directs the DxF stakeholder advisory group to consider whether standards for including EHR vendors in the DxF would be appropriate and, if determined to be appropriate, develop those standards. If the stakeholder advisory group develops standards for including EHR vendors in the DxF, AB 352 would require EHR vendors to sign the DxF data sharing agreement within 12 months of the completion of those standards.
For more information about the California DxF, see our On the Subject, “10 Things Providers Should Know About California’s Data Exchange Framework.”
AB 254
The CMIA imposes privacy requirements on certain health care providers, pharmaceutical companies, California health care service plans and other entities. It does not regulate all California businesses.
The CMIA prohibits regulated entities from disclosing “medical information” in their possession regarding a patient, enrollee or subscriber without the individual’s prior authorization unless an exception applies. The CMIA further requires those entities to create, maintain, store or destroy medical information in a manner that preserves its confidentiality. As discussed below, effective January 1, 2024, AB 254 revises the CMIA to regulate companies providing reproductive or sexual health digital services and data considered to be reproductive or sexual health application information.
Expansion of CMIA-Regulated Entities
AB 254 amends the CMIA to add a new class of regulated entities. Specifically, AB 254 requires “any business that offers a reproductive or sexual health digital service to a consumer” to comply with the CMIA requirements applicable to health care providers. A reproductive or sexual health digital service is a mobile-based application or internet website that collects reproductive or sexual health application information from a consumer, markets itself as facilitating reproductive or sexual health services to a consumer, and uses the information to facilitate reproductive or sexual health services to a consumer. This could include services individuals use to manage or track their menstrual, fertility, or pregnancy information, or other sexual health data. These services include mobile applications or websites that collect reproductive or sexual health application information from consumers. This expansion is significant for digital health companies and employers offering reproductive or sexual health digital services in California that might not have previously addressed the CMIA’s requirements in their privacy compliance programs.
As a result of this expanded scope, entities offering reproductive or sexual health digital services must comply with the CMIA’s:
- Prohibition on the disclosure of medical information, except as permitted by one of the CMIA’s disclosure exceptions or an individual’s authorization
- Requirement to not “intentionally share, sell, use for marketing, or otherwise use medical information for a purpose not necessary to provide health care services to the patient,” except to the extent expressly authorized by the individual
Consequently, AB 254 limits the ability of a reproductive or sexual health digital service to collect and sell the data collected from individuals. To the extent that a mobile application or website also collects other types of medical information, AB 254 will impose a burden upon them to bifurcate data (especially reproductive or sexual health information) from California individuals to comply with the CMIA.
Expansion of the Definition of Medical Information
The CMIA currently defines “medical information” to include individually identifiable information about an individual’s medical history, mental health application information, mental or physical condition or treatment. Effective January 1, 2024, AB 254 adds “reproductive or sexual health application information” to that definition. Reproductive or sexual health application information is information about a consumer’s reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive or type of sexual activity collected by a reproductive or sexual health digital service, including information from which one can infer someone’s pregnancy status, menstrual cycle, fertility, hormone levels, birth control use, sexual activity or gender identity. Consequently, health care providers and other CMIA-regulated entities must begin protecting reproductive and sexual health application information as they would other types of medical information protected by CMIA.
NEXT STEPS
- Health IT developers and digital health companies that serve organizations in California will need to begin evaluating their technical capabilities, policies and procedures to determine how they will comply with the data segmentation and other privacy requirements of AB 352. These entities should also carefully calculate any fees for new functionality or technical capabilities required under AB 352 for compliance with limitations in the federal information blocking regulations.
- Health care providers and health plans in California will need to map their data flows, especially those that result in out-of-state disclosures of medical information, and to take steps to “diligently and in good faith” comply with the disclosure prohibitions in AB 352.
- Health care providers, health plans, pharmaceutical companies, contractors and employers should reach out to their IT vendors to inquire about the vendors’ plans to comply with the requirements in AB 352 before the July 1, 2024, compliance deadline. Entities participating in the California DxF will need to evaluate how to meet their information-sharing commitments beginning on January 31, 2024, given the potential functionality gap to support the special handling of data related to reproductive health and gender affirming care.
- Digital health companies and employers that offer reproductive or sexual health digital services to individuals in California should evaluate their compliance with the CMIA’s requirements for health care providers, including certain limitations on the use and disclosure of medical information.
If your organization has questions about how AB 352 and AB 254 (or other similar state laws) impact your privacy or interoperability compliance plans, please contact one of the authors or your McDermott lawyer.
California DxF Policies and Procedures Released for Public Comment
CLIENT ALERT / INTEROPERABILITY
January 27, 2023
Read time: 11 min
On January 17, 2023, the California Health and Human Services Agency (CalHHS) released updated drafts of four policies and procedures (P&Ps) under the California Data Exchange Framework (DxF) to support the implementation of the Data Sharing Agreement (DSA) among DxF participants for public comment:
- California Information Blocking Prohibitions
- Technical Requirements for Exchange
- Real-Time Exchange
- Early Exchange
In light of the upcoming January 31, 2023, deadline for certain California health care organizations subject to the DxF to execute the DSA, and January 31, 2024, deadline to begin sharing health and social services information (HSSI), which is defined broadly n the DSA, affected health care organizations should consider whether to submit comments to the draft P&Ps and evaluate their compliance obligations if the P&Ps are finalized as proposed.
This On the Subject discusses key requirements and implications of the draft P&Ps and potential areas for comment. For more information on the DxF, please see our On the Subject concerning 10 things providers should know about the DxF.
CalHHS Requests Public Comments by February 14, 2023
CalHHS has requested comments regarding the four draft P&Ps and an amendment to the Privacy Standards and Security Safeguards P&P (that addresses the destruction of information about an individual that a participant receives in error) by February 14, 2023. Stakeholders are encouraged to suggest revisions and express any concerns related to the P&Ps. Additionally, CalHHS has developed a list of questions for public input related to the requirements and content of the P&Ps. For example, CalHHS asks whether participants that engage in the early exchange of HSSI before January 31, 2024 should be required to comply with the P&Ps (which do not take effect until January 31, 2024). The answer to this question and others posed by CalHHS will have material impacts on how organizations participate in and comply with the DxF. If you would like help developing comments on the draft P&Ps or responding to the questions posed by CalHHS, please contact Daniel Gottlieb or your regular McDermott contact.
California Information Blocking Prohibitions Borrow from Federal Guidelines, but Differ in Key Regards
Like prior drafts of the California Information Blocking Prohibitions P&P, the latest draft broadly prohibits participants from undertaking any practice that is likely to interfere with access, exchange or use of HSSI for the required purposes listed in CalHHS’s Permitted, Required and Prohibited Purposes P&P. The draft P&P incorporates by reference the information blocking exceptions under the final rule (ONC Final Rule) adopted by the US Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) under the information blocking provisions of the 21st Century Cures Act subject to certain differences discussed below. For more information about the ONC Final Rule, see our Special Report.
