December 2, 2022

Volume XII, Number 336


December 01, 2022

Subscribe to Latest Legal News and Analysis

November 30, 2022

Subscribe to Latest Legal News and Analysis

November 29, 2022

Subscribe to Latest Legal News and Analysis

Increased Interoperability of Health Information: Two New Proposed Rules

The U.S. Department of Health and Human Services (HHS) recently proposed two new rules designed to increase patient and provider access to health records. As stated by HHS in its press release, the proposed rules “will support seamless and secure access, exchange, and use of electronic health information.” These proposed rules stem from two separate components within HHS – the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC). The rules have much in common, with both sharing the same goal of increased health information interoperability in order to improve access to, and the quality of, health information.

A Snapshot of the Proposed Rules

  • On February 11, 2019, CMS and ONC proposed complementary rules facilitating patient access to and the flow of health information.
  • Health care providers would be required to implement, test, and monitor open standards-based application programming interfaces (APIs) to make patient information more available to patients through third-party applications and developers.
  • Payers would have to support electronic exchange of data for transitions of care as patients move between plans.
  • Plans would have until 2020 to comply with the proposed rule, should it go into effect.
  • To ensure both patients and providers have easy access to information, plans would be required to make information about in-network providers available to enrollees and prospective enrollees through API technology.
  • Health care organizations would be incentivized to participate in “trusted exchange networks” such as health information exchanges (HIEs) in order to facilitate the flow of health information.
  • “Information blocking” would be curtailed through public reporting of and enforcement actions against organizations that engage in practices that prevent or significantly restrict the effective and efficient flow of patient information.
  • Patients would be enabled to easily access their health information electronically and at no cost.

What Are the Key Takeaways?

The CMS Proposed Rule

The CMS proposed rule, CMS-9115-P, strives for greater interoperability in the health care industry by requiring that all governmental health plans as well as all health plans offered through the federal Affordable Care Act (Covered Plans) provide patients with free control of, and increased access to, their HIPAA protected health information (PHI). Issuers of these Covered Plans would have until 2020 to comply with the proposed rule, should it go into effect. The reach of this rule would be extensive, as Covered Plans provide insurance for nearly 125 million patients.

Patient Access and Information Flow through APIs

Among other things, the CMS rule would require Covered Plans to implement, test, monitor, and maintain PHI APIs to:

  1. Make patient claims and other PHI available to patients through third-party applications and developers
  2. Simplify and increase the ease and access for patients to transition between insurance plans and providers by facilitating the flow of PHI.

Generally, APIs are sets of code which allow multiple software programs to interact and communicate with each other (more on this under the ONC Rule). Covered Plans are encouraged to join an “exchange network,” with certain payers being required to join, with the goal of facilitating the flow of information.

Restricting “Information Blocking” Practices

Both rules address the practice often referred to as “information blocking” – when a health care provider or vendor unreasonably interferes with or prevents access to electronic health information (for example, when an organization charges fees which makes information exchange cost prohibitive, or when policies or contract terms prevent or disincentive sharing information with patients or other health care providers). Under CMS’ proposed rule, CMS would publicly post information about health care organizations that submit information indicating the engagement in some form of information blocking. The reporting would apply to clinicians under the Merit-based Incentive Payment System (MIPS), hospitals participating in Medicare and/or Medicaid, and critical access hospitals in rural areas serving residents otherwise far from emergency care.

Increased Adoption and Use of Health Information Networks (HIEs)

Transmitting health information through the internet requires a ‘trust framework’ that addresses the privacy and security of the information. Trusted networks such as HIEs are those in which plans and providers can easily share information regardless of various health IT systems and networks. The CMS rule recognizes the need to expand and integrate more plans and providers into these networks.  The rule would incentivize payers to join any health information network they choose and be able to participate in regional and nationwide exchange of data. Certain CMS qualified plans would be required to participate in trust networks to improve interoperability.

The ONC Proposed Rule

Common API Criteria and Standards to Improve Access

The ONC rule, RIN 0955-AA01, addresses more technical and granular issues than the CMS rule. Similar to the CMS rule, the ONC rule attempts to increase health care network interoperability through the use of APIs. The ONC rule is more detailed than the CMS rule in this regard, proposing new API criteria in an effort to standardize APIs in the health care industry to promote and facilitate secure access to health information on smartphones and other mobile devices. The proposed rule sets forth standards on data classification as well as other specifications for the API-enabled access and services. The goal of these aspects of the rule is to facilitate the sharing of the myriad different formats currently used, and to make patient information available using mobile technology.

