The 21st Century Cures Act and its Impact on Health IT

Some important healthcare legislation was passed early last week that you might have missed, but which has even more relevance given the significant care coordination challenges in dealing with the COVID-19 outbreak, testing, and quarantine requirements.

The Office of the National Coordinator for Health Information Technology (ONC) passed the Cures Act Final Rule, which is designed to provide patients and providers secure access to health information.

Meanwhile, the Centers for Medicare & Medicaid Services (CMS) passed the CMS Interoperability and Patient Access Final Rule, which is designed to provide patients with easier, more useful access to their health information.

We break down these two important rulings in greater detail below.

What is the 21st Century Cures Act?

The 21st Century Cures Act (“Cures Act”) was passed by Congress and signed into law in December 2016. The bill authorized $6.3 Billion in funding to be directed primarily to the National Institutes of Health (NIH) for a handful of different initiatives around population health.

The main areas of focus called out in the Cures Act include:

Small Business Health Reimbursement Arrangement (HRA)

The HRA is a means for small businesses to provide health benefits for their employees in a cost-efficient way.

FDA Drug Approval

This provision  was mainly driven by the current opioid crisis. It introduces changes designed to streamline drug development and approvals by the FDA, and includes changes for use of human subjects in medical studies.

Behavioral Health

The Cures Act  also enacted requirements for insurance providers to cover behavioral and mental health care.

Electronic Medical Record Information Blocking*

This prohibits “Gag Clauses” in EHR vendor contracts. EHR providers often include language in their contracts that effectively block physicians’ efforts to improve the usability and security of their systems and workflows.

This also requires that patients be provided better access to their medical records. Fines up to $1 Million per violation for non-compliance.

The Cures Act was passed amidst strong opposition from patient and consumer rights organizations (primarily due to the lax laws around FDA Approval process updates) while being supported primarily by pharmaceutical manufacturers (due to the same reasons). The House of Representatives passed the bill by a wide margin, while in the Senate it passed with only 5 opposing votes (Democrats Elizabeth Warren, Bernie Sanders, Ron Wyden, Jeff Merkley, and Republican Mike Lee).

After years of work, the Cures Act has resulted in two rulings: the ONC Cures Act Final Rule and the CMS Interoperability and Patient Access Final Rule. Both of these rulings aim to provide patients with greater access to care and implement new standards to enable greater access and coordination in patient care.

Office of the National Coordinator for Health Information Technology (ONC) 21st Century Cures Act Final Rule

Patients should be able to access their electronic medical record, at no cost, period. – Alex Azar, Secretary of Health and Human Services.

The ONC Final Ruling is primarily about patient electronic access to their health data. While this is the main goal, the ruling also supports provider needs on clinical data sharing, as well as addressing industry-wide information blocking practices that have often been stipulated by EHR providers.

Electronic patient access to medical records was already required under the new Meaningful Use guidelines from 2018; the shift in focus here is on providing it in a way that enables HealthIT developers to create the next-gen applications that will power healthcare as we move into the world of Value-Based Care and beyond.

Key Pillars of the ONC Ruling

Standards Based API

The ONC Final Rule sets the standard for all clinical data exchange to use HL7 FHIR Resource Version 4.0.1 (the version we use here at Myndshft). The existence of a mandated standard will significantly increase the ability for systems to connect with each other and increase the speed at which true innovation can occur around these standards. The FHIR standard was chosen because it is a built for the way the web works in 2020: JSON based data structures, standard HTTP Protocols, and robust authentication support (OAuth 2).

Whether this was envisioned from the beginning, clearly it became a priority to pick standards that will enable support for “Modern Smartphone Apps”. This was repeated many times by individuals around the completion and announcement of this ruling.

“This requires using modern computing standards and APIs that give patients access to their health information and gives them the ability to use the tools they want to shop for and coordinate their own care on their smartphones.” – Dr. Don Rucker, National Coordinator for Health IT

“Modern smartphone apps to provide them convenient access to their records” – HealthIT.gov ONC Cures Act Final Review Site

“Once the policies in this final rule are implemented, patients will be able to access key medical information from their doctor’s electronic health record using their smartphones.” – Matt Lira in the whitehouse.gov briefing on “Delivering the Future of Healthcare”

Access to EHI

The ruling states that patients should have access to their Electronic Health Information (EHI) when they want and in the format in which they want to consume it. Providers are required to give patients programmatic access to the EHI contained in their systems via HL7 FHIR APIs for patients to consume via web or smartphone applications.

