ONC & CMS Proposed Rules – Part 6: Payer Data Requirements

Nikki Kent
Dave Levin


The Office of the National Coordinator (ONC) and the Centers for Medicare and Medicaid (CMS) have proposed final rules on interoperability, data blocking, and other activities as part of implementing the 21st Century Cures Act. In this series, we will explore ideas behind the rules, why they are necessary and the expected impact. Given that these are complex and controversial topics are open to interpretation, we invite readers to respond with their own ideas, corrections and opinions.

Interventions to Address Market Failures

Many of the rules proposed by CMS and ONC are evidence-based interventions aimed at critical problems that market forces have failed to address. One example of market failure  is the long-standing inability for health care providers and insurance companies to find a way to exchange patient data. Each has critical data the other needs and would benefit from sharing. And, as CMS noted, health plans are in a “unique position to provide enrollees a complete picture of their clams and encounter data.” Despite that, technical and financial issues, as well as a general air of distrust from decades of haggling over reimbursement, have prevented robust data exchange. Remarkably, this happens in integrated delivery systems which, in theory, provide tight alignment between payers and providers in a unified organization.

With so much attention focused on requirements for health IT companies like EHR vendors and providers, it is easy to miss the huge impact that the new rules is likely to have for payers. But make no mistake, if implemented as proposed, these rules will have a profound impact on the patient’s ability to gather and direct the use of their personal health information (PHI). They will also lead to reduced fragmentation and more complete data sets for payers and providers alike.

Overview of Proposed CMS Rules on Information Sharing and Interoperability

The proposed CMS rules affect payers, providers, and patients stating that they:

  • Require payers to make patient health information available electronically through a standardized, open application programming interface (API)
  • Promote data exchange between payers and participation in health information exchange networks
  • Require payers to provide additional resources on EHR, privacy, and security
  • Require providers to comply with new electronic notification requirements
  • Require states to better coordinate care for Medicare-Medicaid dually eligible beneficiaries by submitting buy-in data to CMS daily
  • Publicly disclose when providers inappropriately restrict the flow of information to other health care providers and payers

These rules apply to:

  • Health care providers
  • State Medicaid and Children’s Health Insurance Program (CHIP) agencies
  • Insurers that offer qualified health plans (QHPs)
  • Medicare Advantage plans
  • Medicaid and CHIP managed care plans

While, the broader commercial market, employer-sponsored health insurance, and stand-alone dental plans are currently exempted from these rules, the hope is that some will still adopt these new approaches.

Data Exchange Requirements for Payers CMS has proposed substantial data exchange requirements that define both the types of information to be shared and, where appropriate, the technical approach and standards to be followed. One key requirement is to implement and maintain an open API that allows third-party applications (some with approval from the patient) to easily retrieve a variety of information as shown in the table below:

Other key data management provisions include:

  • Payers must be able to exchange data elements outlined in the United States Core Data for Interoperability (USCDI) standards.
  • Payers must incorporate received data into their own records.
  • When a patient (member) requests it, the payer must (1) accept data from a patient’s prior health plan for up to five years, (2) send data to other health plans for up to five years, (3) send data to a recipient designated by the patient for up to five years.
The proposed rules for exchanging data should lead to reduced fragmentation and more complete datasets for payers, providers and patients.

Importantly, the rules also specify response times where possible:

  • Claims, encounter, and clinical data must be available through the API no later than one business day after a claim is processed or the data is received by the payer.
  • Provider directory data must be updated within 30 business days of changes to the directory.
  • No specific timeframe for submitting pharmacy directory or formulary information.

A key issue will be the payer’s dependence on providers sharing data with them in a timely manner so the payer can meet these requirements. CMS is urging payers to consider whether their contracts with providers should include timing standards regarding the submission of claims and encounter data.

