In 2021, health plans providing Medicaid, Medicare, CHIP and coverage under the Federal Exchange must expand the sharing of individual PHI data beyond written communication to provide electronic claims and clinical data to members’ phones, mobile devices and web applications. The final CMS “Interoperability and Patient Access” rule released on March 9th is the first nationwide interoperability requirement for health plans and states administering coverage under government programs to generate individual and plan data in this manner. Enforcement of this regulation has been pushed back six months, to July 1st, but the compliance date remains the same. In addition to revising the effective date of the interoperability requirements to January 2021, the final regulation contains some notable changes from the proposed regulation issued back in February 2019.
What Interoperable Data Would Plans Have to Produce?
CMS and state Medicaid agencies have required electronic X12 data transactions for nearly 25 years. These data standards started with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which set enrollment, claims and payment transaction standards. However, HIPAA transaction standards govern data exchanges between health plans, providers and the government for batches of electronic transactions. HIPAA did not require electronic data sharing with individuals, but instead set up individual privacy and security protection over the release of individual data. Until now, plans have not been required to make individual claims data available to members, their families, caregivers, or providers via the Internet or mobile devices, and in fact, risked violating HIPAA by doing so.
The final CMS “Interoperability and Patient Access” regulation, along with a companion HHS Office of National Coordinator (ONC) interoperability rule finalized on the same day, dramatically changes how plans share information with enrollees. The CMS regulation and corresponding ONC rule set lays out new requirements for digital data-sharing with members and other entities as authorized by the member. CMS requires four types of data be available to the member through open Application Programming Interface (API): medical and drug claims data, clinical data possessed by the plan, current provider directory data, and formulary or preferred drug lists.
- Claims data: Health plans must make medical and drug claims available via API to web or mobile devices, only if requested and authorized by a plan enrollee or their legal representative, with members selecting who receives the data. Plans not only have to send the member newly-covered claims, but the final rule requires that plans release a history of covered claims starting with dates of service from January 2016. Covered claims must be sent to members within one day after a claim is adjudicated, and can use the data content from HIPAA transaction standards. To accomplish this, plans must allow third-party applications to retrieve the following data if authorized by the enrollee: adjudicated claims, encounters from capitated providers, and approved and denied claims. CMS does not prescribe a standard by which the data must be presented in member’s digital applications, but suggests some existing industry standards, such as the CARIN Blue Button data set.
- Clinical data: Plans must release “any clinical data,” including laboratory results, vital signs, clinical notes and assessments via API to the member and their designated stakeholders “if (the plan) maintains such data.” The requirement that plans must send any clinical data to members is a change from last year’s proposed rule, which made the clinical data requirement an alternative for plans to release instead of claims data. For clinical information, CMS requires specific data fields and layout, mandating that plans make the data available through the U.S. Core Data for Interoperability (USCDI) Version 1 Content and Vocabulary Standards, which were created for the 2015 edition electronic health record (EHR) certification.
- Provider Directories: Provider directory data for Medicaid and Medicare plans would need to be available via API to third-party applications for consumption, aggregation and display. When comparing Medicare and Medicaid provider directories:
• Medicaid plans must make additional provider fields available
• Medicare and Medicaid plans must make pharmacy network listings available.
Changes in provider listings must be updated via API within 30 calendar days. A notable change in the final rule is that this data must be accessible to the general public via open APIs, and not just to plan enrollees.
- Covered Prescription Drugs: Medicare and Medicaid plans have to provide specific listings of the drugs they cover via plan formularies for Medicare Advantage plans and preferred drug lists for Medicaid and CHIP plans. These must be available for the public to access via API.
- Plan to Plan Data: In addition to making data available to members and their representatives starting in January 2021, the final rule requires that, by January 2022, plans must share electronic clinical data with each other, if authorized by their shared members. This will allow plan clinical data to move with members when they change plans, and successor plans must incorporate this electronic clinical data history into their plan records.
The two interwoven CMS interoperability and patient access rules require the following types of plans to implement, test and monitor APIs so that data is digitally available to patients through third-party applications:
- Medicare Advantage
- Children’s Health Insurance Programs (CHIP)
- Medicaid Fee-for-service programs and managed care entities
- Qualified health plans (QHPs) on the Federally-Facilitated Exchange (FFE)
While the proposed regulation required these plans to make the above data available via a trusted exchange network, the final rule removes this requirement because these trusted networks will not be fully available by January 2021.
CMS estimates up to 125 million lives could request EHI access to their claims, clinical and provider directory data.
Be aware that CMS now estimates an average one-time cost to implement health plan API requirements will be $718K - $2.3M per health plan; the annual cost to maintain, upgrade and test with third-party applications is estimated to be around $158K.
Health plans in the government space now have an urgent mandate to implement new interoperability requirements. This ability to receive and push out digital data creates a new medium for plans to communicate with their members and interact with providers. While it will require a big transition to make the change, this could open new opportunities as additional use cases arise that these technical pathways can solve. Regardless of line of business, plans would do well to consider interoperability, since all members will increasingly expect to have digital access to their current health coverage and clinical data.
SS&C is proactively applying our API experience to roll out a new interoperability solution to assist plans with compliance of these final requirements. Contact us today to learn more about our solutions and expertise. We’re here to help you prepare for a more patient-connected tomorrow.