Skip to main content


On February 11, 2019 the Department of Health and Human Services’ (HHS) Center for Medicare and Medicaid Services (CMS), via its Interoperability and Patient Access Proposed Rule, proposed policy changes in support of its MyHealthEData initiative, which is the government-wide initiative started by the Trump Administration in March 2018 to empower patients by breaking down barriers that prevent patients from having electronic access and control over their own health records. This proposed rule specifically outlines opportunities to make patient data more useful and transferable through open, secure, standardized and machine-readable formats while reducing restrictive burdens on healthcare providers. 

In coordination with this rule, HHS’s Office of the National Coordinator for Health Information Technology (ONC) also published on the same day its 21st Century Cures Act: Interoperability, Information Blocking and the ONC Health IT Certification Proposed Rule. This proposed rule implements certain health IT provisions of the Cures Act, which is a wide-ranging health care law enacted by Congress in December 2016 in pursuit of accelerating the discovery, development and delivery of 21st century cures.  ONC’s rule specifically updates the requirements of the ONC Health IT Certification Program, promotes the voluntary certification of health IT for use by pediatric health care providers, and identifies activities that are exceptions to information blocking. It also promotes specific policies, such as the standardization of APIs, to ensure a patient’s electronic health information (EHI) is accessible to the patient in a manner that facilitates communication with the relevant parties.  

To best understand the thrust of these proposed rules, it is important to define what interoperability is. According to the Medicare Access and CHIP Reauthorization Act of 2015, it is defined as, “the ability of two or more health information systems or components to exchange clinical and other information and to use the information that has been exchanged using common standards as to provide access to longitudinal information for health care providers in order to facilitate coordinated care and improved patient outcomes.”     

Both rules work in tandem to advance interoperability and support the access, exchange and use of EHI, pointing to each other for guidance and support. For example, while CMS’s rule calls for open, standardized Application Programming Interfaces (APIs), ONC’s rules outlines the very standards the APIs must meet. 

CMS’ Interoperability and Patient Access Proposed Rule  

Perhaps the most exciting proposal in catapulting health care into the 21st century is the one regarding APIs. Last year, CMS launched the Blue Button 2.0 API in Medicare fee-for-service, allowing members to access their health claim information through the electronic application of their choosing. 

In an extension of this, CMS’ proposed rule requires Medicaid Advantage organizations, state Medicaid and CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities and QHP issuers in federally-facilitated exchanges (FFEs) by January 2020 to implement open APIs meeting the standards outlined in the ONC’s proposed rule. These APIs must also be consistent with the content and vocabulary standards outlined in the ONC’s recently adopted rule. The purpose of these requirements is to allow third party application developers to access the entities’ pool of patient claims and other health information in order to make them accessible to patients. The aforementioned entities with the exception of the QHP issuers on FFEs must also make their provider directory available to enrollees and prospective enrollees through these APIs. 

In conjunction with Apple’s growing list of institutions that support health records on the iPhone’s Health app to consolidate records and produce patient-generated data and which already meets the rules’ API standards, health care seems to finally be moving toward empowering individuals’ health care with the technology they already use every day.  

Seema Verma, the Administrator of the CMS, seems to agree. In support of the proposed rule she said, “By requiring health insurers to share their information in an accessible, format by 2020, 125 million patients will have access to their health claims information electronically. This unprecedented step toward a healthcare future where patients are able to obtain and share their health data, securely and privately, with just a few clicks, is just the beginning of a digital data revolution that truly empowers American patients.”

According to CMS, other major proposals in this rule include: 

  • A requirement that the aforementioned entities support the electronic exchange of data as patients move between plan types for up to five years so that their health information travels with them (data includes information about diagnoses, procedures, tests and providers seen and provides insights into a beneficiary’s health and healthcare utilization). 
  • Requirement that the aforementioned entities participate in a “trust network” meeting criteria for interoperability. This would enable the information to flow securely and privately between plans and providers throughout the healthcare system in the pursuit of care coordination.  
  • In order to prevent practices which undermine interoperability and thus limit the availability, disclosure and use of electronic health information, CMS proposes to inform patients and caregivers via CMS websites if individual clinicians, hospitals and critical access hospitals (CAHs) have submitted a “no” response to any of the prevention blocking statements under the Quality Payment Program or the Medicare FFS Promoting Interoperability Program. This threat could incentivize clinicians, hospitals and critical access hospitals to improver interoperability. 
  • CMS is similarly proposing to publicly report the names and National Provider Identifiers (NPIs) of those providers who have not added digital contact information to their entries in the National Plan and Provider Enumeration System as required by The 21st Century Cares Act. This contact information can be used to facilitate secure sharing of health information. 
  • CMS is proposing to revise the conditions of participation for Medicare-participating hospitals, psychiatric hospitals, and CAHs to require these groups to send electronic notifications when a patient is admitted, discharged or transferred, as these notifications have been proven tools for improving transitions of care between settings and improving patient safety.   
  • In order to improve the experience of individuals eligible for both Medicare and Medicaid, there is a proposal to update frequency with which states are required to submit buy-in data  on dually eligible beneficiaries from monthly to daily by April 1, 2022, as well as update the frequency with which all states are required to submit MMA file data to daily by April 1, 2022. (Buy-in data refers to information about beneficiaries that states are using Medicaid funds to “buy-in” Medicare services.) 