As of the prior Information Blocking Prohibitions P&P draft, CalHHS created two categories of participants:
- Participants that are already subject to the ONC Final Rule
- Participants that are not subject to the ONC Final Rule.
Participants That Are Subject to the ONC Final Rule
Under the Information Blocking Prohibitions P&P, a participant that is subject to the ONC Final Rule is deemed in compliance with the P&P if the participant meets an information blocking exception to the ONC Final Rule with respect to HSSI, except that the P&P specifically excludes its Fees and Licensing Exceptions.
As a result, participants may not rely on the Fees Exception to charge fees for the exchange or use of electronic health information (EHI), as defined in the ONC Final Rule, or other HSSI. In addition, it appears that CalHHS intends to prohibit participants from relying on the Licensing Exception to charge royalties or other fees for licenses to application programming interfaces (APIs) and other interoperability elements to exchange or use HSSI. In its list of questions for public input, CalHHS notes that the draft P&P does not permit participants to use the Licensing or Fees Exceptions to withhold HSSI requested for required purposes, and asks if there are any circumstances under which a participant should be able to charge fees to license technology needed for the exchange of HSSI that is required under the DSA or charge fees to another participant in connection with required HSSI exchange.
We expect this question to elicit a wide range of contradictory comments from stakeholders, including stakeholders that are not participants but may be contractually required by participants to comply with DxF requirements, such as electronic health record (EHR) vendors or interoperability software developers. If a participant does not execute an agreement with a qualified health information organization (QHIO), as defined in the DSA, and instead elects to execute an agreement with an EHR vendor, interoperability software developer or other entity that facilitates health information exchange to meet the participant’s obligations under the DxF, the DSA requires the participant to obtain reasonable assurances from the entity that the entity will enable the participant to comply with the minimum requirements for data exchange in the P&Ps.
EHR vendors typically charge license fees for APIs and other technology used to access and share HSSI and may object to the DxF’s fee restrictions. On the other hand, health plans, mobile health app developers, and other software and service companies that seek HSSI to provide data-enabled services to health care providers will likely support the fee restrictions to avoid obligations to pay revenue shares and other fees to access and use HSSI.
Participants That Are Not Subject to the ONC Final Rule
Participants that are not covered actors under the ONC Final Rule are deemed to be in compliance with the P&P if they meet one of the ONC Final Rule exceptions to the information blocking prohibition, other than the Fees and Licensing Exceptions, and subject to some minor definitional changes to the Preventing Harm Exception and a requirement that any denial of access under the Privacy Exception be consistent with applicable law and/or the Individual Access P&P.
Availability of the ONC Final Rule’s Content and Manner Exception
While the Information Blocking Prohibitions P&P does not allow either category of participant to rely on the Fees or Licensing Exceptions, the P&P does allow all participants to rely upon the ONC Final Rule’s Content and Manner Exception. The Content and Manner Exception requires covered actors that fulfill a request for EHI in a manner other than the manner requested by the party seeking EHI to ensure that their fees for fulfilling the request satisfy the Fees Exception and that any license of interoperability elements in relation to the request satisfies the Licensing Exception. This inconsistency may indicate that CalHHS will permit participants and requestors an opportunity to mutually agree on the terms and associated fees for access to HSSI in the manner sought by the requestor. Participants should consider seeking guidance from CalHHS to understand its intent with respect to the Content and Manner Exception either as part of a general comment or in response to CalHHS’s specific question discussed above.
Technical Requirements for Exchange P&P May Be Burdensome for Participants
CalHHS intends for its draft Technical Requirements for Exchange P&P to define recommended and required exchanges of HSSI among participants and the technical standards to be used in those exchanges.
Required Exchange
Under the draft P&P, participants must exchange data with other participants in the following scenarios using nationally and federally adopted standards:
- In response to a request for HSSI from a participant
- When HSSI is created and becomes available electronically in connection with an order or request for services and delivery of those services by a participant
- When a participant requests admit, discharge or transfer (ADT) event notifications from a participant that is a hospital.
In addition, participant hospitals must notify at least one QHIO of an ADT event using HL7 Version 2.5 ADT messages or a later, compatible version. Participants may be able to meet this requirement through their EHRs.
Person Matching
A participant must use a standardized set of attributes and identifiers to determine whether electronic HSSI is appropriately linked to the correct patient (Person Matching) when it sends HSSI to or requests HSSI from another participant. Participants must use the following data attributes when requesting HSSI or responding to such requests: name; date of birth; home and/or mailing address, including previous addresses if known; phone numbers; and email addresses. Data attributes for Person Matching must also follow the guidelines established by the United States Core Data for Interoperability (USCDI) Version 2.
A participant that makes electronic requests for electronic HSSI from a participant using a health information network or health information exchange framework with a nationwide scope, including California, must make the requests using the Integrating the Healthcare Enterprise (IHE) Cross-Community Patient Discovery (XCPD) exchange profile for Person Matching and the IHE CrossCommunity Access (XCA) exchange profile to retrieve HSSI.
Interoperability Technical Standards
The draft Technical Requirements for Exchange P&P requires or encourages participants to use specific interoperability standards to exchange HSSI. For example, the draft P&P encourages participants to support electronic requests and electronic responses to requests for electronic HSSI using HL7 FHIR Release 4 and the US Core implementation guide. As highlighted in a recent letter from the HIMSS EHR Association to CalHHS Secretary Mark Ghaly, the associated compliance costs, short timeframes to comply with technical standards, and addressing gaps in the standards could prove burdensome.
Real-Time Exchange P&P Timeliness Requirements May Be Unrealistic
The draft Real-Time Exchange P&P requires participants to send HSSI to other participants in a “timely manner.” CalHHS has explained that the meaning of the phrase “timely manner” varies based on the DxF transaction pattern and its associated clinical context. Generally, the draft P&P expects participants to respond to HSSI requests associated with diagnostic, health or social services without delay. Practically, it is unclear what timeframes CalHHS would consider timely for HSSI exchange. The draft P&P does not acknowledge that response times will vary depending on the size or complexity of an HSSI data set or the technical capabilities of a requestor.
Stakeholders should consider commenting on the variables that might affect the timeliness of data exchange and recommending to CalHHS that it may be more practical to apply the real-time exchange requirements to a more focused scope of data or subset of HSSI, such as the data classes and elements in USCDI Version 2.
Compliance With the Early Exchange P&P Would Be Difficult
The Early Exchange P&P is the fourth draft P&P released by CalHHS for public comment. It allows participants to choose to engage in early exchange under the DSA by executing the DSA, verifying that their exchange partners have also executed the DSA, and complying with all published P&Ps. Under the draft P&P, early exchange participants must comply with new or updated P&Ps within 10 days of their publication date, regardless of the effective date written in the P&P. The short timeframe that early exchange participants would have to comply with new or updated P&Ps could be challenging, especially for more technical P&Ps that require participants to alter transaction patterns or adopt different technical or data standards or technology for data exchange. Stakeholders might consider requesting CalHHS to allow early exchange participants more time and flexibility to comply with new or updated P&Ps, especially given the uncertainty around the timing for finalization of the P&Ps.