Information Blocking

Today, information blocking and “gag clauses” are a regular practice that negatively impact patient care.

The ONC ruling eliminates information blocking and gag clauses, with some exceptions added after the proposed ruling was put up for public comment. This opens up care coordination and new ways for providers to share data with each other related to  episodes of patient care. It also enables providers to make better choices around which systems they will use to provide these services to patients; some large EHRs are  notorious for having customers sign gag clauses that eliminate their ability to speak publicly about their experience in using the companies products.

What does the ruling mean for Patients?

Patients are able to easily access their medical records

As patients increasingly demand to access and share their health data with trusted individuals (other providers, their family), they need an easy and secure way to achieve this goal. The ONC ruling enables a whole new set of modern software apps to be built around HL7 FHIR, enabling newfound access to patient clinical data.

Protecting Patient Privacy and Security

The rule will require a well-defined set of patient authorizations and approvals for access to medical record data, as well as clear intentions behind how the data is intended to be used. The standards also include the requirements for utilization of OAuth2, the same type of authentication used around the web for applications such as banking and travel.

Manage Costs and Shop Around

The ability to choose your provider has been a long standing healthcare issue in the US. Even today, some of the details around which provider is designated as in-network or out-of-network is fairly complex and confusing. This ruling increases the availability of data to help patients make better informed decisions about care quality and costs.

What does the ruling mean for Providers?

Patient Data Requests

Patients now have the ability to request  their data at any time in a fully automated manner. This eliminates the administrative work required to get patients access to their medical data; which is already required under law through the Meaningful Use changes in 2018.

Clinicians are now able to focus on providing care and not providing patients with access to their medical records.

Application Choice

Open APIs based on a single standard enable clinicians to select from a huge list of applications to help them provide patient care. Certified applications are going to be made available in a marketplace where clinical workers can select which apps to use, confident in the knowledge that they are both affordable and secure.

Information Blocking

Providers not only are required to supply access to patient data; they are also able to access data about their patients more easily due to the lack of information blocking. Moving from one provider to another is simpler and faster than ever.

What does the ruling mean for HealthIT Developers?

API Certification Requirements

Developers are now able to get their APIs certified by the ONC as compliant with the new standard, and have them included in the coming marketplace of apps. The ONC has also provided information about best practices, as well as additional requirements regarding the APIs being built. There are lots of details in the ONC FAQs on how to migrate from previous to new technical requirements.

Adoption of United States Core Data for Interoperability (USCDI)

The ONC ruling also adopts the U.S. Core Data for Interoperability Standard (USCDI) version 1. This is a baseline standard for interoperability and clinical data exchange. The standard includes things like clinical notes and other information that is important to patient care.

Opposition to the Ruling

The final rule was strongly opposed by EHR vendors, especially  Epic Systems and their CEO, Judy Faulkner. She publicly opposed the ruling during the Request for Comments period and sent letters to customers and hospitals asking them to do the same.

Her main stated concern was that the new ruling could result in unintended consequences such as patients inadvertently giving access to their clinical data to applications that may not be trustworthy.

She also asserted  that patients are not able to make educated choices around access to their medical data and how it is used. To make her point, she suggested that patients may be giving consent to their family’s medical data without their knowledge. For instance, a situation where a patient’s family history is part of their medical record.

“When patient data goes to an app from a health system, family members’ data will go over too. There is no way to get that out.” – Judy Faulkner, Epic Systems CEO

The more likely reason for the opposition, however, is Epic’s inability to continue the practice of gag clauses and information blocking. Epic is known for maintaining a closed ecosystem and not allowing access to patient data in their systems. 

This opposition did not  sway the ONC on their ruling and were called out fairly directly by Don Rucker (ONC Head).

“Our rule requires hospitals and doctors to provide software access points — endpoints, if you will — to their [EHR] databases so that patients can download these records to their smartphones. This download is entirely at the patient’s choice. It is done using modern security provisions and clear communications and choice about privacy.”

Main Consequences and Timelines

The timelines for the ONC ruling will be based on official filing dates. This process can be lengthy so it may take until 2022 for the compliance with ONC rulings to be required. There are quite a few toll gates along the way to ensure that providers are tracking progress toward the goal, as seen on the ONC Regulatory Dates Fact Sheet.