In Verma’s remarks at the 2019 Healthcare Information and Management Systems Society Conference, she said the initiatives in the proposed rule will reduce costs and improve quality of health and health care by ensuring transparency of health information. She also believes that freeing health data will spur innovation medical advancements, treatment plans and insurance plan options in pursuit of more personalized health care.  

CMS has published the proposed rule in the Federal Register. After the comment period for the proposed rule closes on April 29, CMS will review comments. If the agency receives significant comments, it may revise the proposals and must again propose the rule. If not, the agency will implement the minor feedback into the final rule. 

ONC’s 21st Century Cures Act: Interoperability, Information Blocking and the ONC Health IT Certification Proposed Rule 

According to the ONC, one of the major provisions of the ONC’s proposed rule sets up Conditions and Maintenance of Certification requirements, as the Cures Act requires the Secretary of the HHS to establish Conditions and Maintenance of Certification requirements of the ONC Health IT Certification Program, which was designed to test and certify health IT. There are seven Conditions of Certification with accompanying Maintenance of Certification Requirements: information blocking, assurances, communications, APIs, real world testing, attestations, and electronic health record reporting criteria submission. Any noncompliance with the proposed requirements would be subject to ONC direct review, corrective action and enforcement procedures under the ONC Health IT program. 

For example, in relation to CMS’ key provision on APIs, the ONC’s Conditions of Certification for APIs requires standardization of APIs using the Health Level 7 (HL7®) Fast Healthcare Interoperability Resources (FHIR®) standard, which is what Apple’s health records feature meets.  

Another major provision of the ONC’s rule relates to voluntary certification of health IT for use by pediatric health care providers. According to the ONC, after meeting with stakeholders in the public and private sector, the ONC developed ten recommendations for the voluntary certification of health IT for pediatric care and generated new and revised certification health IT criteria for pediatric health care providers.  

In addition, the rule traces the boundaries of the definition of information blocking by proposing categories of practices that would not be considered information blocking, provided certain conditions are met. According to Health Affairs, the seven categories are: preventing harm; promoting privacy; promoting security; recovering costs reasonably incurred to make the API technology available; infeasible requests for data; license conditions that the data discloser or API technology supplier imposes on the app developer and which are reasonable and non-discriminatory; and system maintenance. According to the ONC, if the actions of a regulated actor satisfied one of these exceptions, the actor would not be subject to the relevant civil penalties or other disincentives under the law.   

Lastly, according to the ONC, a bundle of proposals in the proposed rule works to ensure that a patient’s EHI is accessible to that patient and the patient’s designees in a manner that facilitates communications with all relevant parties. The proposals include: United States Core Data for Interoperability (USCDI) standard; “EHI export” criterion; “standardized API for patient and population services” criterion, “data segmentation for privacy (DS4P)” criteria, “consent management for APIs” criterion; API Condition of Certification; and information blocking requirements, which include providing patients access to their EHI at no cost to them. 

Donald Rucker, the National Coordinator for Health Information Technology, seems to echo Verma in his high expectations the changes the proposed rule, especially the standardization of APIs, will bring to a health care system desperate for improvement. In his recent remarks on the ONC’s HealthITBuzz site, he said, “How will healthcare change when patients can freely access their medical records stored in different provider databases and combine them in a single app?  How will it change when patients find they can take their records with them as they manage the rising costs of a healthcare system that offers little true competition?  How will healthcare change when medical devices increasingly connect with the Internet of Things through secure and open APIs? While we do not know exactly what a secure open API future will bring, we can expect change in healthcare to be transformative. We will have better control of our medications and their costs. We will be able to bring machine learning and artificial intelligence directly to our health records on our smartphones. Apps we choose can help us to live more healthy and productive lives…” 

The ONC’s rule, while approved by the HHS, has not yet been submitted to the Federal Register for publication. The document, therefore, may change slightly from the published document if editorial changes are made during the Register review process. HHS will update once the proposed rule is published by the Federal Register.  



The views and opinions expressed by the authors on this blog website and those providing comments are theirs alone, and do not reflect the opinions of Softheon. Please direct any questions or comments to

Leave a Reply