The Penalties for Failure to Execute the DSA Remain Unclear
Neither California Health & Safety Code § 130290, the authorizing statute for the DxF, nor existing CalHHS guidance specify a penalty or consequence if a “mandatory” signatory refuses or fails to sign the DSA. While some observers expected Governor Newsom’s proposed budget to address penalties for failure to execute the DSA, the proposed budget released on January 10, 2023, was silent on the DxF. Governor Newsom may include a penalty for failure to execute the DSA in the May 2023 revision to the proposed budget, which will come after the deadline to sign the DSA on January 31, 2023.
Action Items
As CalHHS continues to develop the DxF, hospitals and other health care organizations required to participate in the DxF should consider the following steps:
- Review the draft P&Ps and the list of questions from CalHHS to determine whether to submit comments directly or through their representatives.
- Raise concerns with CalHHS about how the DxF Information Blocking Prohibitions P&P may complicate their ability to rely on certain exceptions in the ONC Final Rule and create compliance challenges.
- Contact trade associations, such as the California Hospital Association and California Medical Association, to share their concerns about the DxF and coordinate coalitions for more effective engagement with CalHHS.
- Evaluate interoperability solutions and other tools available through EHR and digital health vendors and nationwide networks or frameworks to identify options for exchanging HSSI in compliance with the P&Ps.
- Attend public webinars on the DxF to stay informed on P&P updates and new P&Ps.
10 Things Providers Should Know About California’s Data Exchange Framework
CLIENT ALERT / INTEROPERABILITY
December 20, 2022
Read time: 9 min
By January 31, 2023, general acute care hospitals, clinical labs and certain physician organizations and medical groups in California are required to enter into the Single Data Sharing Agreement (DSA) to participate in the California Health and Human Services Agency (CalHHS) Data Exchange Framework (DxF).
California Health and Safety Code § 130290 (adopted as part of Assembly Bill 133 in July 2021) established the DxF and requires providers and other health care organizations participating in the DxF (Participants) to share Health and Social Services Information (HSSI). The DxF is intended to “accelerate and expand the exchange of health information among health care entities, government agencies, and social services programs” by January 31, 2024. The key requirements of the DxF are set forth in the DSA and policies and procedures (P&Ps) published by CalHHS. Providers should be aware of the following 10 issues when assessing how the DxF will impact their health information sharing activities and privacy and security practices.
1. Most Providers Are Required to Sign the DSA by January 1, 2023
The DSA is a legal agreement that sets forth a common set of terms, conditions and obligations to support secure, real-time access to, or exchange of, HSSI between and among Participants. The DSA incorporates by reference P&Ps that further detail Participants’ compliance responsibilities under the DxF.
On November 29, 2022, CalHHS launched a Signing Portal to allow health care providers, plans and other health care organizations to sign the DSA.
By January 31, 2023, the following health care provider types are required to sign the DSA:
- General acute care hospitals
- Physician organizations and medical groups
- Skilled nursing facilities
- Health care service plans and disability insurers that provide hospital, medical or surgical coverage
- Clinical laboratories
- Acute psychiatric hospitals.
By January 31, 2026, the following providers must sign the DSA:
- Physician practices with less than 25 physicians
- Rehabilitation hospitals
- Long-term acute care hospitals
- Acute psychiatric hospitals
- Critical access hospitals
- Rural general acute care hospitals with less than 100 acute care beds
- State-run acute psychiatric hospitals
- Nonprofit clinics with less than 10 providers.
2. The DxF Does Not Take Full Effect until January 31, 2024, and Additional P&Ps Have Yet to Be Published or Finalized
While most providers are required to sign the DSA by January 31, 2023, the DxF does not take full effect until January 31, 2024, allowing providers time to develop the necessary technical and compliance infrastructure to implement the DxF.
Furthermore, in anticipation of the January 31, 2023, deadline to sign the DSA, CalHHS is in the process of finalizing several additional P&Ps. As of December 15, 2022, there are at least five P&Ps still under construction:
- Information blocking
- Monitoring and auditing
- Required transaction patterns and technology requirements for exchange
- Real-time data exchange
- The qualified health information organization (QHIO) designation process.
CalHHS is currently accepting stakeholder comments on the information blocking and monitoring and auditing P&Ps and is considering the introduction of a P&P governing early exchange of data under the DxF.
3. The DxF Incorporates Federal Information Blocking Prohibition and Exceptions
The DSA contains a general prohibition against information blocking, stating that “Participants shall comply with any information-blocking provisions set forth in the [P&P].” The current publicly available draft of the information blocking P&P includes exceptions that mirror most of the information blocking exceptions included in the final rule (ONC Final Rule) adopted by the US Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) under the 21st Century Cures Act’s information blocking provisions, but excludes the ONC Final Rule’s Content and Manner Exception, Licensing Exception and Fees Exception. However, based on the DxF Data Sharing Agreement Policies & Procedures Subcommittee webinar on December 15, 2022, it appears the next draft of the P&P will include the ONC Final Rule’s Content and Manner and Licensing Exception but not the Fees Exception.
Specifically, CalHHS has suggested that Participants will not be able to use the Fees Exception in a manner that would result in withholding data requested for a required purpose outlined in P&P #4 (Permitted, Required and Prohibited Purposes). This may result in a situation where fees for data exchange permitted under the ONC Final Rule and HIPAA are effectively prohibited under the DxF—limiting Participants’ ability to cover their costs to share health data. Additionally, some stakeholders are advocating for the exclusion of the Licensing Exception in the final P&P. Since the ONC Final Rule’s Content and Manner Exception cross-references the Fees and Licensing Exceptions, it is not clear how CalHHS will modify the Content and Manner Exception to address their omission from the P&P.
Due to significant ongoing discussion, CalHHS has not finalized the information blocking P&P and is still accepting public comments. Stakeholders can submit comments to CalHHS to help shape the next draft of the information blocking P&P. California providers should consider advocating for CalHHS to align the DSA and P&Ps with the ONC Final Rule to avoid inconsistent, burdensome requirements. We expect CalHHS to publicly release a new draft on the DxF website soon.
4. The DSA Requires the Exchange of HSSI
The DSA requires providers to exchange HSSI, defined in the DSA as “any and all information received, stored, processed, generated, used, transferred, disclosed, made accessible, or shared pursuant to the DSA, including . . . : data elements as set forth in the P&P; information related to the provision of health care services, including . . . PHI; and information related to the provision of social services.” While the DSA does state that HSSI “may include” de-identified data, pseudonymized data, metadata, digital identities and schema, P&P #8 (Data Elements to Be Exchanged), which is intended “to define the [HSSI] to which access is to be provided or that is to be exchanged by Participants,” appears to take a narrower approach in line with current federal standards (and the DSA prioritizes P&P language when it conflicts with DSA language). For example, P&P #8 may effectively narrow the definition of HSSI and align it with the definition of electronic health information (EHI) under the ONC Final Rule.
