Interoperability

What is interoperability?

The Centers for Medicare and Medicaid Services (“CMS”) announced the Interoperability and Patient Access Rule to (among other things) impose on certain lines of business the obligation to implement three initiatives.

The three initiatives are:

  • A Patient Access Application Programming Interface (“API”)
  • A Payer-to-Payer Data Exchange
  • A Provider Directory API

Patient Access API

The Basic Requirement

Covered Health Plans must:

“implement and maintain [an API] that permits third-party applications to retrieve, with the approval and at the direction of a current [member or the member’s] personal representative, data specified in [the Interoperability Rule] through the use of common technologies and without special effort from the enrollee.”

What data is included?

  • Data concerning adjudicated claims
  • Encounter data from capitated providers
  • Clinical data if the Covered Health Plan maintains any such data

Technical Requirements

CMS adopted two technical standards for the Patient Access API:

The FHIR standard includes three implementation specifications:

These standards establish the format for data to be disclosed through the Patient Access API.

In addition, CMS adopted “content and vocabulary standards” for data to be included in the Patient Access API. There are two such standards, each of which applies “where applicable to the data type or element, as appropriate.” The first standard is the United States Core Data for Interoperability, version 1 (“USCDI”). The second standard is the HIPAA Transactions Rule together with the “Standards for Electronic Prescribing” transaction applicable to Medicare Part D plan sponsors (including MAOs that offer MA-PD plans). The requirements for this second standard relate to standardized electronic transactions that health plans, providers, and other parties exchange, such as health care claims, remittance advice, and eligibility inquiries.

App Developers’ Privacy/Security Attestations

Although CMS does not permit Covered Health Plans to deny an App access to the Patient Access API except in limited circumstances, it will allow Plans to conduct “app vetting” and provide information about Apps’ privacy and security policies to members before they approve disclosures of protected health information to the App through the Patient Access API. Blue Shield of California requests that third-party apps attest to having certain privacy and security provisions included in their privacy policy prior to providing the app access to the API. Members are informed whether an app has accepted or denied an attestation, but Blue Shield will allow the member to use the App to obtain data through the API unless the member affirmatively withdraws his/her request.

Payer-to-Payer Data Exchange

The Basic Requirement

Covered Health Plans “must maintain a process for the electronic exchange of the data classes and data elements included in the [USCDI data standard].” HHS explains that “exchanging this data set would help both enrollees and health care providers coordinate care and reduce administrative burden to ensure that [Covered Health Plans] provide coordinated high-quality care in an efficient and cost-effective way that protects program integrity.”

What data is included?

The data to be provided through the Payer-to-Payer Data Exchange does not include the adjudicated claims or encounter data that must be disclosed pursuant to the Patient Access API. Rather, the information is limited to the Clinical Data a Covered Health Plan must make available through the Patient Access API. The Payer-to-Payer Data Exchange will require the transfer of data for dates of service on or after January 1, 2016, for as long as the Covered Health Plan maintains such data.

Upon Member’s request

The Privacy Rule permits one covered entity to disclose an individual’s protected health information to another covered entity for the recipient’s care coordination, provided that both covered entities have (or previously had) a relationship with the individual and the information “pertains to the relationship.” Thus, as long as a Payer-to-Payer Data Exchange is between health plans that have or had a relationship with the individual, no HIPAA authorization is necessary. The Interoperability Rule requires Covered Health Plans to disclose data to any health plan a current or former member (or his/her personal representative) “specifically requests.” It is therefore possible that an individual would request disclosure of the data in a manner that does not comply with HIPAA. A member could ask a Covered Health Plan to disclose his/her protected health information to another health plan in which the member expects to enroll (but has not yet enrolled). Any such disclosure must be made with the member’s authorization because the recipient does not have (and never previously had) a relationship with the member.

Why is this needed?

In the past, patients would need to take many steps to request and get their records. Blue Shield is improving patient experience. Our payer-to-payer system modernizes and standardizes data. Patients can request their data when they leave an insurance company (“payer”). Also known as "interoperability," this system requires you to consent to share your data. Once your insurance company has consent, they can access your health data. We've created a system to manage this data exchange for members. It will allow members to request and retrieve their records.

Provider Directory API

The Basic Requirement

A Covered Health Plan (other than a QHP Issuer) “must implement and maintain a publicly accessible [Provider Directory API]” that “is accessible via a public-facing digital endpoint on the [Covered Health Plan’s] website.” The Provider Directory API must be accessible by any member of the public - it cannot be limited to a health plan’s members - and “any person using commonly available technology to browse the internet [should be able to] access the information without any preconditions or additional steps.”

What data is included?

The Provider Directory API “must provide a complete and accurate directory of” the Covered Health Plan’s “network of contracted providers.”

The data elements required vary by plan and may include (but are not limited to) the following:

  • Names
  • Addresses
  • Phone numbers
  • Specialities
  • The provider’s group affiliation
  • The provider’s Website URL
  • Whether the provider will accept new patients
  • The provider’s cultural and linguistic capabilities
  • Whether the provider’s office/facility has accommodations for people with physical disabilities

Technical Requirements

The technical requirements for the Provider Directory API are the same as those for the Patient Access API, except that, since no protected health information is involved, “the security protocols related to user authentication and authorization and any other protocols that restrict the availability of this information to particular persons or organizations” do not apply to the Provider Directory API.