CMS Recently Introduced New Interoperability Mandates for Health Plans That Must be Implemented by July 1, 2021
The CMS Interoperability and Patient Access Rule (“Interoperability Rule”) requires payors to permit third-party applications to retrieve, with the approval and at the direction of a current enrollee, certain health care data. 42 C.F.R. §§ 422.119(a), 431.60(a), 457.730(a); 45 C.F.R. § 156.221(a). The Interoperability Rule does not alter covered entities’ or business associates’ responsibilities to protect PHI under HIPAA; however, once a member selects a third-party application and authorizes the application to access their data, the covered entity and business associate are no longer liable for the privacy and security of the PHI or any electronic health information sent. 85 Fed. Reg. 25510, 25518 (May 1, 2020).
Therefore, the most payors can do is educate their members through the member resource document required by the new rule. Beneficiary and enrollee resources regarding consumer-friendly (non-technical, simple, and easy to understand), patient-facing privacy and security information must be made available through appropriate mechanisms usually used to communicate with patients, such as on a website. Further, the Interoperability Rule requires that certain information be made available, such as factors to consider in selecting a health information management application, practical strategies to help enrollees safeguard the privacy and security of their data, and how to submit complaints to the Office of Civil Rights (OCR) or the Federal Trade Commission (FTC).