5. The DxF Does Not Replace Existing or Future Agreements That Provide for a Broader Amount of Data Sharing
The DxF creates a data sharing floor for California providers, but providers remain free to create agreements among themselves that allow for more data sharing, in compliance with applicable state and federal law.
6. Providers Must Get Authorization from Patients to Disclose Certain Information in the DxF
Before disclosing a patient’s Protected Health Information (PHI) or personally identifiable information (PII) through the DxF, providers must obtain all required authorizations under state and/or federal law from the patient. Participants who disclose PHI and/or PII through the DxF expressly represent that all patient authorizations or other consents required under state and/or federal law have been obtained.
7. The DxF Requires Health Information Exchange Beyond HIPAA’s Permissive Data Sharing Rules
While HIPAA permits the exchange of health information for treatment, payment, health care operations and public health activity purposes, the DxF requires Participants to exchange and provide access to HSSI for those purposes. Participants can also exchange or provide access to data under the DxF for other non-specified purposes, including to facilitate the sale of data, as permitted by law and with the appropriate authorizations and legal agreements.
8. Participants Are Required to Exchange HSSI in Real Time through the Avenue of Their Choice
The DSA requires Participants to exchange HSSI in real time. However, CalHHS has yet to finalize what constitutes as real-time data exchange. In a recent webinar, CalHHS indicated that if a Participant receives a request for diagnostic, health or social services, the Participant must share HSSI associated with such request as soon as practicable and no more than 24 hours after the data is available or immediately upon receipt of the request in emergency or urgent care situations.
Participants may exchange HSSI either through: (1) a QHIO, which is a state-designated non-participant data exchange intermediary that facilitates HSSI exchanges and access between Participants; (2) another Participant’s technology; or (3) the Participant’s own technology.
9. Participants Can Seek Amendment of the DSA and Modifications to the P&Ps
While Participants cannot negotiate personalized changes to the DSA with CalHHS, under P&P #1 (Process for Amending the DSA), Participants and any other stakeholders can submit a written request for amendment to the DSA for all Participants. CalHHS will determine if the proposed amendment merits consideration, followed by a comment period and an objection period. A task force established by CalHHS, in consultation with local partners and a stakeholder advisory group, will determine whether to approve the request for amendment of the DSA.
In addition, under P&P #2 (Modifications to Policies and Procedures), any Participant or other stakeholder can submit a written request to amend, repeal or establish a new P&P. CalHHS will evaluate these requests similarly to requests to amend the DSA.
10. California’s DxF Is Separate and Distinct from the Federal Trusted Exchange Framework and Common Agreement
Before the California legislature established the DxF, Congress directed ONC to create the voluntary Trusted Exchange Framework and Common Agreement (TEFCA) to govern the exchange of EHI between health information networks across the United States. While DxF and TEFCA have similar expectations for health information interoperability, those who participate in both frameworks must comply with both data sharing agreements.
If your organization has questions about the DxF, including its potential impacts on your privacy, security or information blocking compliance plans, please reach out to your McDermott lawyer or one of the contacts listed below.
Information Blocking Considerations for Health Systems Offering EHR System Access to Community Physicians and Facilitating Health Information Exchange
CLIENT ALERT / INFORMATION BLOCKING / INTEROPERABILITY
October 9, 2020
Read time: 3 min
On September 17, 2020, the Office of Management and Budget received an Interim Final Rule for review from the Office of the National Coordinator for Health IT (ONC) entitled “Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency.” While the title suggests that health care providers and other regulated actors may have more time to come into compliance with ONC’s May 2020 information blocking final rule, details about potential delays remain scarce and health care providers would be well served to continue apace with compliance efforts, even if the original November 2, 2020 information blocking compliance date ultimately shifts.
This is particularly true for hospitals and health systems that might also function in the capacity of a health information technology (IT) developer of certified health IT (Certified Health IT Developer) or health information network or health information exchange (HIN/HIE), because Certified Health IT Developers and HIN/HIEs face potential civil monetary penalties (CMPs) from the HHS Office of Inspector General (OIG)—as opposed to the yet undefined “appropriate disincentives” health care providers face. OIG is currently engaged in its own rulemaking to finalize regulations implementing its information blocking CMP authorities. In its proposed rule, OIG stated that it would not enforce CMPs for violations of the information blocking regulations that occur after November 2, 2020, but before OIG finalizes the CMPs. It is not clear how, if at all, any change to the ONC’s information blocking compliance date would impact the timing of OIG’s final rule (which is not yet at OMB for review) and, ultimately, timing of enforcement actions. Given such uncertainty, continued effort to identify and address areas of potential non-compliance with ONC’s final rule is advisable, particularly for actors that face potential CMPs of up to $1M per violation. For more information on the OIG proposed rule, see our On the Subject.
To help health care providers that might also function as Certified Health IT Developers or HIN/HIEs identify potential areas of consideration and focus, we have developed the below resources. Please reach out to your McDermott lawyer or one of the contacts listed here to discuss your information blocking preparations.
Additional Resources
October 13 Webinar with The Chartis Group | APIs and Information Blocking: What Providers Need to Know
REGISTER
Analyzing Fee Restrictions for Health IT and EHI Under ONC’s Final Information Blocking Rule
CLIENT ALERT / INFORMATION BLOCKING / INTEROPERABILITY
March 20, 2020
Read time: 21 min
The Office of the National Coordinator for Health Information Technology recently released a final rule under the 21st Century Cures Act to promote interoperability of health IT and advance access, exchange or use of electronic health information (EHI). The final rule has significant implications for how health IT developers, health care providers and other stakeholders price access to application programming interfaces (APIs) and other technology used to access, exchange or use EHI. This On the Subject discusses the framework for determining whether license fees and other charges for use of such technology would comply with the final rule’s exceptions to the Cures Act’s information blocking prohibition and condition of certification for certified APIs.
On March 9, 2020, the Office of the National Coordinator for Health Information Technology (ONC) released its final rule under the 21st Century Cures Act to implement various policies to promote interoperability of health information technology (IT) and advance access, exchange or use of electronic health information (EHI) for continuity of care and other appropriate purposes. The final rule amends the certification requirements under the ONC Health IT Certification Program and identifies health IT pricing practices that do not fall under the Cures Act’s information blocking prohibition.
These final policies have significant implications for how certified health IT developers, health care providers, health information networks (HINs) and health information exchanges (HIEs) (collectively, actors) license and charge for technology to enable access, exchange or use of EHI with patients and other technology and service providers, health care providers and health plans.
Subject to limited exceptions, EHI covered by the information blocking prohibition includes electronic protected health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations (EPHI) to the extent that the EPHI is part of a patient’s electronic medical record or another designated record set under HIPAA, regardless of whether the records are used or maintained by or for a HIPAA covered entity. However, until the date 24 months after the publication of the final rule in the Federal Register, EHI is limited to the data elements represented in the US Core Data for Interoperability (USCDI) standard adopted under the health IT certification provisions of the final rule.