Providers have a lot of work to do as the rollout phase begins. This could mean everything from selecting new EHR vendors, adding new technology solutions, and validating regulatory compliance with all new standards.

These standards will also enable providers to easily integrate new applications into their workflow, since their EHR will support FHIR out of the box.

CMS Interoperability and Patient Access Final Rule

The CMS Interoperability and Patient Access Final Rule has less to do with patients and providers as it does with payers and their responsibility in the 21st century marketplace of healthcare. All CMS regulated payers are subject to the new rule timeline and it is expected that many commercial insurers will follow quickly. CMS regulated payers include Medicare, Medicaid, Children’s Health Insurance Program (CHIP,) Qualified Health Plans (QHPs), and Plans available on the Federal Exchange (“FFE”).

The CMS final rule has its own pillars that have some overlap with the ONC ruling.

Key Pillars of the CMS Ruling

Patient Access API

The CMS ruling requires that payers enable patients to access their data via an easy-to- use HL7 FHIR-compliant API. This API is different from what the ONC is requiring of providers, as it requires payers to enable patients access to their claims and encounter information (encounter information includes datetimes and provider details for an episode of care).

This includes the patient ability to electronically access cost information and a subset of their clinical information that has been provided to the payer about their claims and encounters. This must be completed by January 1, 2021. 

Provider Networks

The CMS ruling also requires provider directories be made available via an electronic interface on January 1, 2021. This is intended to provide details to providers and patients about their network status with the payer. This enables patients to select which plan makes sense for them, as well as avoid surprise billing by knowing what a provider’s network status is with their plan.

Clinicians  are also able to refer patients to the appropriate providers based on that patient’s care network. It is worthwhile to note that this is not mandated to be an HL7 FHIR API, but rather just data that is in a “machine-readable format.”

Payer-to-Payer Data Exchange

Starting in January of 2022, payers are required to enable API access of patient clinical data (specifically USCDI version 1 data) to other payers. This will ensure that a patient has the ability to change payers without fear of losing access to their entire medical record or all the details about their previous care.

Benefit Coordination

In April of 2022, all Medicaid and Medicare-related payers will be required to provide enrollment event information to CMS as a means to increase benefit coordination and reduce the number of claims sent to the wrong payer. 

Public Reporting on Information Blocking and Digital Contact Information

Data collected during 2019 that identified  hospitals and clinicians suspected of blocking information will be made publicly accessible in late 2020. Along with this data, information on  providers that have not provided a digital Direct Address or FHIR API endpoint will also be made public.

The intention is to help patients select providers that are more willing to share their clinical data when needed, and thus force providers to adopt the standards if they want to stay in business.

ADT Notification Updates

Later this year, hospitals will be required to send Admission, Discharge, and Transfer (ADT) messages to other providers involved in patient care. The goal is to provide improved care coordination across providers and enable other providers to reach out to patients post-discharge to ensure that their follow-up care is properly implemented.

Main Consequences and Timeline

Payers have a lot of work to do in a short amount of time. The deadlines set by CMS are tied to their ability to perform business and are not movable. CMS is providing some guidance on how to execute on this, but nothing compared to the ONC. There are no certification programs, checkpoints for implementation, or guidebooks on how to get there.

Payers are going to need help moving from current state systems to ones that support all this functionality.

Final Thoughts

The rulings from CMS and the ONC highlight deficiencies in our current healthcare system that are very timely for many Americans living in a state of fear around the current coronavirus pandemic. Seema Verma, the Administrator of CMS, poignantly said.

“At a time when the healthcare system could be under stress with the handling of the COVID virus, the urgent need for coordinated, integrated care could not be clearer. In a healthcare system characterized by the easy and seamless flow of information, one in which a patient’s own data follows them to the provider they choose, care for patients would be drastically improved. Think of the passengers on the cruise ship, many of whom are seniors – they may be unaware of the names of all of their prescriptions or the dosage amount – having simply taken what they needed for the journey. Under this system envisioned by these rules, they could have access to this critical information and share it with their caregivers.”

This quote accurately captures the vision we have at Myndshft as well, ensuring that patients are able to get the care they need, without additional burden, so their caregivers can be caregivers and not administrators.