The Interoperability Mandate

On March 6, 2020, CMS finalized the Interoperability and Patient Access rule, building upon existing legislation to push for greater data exchange across the health care system. The regulation requires payers participating CHIP, Medicaid, and Medicare as well as plans on federal exchanges to make personal clinical and claims data accessible to members upon request. Affected payers must facilitate this data exchange by building application programming interfaces (APIs), or data infrastructures that allow third parties to connect to payers’ internal databases. Once health plans have implemented their APIs, third-party apps can request and retrieve health information on behalf of members.

Payers are required to build two separate APIs: a Patient Access API to house their personalized patient data, and a Provider Directory API to maintain an up-to-date list of in-network providers. While this rule doesn't require payers to build an API for the exchange of data from payer to payer, CMS included this requirement in their proposed Interoperability and Prior Authorization Rule, which has been temporarily withdrawn after being finalized earlier this year. While the compliance deadline for the Patient Access and Provider Directory APIs is July 1, 2021, the deadline for payers enabling payer-to-payer data exchange is July 1, 2022.

In addition to mandating that health plans build APIs, CMS published Fast Healthcare Interoperability Resources (FHIR), a set of standards that health data housed in APIs must meet. These guidelines offer a standardized format for health information so payers can integrate disparate data systems and create a single, longitudinal record for every member.

The concept of an interoperable health care system refers to the seamless, real-time data exchange of and digital access to historical health data across payers, providers, and patients. The health care industry has been on the path to achieving interoperability for over a decade, and CMS' new mandate is the latest jump toward this goal. While the rule targets payers specifically, its implications span the entire industry. The mandate will impact how consumers interact with their health information and give technology vendors and third-party apps the opportunity to establish themselves as prominent players in the health care ecosystem.

While the interoperability mandate can improve data exchange significantly, payers will need to devote significant resources to complying with the new rules. Payers must ensure a patient’s EHR, claims data, and formulary information translate into FHIR-compliant APIs to create a single, patient-centric record. To overcome the technological challenges to cleaning and mapping these data, payers can partner with vendors to build the required APIs. In addition to helping payers prepare for baseline compliance, vendors can overhaul payers' data infrastructures to enable other automated functions that reduce administrative burden.

Third-party apps that connect to APIs will gain the ability to repackage health data and market it directly to the consumer. In doing so, these apps can gain a foothold to grow in the health industry. Depending on how apps engage consumers, they have the potential to significantly disrupt the current methods consumers use to access their health data. While third-party apps will gain access to health information through APIs, their privacy and security protocols are still major concerns for payers. To address these concerns, payers are required to educate their members on how they can access their health information and publish guidance on how to choose apps with robust privacy protocols.

Payers impacted by the rules are those regulated by CMS, including Medicare Advantage organizations, Medicaid and CHIP FFS and managed care organizations, and issuers of individual Qualified Health Plans (QHPs) on Federally Facilitated Exchanges. These payers must abide by HL7 FHIR standards when building their APIs. HL7 FHIR is a technological standard for how health information can be exchanged among different computer systems. To see a summary of the data available over each API, refer to the table below.

The Patient Access API must allow patients to access their data from January 1, 2016. Consumers can download a third-party app to their smart device and give apps permission to retrieve their health data from their payer. Once data is accessed by third-party apps, it no longer falls under HIPAA guidelines, and apps must follow Federal Trade Commission guidelines for health information. Payers cannot deny apps access to their APIs unless the app threatens the privacy of the payer’s internal systems. However, payers can proactively inform their members about apps that pose privacy risks when handling their health data.

As required by the Provider Directory API provision, health plans must also make in-network provider directory information available within 30 days of the receipt of new data. The Payer-to-Payer Data Exchange rule covers the exchange of patient data between payers when a member leaves one plan and joins another. While this interoperability rule requires this data exchange, the proposed Prior Authorization rule mandates that it must be done via a FHIR-based API.

These conversations may help you meet compliance deadlines and identify opportunities to integrate interoperability into your larger business strategy.

Advisory Board resources

OUR TAKE: Harnessing Interoperability for Strategic Benefit
Read now

WEBINAR: Digital Health Spotlight Series: Changing the Interoperability Landscape
Read now

WEBINAR: Your guide to HHS’ final interoperability rules
Read now

External resources

DATA STANDARDS: The CARIN Trust Framework and Code of Conduct
Read now

BLOG POST: How health plans can mitigate bumps along the road to implementing CMS’ interoperability rules
Read now