API Standards for Payers

CMS and ONC have been moving in tandem to address interoperability and information blocking. It’s no surprise CMS will require payers to comply with a separate ONC proposed rule to use APIs to meet certain technical standards and address standardized content and vocabulary for data available through the API. They also address behaviors that can limit interoperability or lead to information blocking. A good example is the requirement to deliver clinical data which mandates USCDI be available via a standard FHIR API. Other requirements specify (among other things) that:

  • The API must be publicly accessible on a payer’s website and accompanied by documentation on technical aspects (such as API syntax, function names, and various other parameters).
  • Payers cannot require a reader to pay a fee to access the documents, receive a copy via email, or agree to receive future communications before making the documentation available.
  • Payers can deny or discontinue a third party’s connection to their API if the payer determines—using objective, verifiable criteria —that the connection threatens the security of protected health information (PHI).
  • Payers can make non-standardized data available through their APIs but are required to ensure that their API documentation provides enough information to developers to handle this information.

Economic Impact on Payers

In general, the rules proposed by CMS and ONC are subject to a Regulatory Impact Analysis (RIA) to estimate the costs and benefits of specific rules. Interestingly, CMS suggests that promoting data exchange between payers and participating in a trusted health information exchange may qualify as “quality improvement activities” for purposes of an insurer’s medical loss ratio. This is an important consideration for payers since these costs

could be counted against the requirement to spend 80 or 85 percent of premium revenue on claims and quality improvement.

This is Getting Real – Real Fast

CMS has proposed specific time lines and actions for payers to meet the new requirements as illustrated below:

It seems likely payers will object to the January and July 2020 deadlines and that CMS and ONC will accommodate some delay, given the current timelines.

Data Must Flow for the Benefit of the All.

An overarching theme of the proposed rules is that patient data should flow freely and at the direction of the patient unless there is a compelling, common-sense exception (seven of which are spelled out in detail). The proposed rules for payers reflect this theme and directly address the long-standing failure of market forces to encourage robust information sharing. They also hold the real promise of benefiting patients, health care providers and payers by enabling better care at a lower cost.


Dave Levin, MD is co-founder and Chief Medical Officer for Sansoro Health where he focuses on bringing true interoperability to health care. You can follow him @DaveLevinMD or email Dave.Levin@SansoroHealth.com

Nikki Kent, SVP of Operations at Sansoro Health, is an accomplished health care executive having specialized in Operations, Human Capital and Sales for Payer and Provider organizations.

1 reply »

  1. I wish they would try these vast new social rules locally somewhere first—as experiments. They need some evidence of practicality. Evidence-based policy. Will it foster hacking and ransom-ware or litigation all over the place? Stealing EHR data and selling it to potential employers has got to be a potential goldmine. If you were an employer, wouldn’t potential new employee health information be very valuable? These proposed rules have over 700 pages and there is vagueness over each page. Eg the concept of Open API, application programming interface. Look this up on wiki and you will see how vague this is. It can mean a Windows operating system with Intel hardware, Wintel, or almost anything else up to Unix and Linux or some self-designed system that you give away at your doorstep.

    I hate to see everyone wasting all this energy trying to muck around with this vagueness, trying to please our masters in Washington….especially because it has not really been shown to improve or cheapen patient care. Also, of course, employer sponsored health plans do not need to comply. All these rules were written by young lawyers just out of law school. Be skeptical.

    Besides, if we were doing all this interoperability fairly, there is a lot of stuff that the public would like to know about the business side of health care. The arrow should not just go from the patient to the payer. It should go the other way too. How about showing to the world the actuarial value of these firms? Or their medical loss ratios? Or why PGMs are paying plans and everyone else under the sun, kickbacks? Or the same with GPOs, group purchasing organizations. How much money does your hospital CEO get from GPOs?

    Pick a region with a defined market and try these new rules.

    The more we push for interoperability and to push for unblocking data, the more this data will be liberated into hackers paws. Hasn’t this got to be true?

    Someone once told a policy maker “ Oh, we shouldn’t have to repeat lab work that the patient just had across town in another clinic.” “This is a big waste of money. “And the policy maker believed this and convinced everyone in CMS and in DC that it was a big problem. Well, it wasn’t.