CMS has released a companion rule on Interoperability and Patient Access (the “CMS Rule”) that requires payers participating in federally-funded healthcare programs to provide patients with easy access to their claims and encounter information, as well as certain clinical information (inclusive of the elements defined in the USCDI version 1 data set) via standardized APIs to third-party applications of the individual’s choice. To establish this new requirement, CMS uses its authority over payers through various federal programs, including Medicare Advantage, Medicaid and Children’s Health Insurance Program managed care plans, state agencies, and qualified health plan issuers on federally-facilitated exchanges. Beginning on July 1, 2021 (which reflects a 6 month enforcement delay), payers in these programs must implement and maintain an API to support patient access to their health information (the “Patient Access API”) and make provider directory information available through a public facing provider directory API (the “Provider Directory API”).
The Patient Access API requirement is modeled after CMS’s Blue Button 2.0 initiative, which allows Medicare beneficiaries and third-party apps they designate to access Medicare claims information. The rule requires payers to provide API access to requestors no later than one business day after adjudicating a claim or receiving the clinical data from providers, including price-related information such as provider remittances and enrollee cost-sharing information. Starting in 2022, these payers will be subject to a Payer-to-Payer Exchange requirement, meaning they must comply with individuals’ requests to send their data to other payers, whether through the Patient Access API or other means.
CMS has explained that the “only instance” that a payer could deny access to a third-party application would be if the payer’s own systems would be endangered by allowing the third-party application to access the API.
At the same time as they are required to release this data, payers are also under an obligation to explain the relevant privacy and security risks to individuals. The rule requires that the payers provide educational resources for enrollees that explain the general steps an enrollee can take to protect the privacy and security of the health information, including factors to consider in selecting a third-party application. CMS has issued guidance to assist payers in making this information available.
Payers must also make provider directory information available, similar to the API requirements that already exists for qualified health plans in the exchanges. Importantly, this information could help patients understand in closer to real-time and via their mobile phones which providers are in-network versus out-of-network, which could help them make more cost-conscious decisions in seeking out healthcare services. The Provider Directory API must include the payer’s network of contracted providers, including names, addresses, phone numbers, and specialties, updated no later than 30 calendar days after providers update their information with the plan. Medicare Advantage organizations offering Part D plans also must offer the number, mix, and addresses of pharmacies in their networks.