This On the Subject discusses the analytical framework for determining whether license fees and other charges for use of application programing interfaces (APIs) and other technology used to access, exchange or use EHI comply with the final rule’s information blocking exceptions and condition of certification for certified APIs. It also recommends practical next steps for implementing the final rule’s fee restrictions.
For more information about the final rule, including provisions that are not directly related to fees and other charges, see McDermott’s prior Special Report comprehensively covering the information blocking provisions of the final rule.
Does the information blocking prohibition restrict charges for health IT used to access, exchange and use EHI?
The final rule generally defines information blocking to mean a practice by an actor that is likely to interfere with, prevent or materially discourage access, exchange or use of EHI unless the practice is required by law or covered by an exception in the final rule. Because of this broad definition, any fees or other charges that an actor charges patients, health care providers, health plans, technology or service providers or other third parties for access, exchange or use of EHI or technology to enable such access, exchange or use, potentially implicate the information blocking prohibition. Consequently, those fees and charges, unless required by law, would need to fit within an information blocking exception to protect the actor from potential information blocking liability.
What information blocking exceptions protect licensee fees and other charges for use of health IT used to access, exchange and use EHI?
The final rule includes the following three exceptions for license fees and other charges for interoperability elements and other fees for use of technology that may interfere with EHI access, exchange or use. A fee or other charge that meets the definition of information blocking must satisfy at least one of these exceptions:
- Content and Manner Exception
- Fees Exception
- Licensing Exception
Content and Manner Exception
The Content and Manner Exception allows an actor and a party that requests EHI to negotiate mutually agreeable terms (including fees) for access, exchange and use of EHI. To be protected under the Content and Manner Exception, the actor must respond to a request for EHI with the subset of EHI identified by the USCDI data elements until the date 24 months after the publication of the final rule in the Federal Register. After that date, actors must respond with all EHI in a designated record set as discussed above.
In terms of the manner of response, an actor must fulfill a request for access, exchange or use of the required content in the manner requested, unless (1) the actor cannot technically fulfill the request, or (2) the actor and requestor are unable to reach mutually agreeable terms. If an actor fulfills a request in the manner requested, the limitations in the Fee Exception and Licensing Exception would not apply. Thus, the actor would have the opportunity to negotiate mutually agreeable fees and other terms with requestors.
If the actor does not fulfill a request in the requested manner, then the actor must fulfill the request in one of three alternative manners specified in the exception without unnecessary delay. When an actor fulfills a request in an alternative manner, the fees charged would have to meet the Fees Exception or the Licensing Exception.
Fees Exception
The Fees Exception allows an actor to charge fees, including those that result in a reasonable profit margin, for accessing, exchanging or using EHI, provided that the fee is:
- Based on objective and verifiable criteria, uniformly applied for similarly situated people/requests;
- Reasonably related to the actor’s costs;
- Reasonably allocated among all similarly situated people; and
- Based on costs not already recovered for the same instance of the service to a provider or third party.
In addition, the fee must not be based on:
- Competitive considerations;
- Sales, profit, revenue or other value that the requestor or other party may derive from the access, exchange or use of the EHI;
- Costs that an actor incurs because it designed or implemented health IT in non-standard ways (unless the requestor agreed to the fee associated with such implementation);
- Costs associated with intangible assets other than actual development and acquisition costs;
- Opportunity costs unrelated to the access, exchange or use of EHI; or
- Any costs leading to the creation of intellectual property if the actor charges a royalty for that intellectual property under the Licensing Exception and the royalty includes development costs of creating that intellectual property.
Additionally, an actor may not charge any of the following fees under the Fees Exception:
- Fees prohibited under the HIPAA Privacy Rule for individuals’ requests for access to their protected health information;
- Fees based in any way on the electronic access of an individual’s EHI by the individual, the individual’s personal representatives or others designated by the individual (The final rule defines “electronic access” as “an internet-based method that makes EHI available at the time the EHI is requested and where no manual effort is required to fulfill the request.” So whenever fulfilling individuals’ requests to send EHI to themselves or their personal representatives or others they designate, if the process requires manual effort, such as collating or assembling electronic health records from multiple systems, then the definition of electronic access would not be met and the actor could charge a fee and meet the Fees Exception.);
- Fees to export EHI to switch health IT or provide EHI to patients, if done through a capability certified to the final rule’s EHI export health IT certification criterion at 45 CFR § 170.315(b)(10) (Certified EHI Export Capability); and
- Fees to export or convert data from an EHR system, unless the parties agreed to the fee in writing at the time the EHR system was acquired.
In addition, this exception requires health IT developers that create certified API technology (certified API developers) to comply with the new condition of certification for certified APIs as a condition of meeting the Fees Exception.
Licensing Exception
Under the Licensing Exception, an actor’s terms (including those related to fees) for licensing an interoperability element for EHI to be accessed, exchanged or used is not prohibited information blocking when the practice meets all of the conditions discussed below. The final rule defines the term “interoperability element” to mean “hardware, software, integrated technologies or related licenses, technical information, privileges, rights, intellectual property, upgrades, or services that (1) may be necessary to access, exchange or use EHI and (2) are controlled by the actor. Such control includes the ability to confer all rights and authorizations necessary to use the element to enable the access, exchange or use of EHI.”
Upon receiving a request to license an interoperability element for the access, exchange or use of EHI, the actor must begin license negotiations with the requestor within 10 business days from receipt of the request and negotiate a license with the requestor, subject to the licensing conditions below (and other requirements of the Licensing Exception), within 30 business days from receipt of the request. The license for the interoperability element must meet the following conditions:
- Scope of Rights. The license must provide all rights necessary to: enable the access, exchange or use of EHI and to achieve the intended access, exchange or use of EHI via the interoperability element.
- Reasonable Royalty. If the actor charges a royalty for the use of the interoperability element, the royalty must be reasonable and comply with the following requirements:
- The royalty must be non-discriminatory, consistent with the non-discriminatory terms requirement below.
- The royalty must be based solely on the independent value of the actor’s technology to the licensee’s products, not on any strategic value stemming from the actor’s control over essential means of accessing, exchanging or using EHI.
- If the actor has licensed the interoperability element through a standards developing organization in accordance with its policies regarding the licensing of standards-essential technologies on terms consistent with the licensing exception, the actor may charge a royalty that is consistent with such policies.
- An actor may not charge a royalty for intellectual property if the actor recovered any development costs pursuant to the Fees Exception that led to the creation of the intellectual property.
In the final rule preamble, ONC notes that whether a royalty is reasonable for purposes of the Licensing Exception requirement depends on the particular facts and circumstances. ONC also identifies the following non-exclusive list of potential factors for evaluating reasonableness:
- The royalties received by the actor for the licensing of proprietary elements in other circumstances comparable to reasonable and non-discriminatory licensing circumstances.
- The rates paid by the licensee for the use of other comparable proprietary elements.
- The nature and scope of the license.
- The effect of the proprietary elements in promoting sales of other products of the licensee and the licensor, taking into account only the contribution of the elements themselves and not of the enhanced interoperability that they enable.
