CMS and ONC Rules: What You Should Know

Beth Plumptre
October 27, 2023

The present and future of healthcare can be summarized in one word: interoperability. Organizations like the HHS Centers for Medicare and Medicaid (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) are building an ecosystem where valuable healthcare data is readily available and easily exchanged to promote care coordination and patient engagement in treatment.

With easy exchange and access, however, come the dangers of compromised clinical and patient information. There are also common technical limitations that can hinder communication between health information technology systems. The CMS and ONC rules, released in March 2020, provide a framework to bind healthcare providers, payers, and IT providers into a structure that promotes best practices when distributing health information.

This guide examines how these new rules are laying down the law for better patient access to health information. We’ll see how common regulations and standards are transforming healthcare’s approach to patient-centered care.

What are the CMS and ONC?

As agencies of the United States Department of Health and Human Services (HHS), the CMS and ONC coordinate efforts to promote healthcare and the efficient use of health information technology.

In the United States, citizens aged 65 and above may be more familiar with the CMS as the agency responsible for Medicare, which provides coverage for nursing facilities, hospice care, prescription services, preventive care, and other benefits like Medicare Advantage. Likewise, Medicare provides a safety net for people living with special needs so they have access to quality healthcare services. Also covered are eligible lower-income families, who receive health care through Medicaid services for pregnant women, children, the elderly, and others in need.

As a partner, the ONC does a lot of behind-the-scenes work to make sure the structures that keep healthcare efficient and accessible run smoothly. This agency pushes for the advancement of health IT systems and is the backbone behind the popular use of electronic health records (EHRs) across health settings. 

Despite being separate provisions, the CMS rule and ONC rule have the joint goal of boosting patient access to medical data to improve involvement in health outcomes. These rules are designed to administer the interoperability and patient access provisions of the 21st Century Cures Act.

What is the CMS Rule?

The ONC and CMS rules may cover different aspects of health IT, but their intent is similar: democratizing data using Application Programming Interfaces (APIs).

Patient-Access API

For provider organizations, payers, pharmacies, and other key players interested in participating in Medicare, the CMS Interoperability and Patient Access Final Rule requires a Patient Access API to promote patient participation in care delivery. Under this rule, patient data becomes readily available through the Fast Healthcare Interoperability Resources (FHIR) API.

Using this measure, APIs can connect to mobile applications, EHRs, or practice management systems for a more seamless information exchange process.

Access to Payer-Provided Provider Directory

The CMS rule also encourages patients to make better-informed decisions when engaging with a health insurance program. By mandating payers to provide access to the provider directory usually available on their websites, patients are now empowered to find a provider best suited to their needs.

Because of the CMS rule, developers have a shorter learning curve when developing the provider directory API necessary to find and connect patients with these providers.

Seamless Payer Data Exchange 

Whether for lower premium costs, to reduce out-of-pocket expenses, or to enjoy special coverage for specific services, patients may decide to change their insurance coverage for any number of reasons. This change has become even easier, as patients now have the right to direct that their old payer send their information to the new payer, using a FHIR interface.

Patient Event Notifications

The CMS rule also intervenes at the point of emergency care. When a patient is admitted following an emergency, this rule now mandates that the emergency department inform the primary care provider to ensure proper continuity of care and care coordination. It is because of the CMS rule that most healthcare organizations now provide admission, discharge, and transfer event notifications at every point during the patient’s care.

The CMS interoperability rule also prioritizes patient privacy. To guarantee patient safety, this rule has specifications such as ensuring health IT vendors can attest to privacy policies that specify secondary data uses, while keeping patients in the know about any such uses. The CMS is also partnering with payers to educate patients about sharing their information with third parties so their rights are always protected. 

The ONC Rules

The primary concern of the ONC’s Final Rules is keeping electronic health information secure during the process of access and exchange between key players. Like the CMS, this agency requires the popular adoption of APIs so everyone from patients to providers can access critical clinical data. These rules aim to prevent information blocking — situations where business, technical, or organizational practices prevent or considerably discourage access or use of electronic health information. It counts as blocking when one healthcare provider refuses to share a patient’s medical records with another provider.

Likewise, high data access fees, restricting API access, or unstandardized data formats could constitute blocking. However, not every act of restricting information access results in information blocking.

There are around eight information blocking exceptions as of October 2023:

• Preventing harm: where a healthcare provider reasonably believes it’s in the patient’s best interest to restrict access to information.

• Privacy exception: if withholding information is required for the patient’s privacy, or by the law.

• Security exception: if blocking is carried out to protect the security of clinical data, or to prevent the loss of information.

• Infeasibility exception: if technological limitations or other outside circumstances can cause genuine challenges with sharing information.

• Health IT performance exception: developers are permitted certain practices that stop information sharing, provided this development is necessary for developing health IT systems.

• Content and manner exception: here, developers are permitted to establish policies and procedures regarding how electronic health information (EHI) is structured and exchanged, as long as these practices are not designed to block the sharing of information unreasonably.

• Fees exception: where reasonable fees are charged to access health information, this practice will not be regarded as information blocking.

• Licensing exception: information blocking does not occur when practices are required to license interoperability elements (such as application programming interfaces or data elements) on reasonable and non-discriminatory terms.