More on Information Blocking

Like the CMS proposed rule, the ONC proposed rule would also address information blocking in an effort to lessen use of the practice in non-constructive or beneficial ways. Curtailing information blocking is key to the HHS goal of health information interoperability and exchange. The ONC rule provides further requirements to discourage information blocking, with a few important exceptions focused on preventing harm and promoting privacy, which the ONC deems reasonable and necessary under certain conditions. In an effort to provide additional clarity to health care providers and vendors, the proposed rule identifies reasonable and necessary activities that do not constitute information blocking. These aspects of the rule as well as the API criteria and standards are designed to help ensure that patients can electronically access their electronic health information at no cost.

How to Submit Comments

Interested parties will have until mid-April to provide comments on the proposed rules to CMS and ONC (the exact date will be 60 days from when the rules are posted on the Federal Register, expected to be February 15). Commenters can provide their responses either online or through mail to the contact information provided in the rules. Instructions on how to comment are provided below.

In addition, CMS is requesting specific feedback and commentary on adopting health information technology for use in post-acute care settings, and the role of patient matching through data interoperability, resulting in improved patient care.  ONC is also seeking specific input regarding what types and kind of information would help increase transparency for health care industry costs.

To learn more about the proposed rules, or for assistance in providing a comment, contact any of the authors for more information.

For the CMS Rule:

  • Visit the Federal eRulemaking Portal. Be sure to follow the instructions for submitting comments
  • Send written comments by regular mail to the following address:

Centers for Medicare & Medicaid Services
Department of Health and Human Services
Attention: CMS-9115-P
P.O. Box 8016
Baltimore, MD 21244-8016

  • Send written comments by express or overnight mail to the following address:

Centers for Medicare & Medicaid Services
Department of Health and Human Services
Attention: CMS-9115-P
Mail Stop C4-26-05
7500 Security Boulevard
Baltimore, MD 21244-1850

For the ONC Rule:

  • Visit the Federal eRulemaking Portal. Be sure to follow the instructions for submitting comments
  • Send one original and two copies by regular, express, or overnight mail (or by hand delivery or courier) to the following address:

Department of Health and Human Services, Office of the National Coordinator for Health Information Technology
Attention: 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Proposed Rule
Mary E. Switzer Building
Mail Stop: 7033A
330 C Street, S.W.
Washington, D.C. 20201

© 2022 Foley & Lardner LLPNational Law Review, Volume IX, Number 46

About this Author

Chanley Howell, Intellectual Property Attorney, Foley Law Firm

Chanley T. Howell is a partner and intellectual property lawyer with Foley & Lardner LLP, where his practice focuses on a broad range of technology law matters. He is a member of the firm's Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices and the Sports and Health Care Industry Teams.

Mr. Howell represents companies in a variety of technology law areas, such as:

  • Data Privacy and Security Compliance – Counsel and advise clients with respect to compliance...

Jennifer Hennessy, Foley Lardner Law Firm, Privacy Security and Healthcare Attorney

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management...

Kelly Thompson, Foley Lardner, Healthcare lawyer

Kelly Thompson is an associate and health care business lawyer with Foley & Lardner LLP. Her practice focuses on legal services for corporations, hospitals, physician practices, and other health care providers in the areas of business law and health regulatory compliance with a focus on federal and state fraud and abuse and licensure laws. 

Ms. Thompson has assisted health care providers on various health and business law issues, including federal and state privacy laws, criminal and civil fraud and abuse laws, HIPAA, employment law,...

Elliott Francis Gurnick Technology Transfer lawyer Foley Lardner

Elliott Gurnick is an associate with Foley & Lardner LLP. He is a member of the firm’s Technology Transactions & Outsourcing Practice. In 2017, Elliott was a summer associate and law clerk for Foley & Lardner LLP, where he gained experience assisting in contract negotiations for software procurement. Prior to joining Foley, he worked as a summer law intern researching laws on cyber insurance and retail sales policies and as an analyst intern for SpaceX.


Elliott earned his law degree from the University of California, Irvine School of...

Thomas E. Chisena Technology transaction lawyer Foley Lardner

Thomas (Tom) Chisena is an associate with Foley & Lardner LLP, where he is a member of the Technology Transactions & Outsourcing Practice. He advises on all matters involving intellectual property and technology transactions, including licensing, procurement, outsourcing, and other technology law issues affecting companies of all sizes.

Mr. Chisena also advises on cybersecurity and privacy issues affecting all industries, including state, federal, and international laws and regulations.

Prior to joining Foley, Mr. Chisena was an associate at an ...