- The utility and advantages of the actor’s interoperability element over the existing technology, if any, that had been used to achieve a similar level of access, exchange or use of EHI.
- The elements’ contribution to the technical capabilities of the licensee’s products, taking into account only the value of the elements themselves and not the enhanced interoperability that they enable
- The portion of the profit or selling price that may be customary in the particular business or in comparable businesses to allow for the use of the proprietary elements or analogous elements that are also covered by reasonable and non-discriminatory terms commitments.
- The portion of the realizable profit that should be credited to the proprietary elements as distinguished from non-proprietary elements; the manufacturing process; business risks; significant features or improvements added by the licensee; or the strategic value resulting from the network effects, switching costs, or other effects of the adoption of the actor’s technology.
- The opinion testimony of qualified experts.
- The amount that a licensor and a licensee would have agreed upon (at the time the licensee began using the elements) if both were considering the reasonable and non-discriminatory terms obligation under the Licensing Exception and its purposes, and had been reasonably and voluntarily trying to reach an agreement.
- Non-Discriminatory Terms. The royalty and other terms on which the actor licenses and otherwise provides the interoperability element must be non-discriminatory and comply with the following requirements:
- The terms must be based on objective and verifiable criteria that are uniformly applied for all similarly situated classes of persons and requests.
- The terms must not be based in any part on:
- Whether the requestor or other person is a competitor or potential competitor, or will be using EHI obtained via the interoperability elements in a way that facilitates competition with the actor; or
- The revenue or other value the requestor may derive from access, exchange or use of EHI obtained via the interoperability elements.
Accordingly, the royalty or other compensation terms in the license agreement for the interoperability element may not be a revenue share based on the revenue that the licensee generates from EHI transferred through the interoperability element.
How does the condition of certification for APIs affect license fees and other charges?
ONC finalized a condition of certification for certified APIs that includes, among other requirements, restrictions on the pricing practices of certified API developers. The requirements directly applicable to the fee restrictions are as follows:
- Permitted Fees Generally. The condition of certification permits certified API developers to charge three categories of permitted fees and expressly allows the permitted fees to include a reasonable profit margin otherwise in accordance with the Fees Exception. All other fees related to certified API technology are prohibited. A certified API developer must ensure that:
- All permitted fees are based on objective and verifiable criteria that are uniformly applied to all similarly situated hospitals, physician practices and other organizations that deploy certified API technology (API information sources), and persons or entities that create or use software applications that interact with the certified API technology (API users).
- Permitted fees imposed on API information sources are reasonably related to the certified API developer’s costs to supply certified API technology to, and if applicable, support certified API technology for, API information sources.
- Permitted fees to supply and support certified API technology are reasonably allocated among all similarly situated API information sources.
- Fees are not based on whether API information sources or API users are competitors or potential competitors, or will use the API in a way that facilitates competition with the certified API developer.
- Three Categories of Permitted Fees. The condition of certification permits the following categories of fees for certified API technology:
- Permitted Fee: Development, Deployment and Upgrades. A certified API developer may charge fees to an API information source to recover the costs reasonably incurred by the certified API developer to develop, deploy and upgrade certified API technology.
- Permitted Fee: Recovering API Usage Costs. A certified API developer may charge fees to an API information source related to the use of certified API technology, provided that the fees are limited to the recovery of incremental costs reasonably incurred by the certified API developer when it hosts certified API technology for the health care provider or other API information source.
- Permitted Fee: Value-Added Services. A certified API developer may charge fees to an API user for value-added services related to certified API technology, as long as the services are not necessary to efficiently and effectively develop and deploy production-ready software that interacts with the certified API technology.
- Prohibited Fees. Consistent with the Fees Exception, the condition of certification prohibits a certified API developer from charging a fee for:
- Costs associated with intangible assets other than actual development or acquisition costs of such assets;
- Opportunity costs unrelated to the access, exchange or use of EHI; and
- Any costs that led to the creation of intellectual property if the actor charged a royalty for that intellectual property pursuant to the Licensing Exception and the royalty included the development costs for the creation of the intellectual property.
- Non-Discrimination. A certified API developer must meet the following non-discrimination requirements when setting fees and other terms with respect to certified API technology:
- Provide the certified API technology to an API information source on terms that are no less favorable than the certified API developer provides to itself and its own customers, suppliers, partners and other persons with whom it has a business relationship;
- Base the terms for the provision of certified API technology on objective and verifiable criteria that are uniformly applied to all substantially similar or similarly situated classes of persons and requests;
- Not offer different terms or services based on whether a competitive relationship exists or would be created; and
- Not offer different terms or services based on the revenue or other value that another party may receive from using the API technology.
- Description of API Fees. The certified API developer must describe all fees that it charges for the use of its certified API technology in detailed, plain language. The description must include all material information, including the persons or classes of persons to whom the fee applies; the circumstances in which the fee applies; and the amount of the fee, which for variable fees must include the specific variables and methodologies used to calculate the fee.
- Record-Keeping Requirements. A certified API developer must keep detailed records of any fees charged with respect to the certified API technology, the methodologies used to calculate the fees and the specific costs to which such fees are attributed. In the final rule preamble, the ONC states it expects that “the accounting practices already used by health IT developers will largely support the health IT developer to meet this requirement. Examples of these practices by health IT developers include the methods used to track their own investments, determine how to bill and issue invoices to their customers, document receipt of payment, and to maintain overall accurate financial records of business transactions.”
What is the analytical framework for determining whether charges for health IT comply with an information blocking exception under the final rule and, if applicable, the condition of certification for APIs?
If an entity desires to impose a fee or other charge for an interoperability element or EHI access, exchange or use, to the extent the information blocking prohibition applies, the entity must design the fee to meet an exception to the information blocking prohibition and any applicable conditions of certification for certified health IT, such as the restrictions on fees for certified APIs. Accordingly, the entity should consider the following questions:
- Covered Actor. Is the entity seeking to charge the license fees or other charges for use of APIs and other technology to access, exchange or use EHI an actor subject to the final rule (i.e., a health care provider, certified health IT developer, or an HIN or HIE)?
- EHI. Does the proposed fee or other charge relate to EHI, as opposed to HIPAA de-identified health information or other information outside the definition of EHI, such as (for the 24 months after the publication of the final rule in the Federal Register), information that is not included in the USCDI data set?
- Interoperability Element or Access, Exchange or Use. Is the proposed fee or other charge for (1) a license or other right to use an interoperability element or (2) providing access, exchange or use of EHI? For example, is the fee in exchange for a license for an API that enables access to EHI stored in an EHR system? Is the fee for a license to elements of EHR software or other health IT that only stores EHI rather than providing access, exchange or use of EHI? Alternatively, is the fee for participation in an HIN or HIE?
- Information Blocking Exception. Does the proposed fee or other charge meet the Content and Manner Exception, Fees Exception or Licensing Exception? The Content and Manner Exception provides the greatest flexibility for actors relative to pricing and terms and may, therefore, be the most advantageous exception for actors to consider first. Between the Licensing Exception and the Fees Exception, the Licensing Exception is typically more attractive if the applicable costs are low, so it may be advantageous to consider that exception before the Fees Exception.
- Additional Requirements for Certified API Technology. If the proposed fee or other charge relates to a certified API, does the proposed pricing practice meet the additional requirements of the condition of certification for APIs?
What are the key next steps for a certified health IT developer to ensure fees and other charges comply with the final rule’s information blocking prohibition and condition of certification for certified APIs?
A certified health IT developer should consider at least the following key steps to implement compliance.
- Step 1: Identify all executed and template contracts and other arrangements under which the developer provides technology that includes any capability or service that enables access, exchange or use of EHI to third parties rather than merely storing EHI.
- Step 2: Develop a business strategy and process for amending non-compliant arrangements with current customers and other counter-parties within the six-month period before the final rule’s compliance date for its information blocking provisions and for negotiating market terms with prospective counter-parties under the arrangements identified in Step 1 in accordance with the Content and Manner Exception.
- Step 3: Revise any template pricing terms that do not meet the restrictions of the Fees Exception or Licensing Exception in order to be prepared for the failure of negotiations of market terms in accordance with the Content and Manner Exception.
- Step 4: Develop a business process for responding to third-party requests to license an interoperability element, including its deadlines for beginning license negotiations and completing negotiations of a license agreement.
- Step 5: Ensure that any template license or other agreement with a new customer for an EHR system specifies any fees to export or convert data from the EHR system in order to avoid the prohibition on export and conversion fees that are not agreed to in writing at the time the EHR system is acquired.
- Step 6: Determine how to reasonably allocate certified API supply and support costs among similarly situated API information sources, including determining reasonably likely costs and forecasting the number of API information sources deploying the certified API.
- Step 7: Determine whether existing accounting practices maintain detailed records of fees charged with respect to the certified API and other technology, the methodologies used to calculate the fees and the specific costs to which such fees are attributed. If existing practices do not maintain detailed records of these items, establish a practical business process to attribute fees to costs and a record keeping system to track required information.
What are the key next steps for a health care provider (that is not a certified health IT developer) to ensure that its contracts and other arrangements comply with the fee restrictions in the final rule’s exceptions to the information blocking prohibition?
A hospital, physician practice or other health care provider actor should consider the following steps to implement compliance with the information blocking prohibition:
- Step 1: Identify all contracts and other arrangements under which the health care provider licenses or otherwise obtains an interoperability element or service from a certified health IT developer or other actor that enables access, exchange or use of EHI rather than merely storing EHI.
- Step 2: Evaluate the arrangements identified under Step 1 to determine whether any fees may fail to meet the limitations imposed under the applicable final rule exception, and if so, consider requesting modified pricing terms for non-compliant arrangements.
- Step 3: Develop a business strategy and process for responding to requests from physician practices and other health care provider requestors that have common patients with the health care provider receiving the request, for access, exchange or use of EHI maintained by the receiving health care provider. For example, a community physician practice may request that a hospital with common patients establish a custom interface to enable seamless access to EHI about common patients maintained by the hospital.
Summary Chart*
Our summary chart, available here, identifies all of the restrictions directly applicable to fees charged by an actor under the final rule. The first column of the chart identifies a restriction affecting fees. The second column indicates whether the fee restriction in the first column is an element of the Licensing Exception. The third column indicates whether the restriction in the first column is an element of the Fees Exception. The fourth column indicates whether the restriction applies to developers of certified APIs.
*For more information about elements of the exceptions that are not directly related to fees charged by an actor, please see McDermott’s prior Special Report comprehensively covering the information blocking provisions of the final rule.
Please do not hesitate to contact your regular McDermott lawyer or any one of the authors of this On the Subject if you have questions or need assistance with understanding the fee restrictions under the final rule.
For an in-depth discussion of the final rules and their impact on your organization, view the recordings of our March 2020 webinar series.
CMS Final Rule Aims to Advance Interoperability, Exchange of Clinical and Plan Information
CLIENT ALERT / INFORMATION BLOCKING / INTEROPERABILITY
March 16, 2020
Read time: 10 min
The Centers for Medicare & Medicaid Services (CMS) published its highly anticipated final rule aimed at enhancing interoperability and increasing patient access to health information. CMS’s final rule will require hospitals and payors to make significant investments in their health information technology to comply with the new requirements, effective six months following publication of the final rule in the Federal Register for hospitals, and January 1, 2021, for payors. In this On the Subject, we analyze the final rule requirements, which include a new requirement that CMS-regulated payors offer application programming interfaces, and a new Medicare condition of participation that requires hospitals with electronic health record systems to send electronic patient event notifications to communicate transitions of care.
On March 9, 2020, the US Department of Health and Human Services (HHS) Centers for Medicare & Medicaid Services (CMS) announced a final rule aimed at enhancing interoperability and increasing patient access to health information. The final rule requires CMS-regulated payors and agencies (Covered Plans and Agencies) to implement application programming interfaces (APIs) that allow patient information to be shared more readily between patients, healthcare providers, payors and third-party applications selected by patients. APIs could improve patients’ ability to gain access to their health information and share key medical history information with other providers and payors. Notably, however, HIPAA does not apply to many third-party applications that patients would use to access their data, raising stakeholder concerns about the privacy and security of information shared through APIs.
The final rule also requires hospitals that have adopted electronic health record systems to engage in electronic event reporting of patient admissions, discharges and transfers to patients’ primary care practitioners as a condition of participation (CoP) in the Medicare program. Hospitals and payors may need to make significant investments in health information technology (IT) to comply with the new requirements, which go into effect six months following publication of the final rule for hospitals, and on January 1, 2021, for payors.
This highly anticipated final rule has already garnered responses from key industry players, including America’s Health Insurance Plans, the nationwide association of health insurers, which stated that it shares HHS’s vision for expanded consumer data access but “remain[s] gravely concerned that patient privacy will still be at risk when health care information is transferred outside the protections of federal patient privacy laws.” The association cautioned that “any new rules must ensure we protect patient privacy, reduce health care costs, and get personalized information into the hands of patients.”
On the same day that CMS released the final rule, the HHS Office of the National Coordinator of Health IT (ONC) released a final rule implementing the information blocking provisions of the 21st Century Cures Act and updates to ONC’s health IT certification program. A separate On the Subject about the ONC final rule is forthcoming.
Read on for a summary of the key requirements and implications of the CMS final rule, and recommended next steps for payors and hospitals. For a review of our past coverage on these rules, please visit our Regulatory Sprint to Coordinated Care Resource Center.
Application Programming Interfaces
Under the final rule, Covered Plans and Agencies—which include Medicare Advantage (MA) plans, Medicaid state agencies, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) agencies, CHIP Managed Care entities, and issuers of qualified health plans in federally facilitated exchanges, except for stand-alone dental plans—must adopt and implement an “openly published” API that permits third-party software applications to retrieve, at the direction of the patient or health plan member, a significant amount of clinical and payment information. The API technology must meet health IT standards established by ONC. Covered Plans and Agencies must comply by January 1, 2021.
