Mar 30 2021

3 Important Practices to Comply with CMS’ New Data Accessibility Regulation

Enforcement of CMS’ updated Interoperability and Patient Access requirements starts in July. Here’s what healthcare organizations need to know.

Healthcare organizations face a new challenge in their compliance efforts this summer. The Centers for Medicare and Medicaid Services will begin enforcement of a new rule to drive interoperability and patient access to health information in July.

The goal is to offer a more complete overview of a patient’s care — with the focus on CMS-regulated payers, such as Medicare Advantage, Medicare fee for service and managed care plans, along with Children’s Health Insurance Program coverage — opening the connection to all claims and encounter-level data, coupled with clinical data.

CMS is also bringing additional standards for more secure ways to share protected health information and to allow patients to have more visibility into how their own data is being shared. This is required to operate through Health Level 7 International’s Fast Healthcare Interoperability Resources (FHIR) Release 4.0.1 as the foundational standard to support the exchange of data through an application programming interface, or API.

While the purpose of the final rule is to bring more visibility and standardization to medical data sharing, there is a cost to the payers, providers and health systems to have the technology and process in place. As they get started on compliance efforts, healthcare organizations should focus on communication, security and identifying the tools that best meet their needs. HealthTech spoke with professionals in the healthcare industry about best practices to help organizations bolster their compliance efforts.

Communicate Effectively About Implementation of Software Changes

“Providers and hospitals will have to bear the financial and resource requirements to build out their electronic medical record and health information exchange environments in compliance with the final rule,” says Donna Morrow, vice president of clinical operations and client success at Noteworth, a comprehensive virtual care delivery platform. “The impact will reach beyond the providers into vendor partners, IT and development teams to meet the needs of the development, testing and implementation of software changes and API connections.”

LEARN MORE: Here's how to create an effective security regulation compliance strategy.

Implementation should start with a communication plan for providers and support staff on the requirements of the changes for information sharing and up-to-date provider contact information, Morrow says. Patients also need to understand the improvements to data sharing in safe and secure ways, she adds.

“First, start by holding the EMR and other health IT vendors accountable for the role they play in supporting the necessary interoperability,” she says. “Second, support full adoption of your EMR and other clinical documentation environments to support the quality and integrity of the patient data.”

Morrow, who is also a registered nurse, notes that it’s important to always put the patient at the center of any financial and technology decisions, and build an environment of trust to support complete health information exchange.

Build Multiple Security Layers in the EHR Infrastructure

Deepak Sadagopan, senior vice president of value-based care and population health informatics at Providence St. Joseph Health in Renton, Wash., says the initial set of interoperability deadlines that providers are confronted with, such as sharing admissions, discharge and transfer (ADT) data, do not pose a significant challenge. Most providers have been working on this for years through efforts to support meaningful use and promote interoperability.

“The EHRs we use are all able to exchange that information,” Sadagopan says. “The challenge for providers with the initial set of deadlines relates to administration.”

CMS has asked healthcare providers to register all interoperability contact information through the National Plan and Provider Enumeration System (NPPES).

“That’s an incredibly manual activity,” he says. “We’d love some tools to help with that, but at this point, it is a more human-overseen process.”


The percentage of healthcare organizations that considered improving ongoing compliance monitoring in 2020.

Source: SAI Global, “2020 Healthcare Compliance Benchmark Survey,” April 3, 2020

Sadagopan recommends the use of APIs that enable the publication of directories, which leverage the same type of information exchange principles CMS asks for from payers.  

A key focus should be on maintaining security, he adds, as the new rules change the landscape. The requirements start with data at the enterprise edge, and cover what information is requested and how that request is addressed.

“Our approach has been to build security into our cloud and EHR infrastructure that enables access as requests come in,” he says. “As an API starts to get published for access to patient health information, we have governance protocols in place that monitor who is accessing it and what they can legitimately access.”

However, Sadagopan notes that in an open API, there’s always the risk of unauthorized access to patient data, which is why healthcare organizations need to deploy technology that complies with HIPAA regulations.

“There’s no one technology that can address the whole underlying need,” Sadagopan says. “There are multiple layers of privacy that need to be put in place to make sure compliance is achieved and privacy is ensured.”

READ MORE: Can cloud-based healthcare operating systems solve the problem of interoperability?

Identify the Right Tools for E-Notification 

Healthcare organizations must consider multiple factors to achieve compliance with the new rule. Depending on which part of the rule is relevant to a given situation, different tools may be more effective in achieving compliance, says Dr. Joyoti Goswami, principal consultant at Damo Consulting, a digital transformation advisory firm. 

For ADT event notification, providers need to demonstrate the ability to send a notification to a patient’s primary care provider (or the next caregiver) when a patient is discharged from a health facility. To achieve compliance on digital contact information requirements, healthcare organizations must update information directly or as an FHIR endpoint on the NPPES portal.

“The interoperability rules are more on the payers than on the providers, like patient access APIs,” Goswami says. “That has to be published by the payers — all the claims data they have, lab information and so on, that has to be consumable by a third party, and those data elements need to be a part of that API.”

Donna Grethen/Ikon Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT