CMS Recently Introduced New Interoperability Mandates for Health Plans That Must be Implemented by July 1, 2021
The CMS Interoperability and Patient Access Rule (“Interoperability Rule”) requires payors to permit third-party applications to retrieve certain health care data with the approval and at the direction of a current enrollee. 42 C.F.R. §§ 422.119(a), 431.60(a), 457.730(a); 45 C.F.R. § 156.221(a). The Interoperability Rule does not alter covered entities’ or business associates’ responsibilities to protect PHI under HIPAA. However, once a member selects a third-party application and authorizes that application to access their data, the covered entity and business associate are no longer liable for the privacy and security of the PHI or any electronic health information sent. 85 Fed. Reg. 25510, 25518 (May 1, 2020).
CMS has indicated that covered entities and business associates are free to offer advice to patients on the potential risks involved with requesting data transfers to an application or entity not covered by HIPAA, “but such efforts generally must stop at education and awareness or advice regarding concerns related to a specific app.” 85 Fed. Reg. 25510, 25518 (May 1, 2020). Further, if a member still wants their data to be shared despite an application’s privacy policy, or lack thereof, a payor would need to share the data via the application programming interface (API), absent an unacceptable security risk to the payor’s own system.
Therefore, the most payors can do is educate their members through the member resource document required by the new rule. Beneficiary and enrollee resources that provide consumer-friendly (non-technical, simple, and easy to understand), patient-facing privacy and security information must be made available through the appropriate mechanisms usually used to communicate with patients, such as on a website. Further, the Interoperability Rule requires that certain information be made available, such as factors to consider in selecting a health information management application, practical strategies to help members safeguard the privacy and security of their data, and how to submit complaints to the Office of Civil Rights (OCR) or the Federal Trade Commission (FTC).
For more information about the Interoperability Rule, please contact Eunice C. Majam-Simpson or Lisa J. Mayberry.