The Covered Plan or Agency must make the following information available through the API:
- Data concerning adjudicated claims and encounter data, including claims data for payment decisions that may be appealed, were appealed, or are in the process of appeal, and provider remittances and enrollee cost-sharing pertaining to such claims
- Clinical data, including laboratory results, if the Covered Plan or Agency manages such data.
The Covered Plans and Agencies must make this information available no later than one business day after a claim is adjudicated or the Covered Plan or Agency receives the data.
For MA plans, Medicaid and CHIP fee-for-service programs, Medicaid managed care plans and CHIP managed care entities, the API must also allow access to a provider directory of the payor’s network of contracted providers, including names, addresses, phone numbers and specialties, updated no later than 30 calendar days after the payor receives the information or an update.
For MA organizations that offer Part D plans, the API must allow the third-party application to retrieve:
- Standardized data concerning adjudicated claims for covered Part D drugs, including remittances and enrollee cost-sharing, no later than one business day after a claim is adjudicated
- Pharmacy directory data, including the number, mix and addresses of network pharmacies
- Formulary data that includes covered Part D drugs and any tiered formulary structure or utilization management procedure that pertains to those drugs.
While the open API initiative in the final rule specifically applies to Covered Plans and Agencies, CMS also expressed the hope that other stakeholders, such as state-operated exchanges and private payors, will adopt similar requirements for access to information and interoperability so that even more patients can broadly access their health information and better manage care.
Payor-to-Payor Data Exchange
In addition to proposing payor-to-patient exchanges through APIs, CMS also finalized its proposal to require MA plans, Medicaid managed care plans, CHIP managed care entities and qualified health plan issuers on the federally facilitated exchanges to forward patient information maintained within the ONC-identified US Core Data Set for Interoperability to other payors designated by the requesting patient for up to five years after the patient has disenrolled from the plan (with the approval and direction of the patient). CMS anticipates that payors will leverage the API they put in place to comply with patient access requirements to additionally provide other payors access to the same data. CMS allows payors to use other methods of data exchange to accomplish this requirement, however. Covered Plans and Agencies must comply with the payor-to-payor exchange requirement by January 1, 2022.
Notably, CMS elected to not finalize its proposal to require Covered Plans and Agencies to participate in trusted health information exchange networks. CMS noted that although some commenters showed support for the proposal, other commenters noted the need for a mature Trusted Exchange Framework and Common Agreement (TEFCA), a set of policies and procedures for interoperable exchange, to be put in place first. ONC published a second draft TEFCA on April 19, 2019, but has not yet finalized it.
Hospital Condition of Participation
CMS finalized its proposal to adopt a Medicare hospital CoP that requires hospitals, psychiatric hospitals and critical access hospitals (CAHs) that have electronic event notification capabilities to send electronic notifications upon a patient’s admission, discharge or transfer to or from the hospital’s emergency department or inpatient service department. The CoP becomes effective six months after the final rule’s publication in the Federal Register.
CMS modified the CoP slightly from the proposed rule. The final CoP does not require hospitals to include diagnosis information within the notification. Instead, the notification must include at a minimum the patient’s name, treating practitioner name and sending institution name. The CoP does not require hospitals to send notifications to all providers that have an “established care relationship” with the patient, but only to the patient’s established primary care practitioner or other practitioner or practice group identified by the patient as primarily responsible for the patient’s care.
CMS stated that electronic patient event notifications, or automated electronic communications from discharging providers to another facility, could improve care coordination and potentially reduce readmissions by making a receiving provider aware of the care the patient has received elsewhere. However, this CoP creates a new set of requirements on top of existing Promoting Interoperability measures that CMS adopted to incentivize the use of health IT to improve care. Hospitals must already spend significant resources to achieve the Promoting Interoperability measures, and the new CoP requirement will likely increase hospitals’ overall compliance burden with respect to health IT implementation.
Information Blocking and Public Reporting
The final rule discourages clinicians from engaging in the practice of information blocking by requiring the public display, via an indicator on the Physician Compare website, of physicians and other clinicians who fail to attest as part of the CMS Merit-based Incentive Payment System (MIPS) program that they:
- Did not knowingly and willfully take action to limit or restrict the compatibility or interoperability of certified health IT
- Implemented technologies and practices to ensure that their certified health IT is connected and compliant with applicable law
- Responded in good faith and in a timely manner to requests to retrieve or exchange electronic health information.
Clinicians who fail to attest “yes” to the above statements would receive a potential reduction of Medicare reimbursement under MIPS, in addition to the negative indicator on the CMS Physician Compare website, which is available to patients who are seeking to compare Medicare-participating physicians and other clinicians.
CMS also requires eligible hospitals and CAHs to make “yes/no” attestations concerning their use of certified health IT in order to participate in the CMS Promoting Interoperability program. A hospital or CAH’s failure to attest “yes” will result in a negative indicator on a future CMS website that will display hospitals’ attestations under the Medicare Promoting Interoperability program.
CMS included these reporting requirements in the final rule to discourage hospitals and clinicians from engaging in information blocking. CMS expects to post the information for both clinicians and hospitals in late 2020.
Recommended Next Steps
The final rule will have a significant impact on Covered Plans and Agencies and hospitals. These entities should consider taking several practical steps in response to the final rule.
Recommendations for Covered Plans and Agencies
Covered Plans and Agencies should consider the following next steps in response to the final rule:
- Assess the technological capabilities of IT systems and quickly make any necessary adjustments to offer an API that is consistent with ONC standards
- Develop user guides or other resources that explain how a plan member or patient may obtain data through the API and protect their privacy by only selecting reputable third-party applications
- Work with other Covered Plans and Agencies to develop technical mechanisms and policy frameworks for connecting and sharing data in accordance with the payor-to-payor exchange requirement, which becomes effective in 2022.
Recommendations for Hospitals and CAHs
Given the aggressive timelines in the final rule, hospitals will soon need to assess the capabilities of existing IT systems and their readiness to send electronic notifications as required by the new CoP. Even with necessary systems in place, hospitals should review their intake and discharge workflows to ensure that they are consistently identifying the practitioner primarily responsible for patients admitted to the emergency and inpatient departments. To the extent that hospitals are not consistently capturing this information, they should consider revising their policies, procedures and training to emphasize the importance of obtaining the information, and should set up event notifications to the identified individual or group practice.
If you would like assistance in complying with any of the new requirements, please contact one of the authors or your regular McDermott lawyer.
Our experienced team, which includes several attorneys who previously worked at the US Department of Health & Human Services (HHS), has advised many clients on the potential impact of the HHS proposed rules on their businesses and has analyzed the final rules. We will host a series of webinars to discuss the final rules. Details are below and you may register by clicking here.
- March 23, 2020: ONC Final Information Blocking Rule
- March 26, 2020: CMS Interoperability Rule
- March 31, 2020: Navigating the New ONC Requirements for APIs