The Department of Health and Human Services (HHS) and Centers for Medicare & Medicaid Services (CMS) have published several new proposed and final rules on various topics, ranging from prescription drug pricing to additional telehealth benefits. Amidst this busy season of rulemaking, there has been one proposed rule that has surprisingly not generated much buzz, despite the fact that it will require health plans to undertake significant changes if finalized: the proposed rule focused on improving interoperability and member access to health care data.
CMS published this proposed rule in March, promising it is merely the first in a series of rules CMS plans to publish to advance the interoperability of member health information and increasing the accessibility of member health information. Once finalized, it will impact health plans (generally meaning Medicare Advantage Plans (MA Plans), Qualified Health Plans (QHP) in federally facilitated exchanges, Medicaid and Children’s Health Insurance Program (CHIP) plans) in a variety of ways. First, it requires health plans to implement and monitor an open application programming interface (API) to which third party software applications (Apps) can connect, at a member’s request, to obtain and display the member’s health information. Second, it requires health plans to make their provider and pharmacy directories available through this open API, so that Apps can access and publish this information to members, prospective members, and providers. Third, it requires health plans maintain a process to communicate member health information with certain other health plans, upon a member’s request. Finally, it requires health plans participate in a trust exchange network. The initial effective dates for the proposed rule ranged from January 1, 2020 to July 1, 2020, depending on the provision of the proposed rule and the type of health plan.
The proposed rule’s comment period, originally scheduled to close on May 3rd, was extended through June 3, 2019. As part of that extension notice, CMS noted that, based on public comments already received on the proposed rule, it would adjust the effective dates of the proposed rule to allow for adequate implementation timelines. While it is not yet clear what an “adequate implementation timeline” might mean, the initial sense across the industry is that the originally proposed effective dates for the rule are simply not feasible. In fact, America’s Health Insurance Plans (AHIP) issued a statement in March criticizing the proposed effective dates as “unrealistic” and stating more time was needed for health plans to build, test and implement the changes called for by the proposed rule.
CMS has hosted question and answer sessions on the proposed rule. In each of those sessions, concerns have been raised about how health plans can ensure the security of their members’ health information is protected, while at the same time complying with the proposed rule to make such health information available to Apps. CMS reminded health plans that, while they must ensure appropriate authorization mechanisms are in place and authentication occurs before exposing member health information to the App chosen by the member, they are not responsible for the security of members’ health information once it has been received by the App. Nonetheless, some health plans have expressed concerns that members may not adequately understand the privacy risk associated with using Apps to access their health information.
Such concerns appear to be well founded. A recent analysis in BMJ studied 24 top-rated apps for Android mobile devices that related to medical and prescription drug information. Of those, 79% shared user data with third parties, which then shared it with fourth parties like Facebook, Oracle and Alphabet, Google’s parent company. Amazon and Alphabet received the most user data.
CMS appears to be resolute about advancing the interoperability and increasing the accessibility of member health information. It remains to be seen how quickly CMS will publish a final rule on this topic and when its changes will be effective. However, it is likely no longer a matter of if such a rule will be finalized, but rather when it will be finalized and made effective.
 84 Fed. Reg. 7610 (March 4, 2019) (available at: https://www.govinfo.gov/content/pkg/FR-2019-03-04/pdf/2019-02200.pdf).
 Meg Bryant, Healthcare Dive, “Most health apps share data with third, fourth parties, BMJ analysis warns” (March 21, 2019) (available at: https://www.healthcaredive.com/news/most-health-apps-share-data-with-third-fourth-parties-bmj-analysis-warns/550984/); BMJ 2019;364:l920 (available at: https://www.bmj.com/content/364/bmj.l920).