The Evolution of Interoperability Regulations in Healthcare

Beth Plumptre
January 16, 2024

Since around 1996, a series of regulations has shaped the healthcare interoperability landscape, beginning with the Health Insurance Portability and Accountability Act (HIPAA) and continuing through more recent proposals like the Centers for Medicare and Medicaid Services’ Advancing Interoperability. This guide explores the foundational regulations governing coordinated operations in healthcare, and how interoperability requirements impact health information systems.

Evolution of Healthcare Interoperability

Healthcare interoperability began from humble, manual beginnings. What started as the physical exchange of patient charts, medical records, referral letters, and other documents quickly evolved to fax-based transmissions between healthcare organizations before entering the digital era, where Electronic Health Records (EHRs), electronic versions of a patient’s medical history, became a fixture of healthcare data exchange.

After EHRs emerged, Health Information Exchanges (HIEs) became established to support the secure exchange of electronic health information between various health systems. HIEs have become a staple of state and national healthcare data exchange, with top names like CommonWell Health Alliance and Carequality promoting seamless information sharing across the country.

Also supporting data exchange are core standards organizations like Health Level 7 (HL7), interoperability frameworks like the Trusted Exchange Framework and Common Agreement (TEFCA), and standardized APIs like the Fast Healthcare Interoperability Resources (FHIR).

Regulations have become a necessary catalyst for change in the healthcare data exchange landscape, helping to cement consistency and standardization as core features of this many-layered process. These rules guide and stimulate interoperable relations between data systems.

Regulatory Frameworks and Standards for Healthcare Interoperability

Before data exchange was consolidated into set rules, early information sharing was achieved via highly individualized structures. A single healthcare system might adopt diverse data formats, proprietary interfaces, APIs, and disparate communication protocols. This lack of standardization, coupled with the absence of industry standards, slowed the adoption of interoperable standards across the health ecosystem.

To encourage technology acceptance while introducing uniform measures for data exchange, the following regulations have been gradually mandated to promote cooperation between providers and improve health outcomes:

The Health Insurance Portability and Accountability Act

HIPAA revolutionized security in data exchange across health systems. While this regulation made provisions for different aspects of patient care like administrative processes, health insurance portability, plus protection against discrimination, its mandates on electronic health transactions properly present semantic interoperability for medical devices.

Under HIPAA, the Department of Health and Human Services (HHS) was tasked with developing regulations to ensure valuable patient data stays private and secure within the healthcare organization it’s generated in, and also outside of it during the exchange process.

The HHS published the HIPAA Privacy Rule and Security Rule to promote patient privacy and security. These rules apply to healthcare providers, health plans, and healthcare clearinghouses, and set necessary interoperability standards for handling electronic health information.

HIPAA Security Rule

When healthcare began to adopt electronically-backed structures formally, this change simplified exchange and secure access, but also exposed clinical data to potential cyber threats.

The Security Rule regulates who has access to patient records, how security incidents should be managed, and response plans for emergency incidents involving personal health information.

HIPAA Privacy Rule

In addition to health professionals, health plans, and health clearinghouses (Covered Entities), the patient record pipeline flows through external bodies (Business Associates) like IT Providers, pharmacy administrators, medical billing companies, and more.

Under the Privacy Rule, patients now have a say on who can view their records and what can be done with this information. This rule limits what counts as PHI, and how this information should be transferred, received, handled, or shared. It also stipulates the parties responsible for safeguarding this information, plus how much information can be transferred between entities.

The law is crucial for maintaining confidentiality, ensuring data integrity, and promoting the interoperable and secure exchange of health information in the evolving healthcare landscape.

21st Century Cures Act

The 21st Century Cures Act champions the patient's interest, with several provisions encouraging active participation in their clinical data and caregiving.

The Act was passed into law in 2016, but the methods for implementing it were established in March 2020, under the Cures Act Final Rules. For one, this rule allowed patients to view their medical charts, keep track of previous provider encounters, and receive test results from the comfort of their smartphones, sometimes through modern applications.

These applications also decentralized the concept of choice to the patient, as information about care quality and cost is more readily accessible. To ensure the patient's interests are secured, the Final Rules focus on players influential in making this possible.

Under Section 4002 of the Cures Act, developers must publish APIs, and these developers are tasked with ensuring all data elements contained in a patient's health record are accessible via an API, within the extent supported by law:

“Health information from such technology to be accessed, exchanged, and used without special effort through the use of APIs or successor technology or standards, as provided for under applicable law.” 

Under the ONC Rules, all applications must be SMART on FHIR compliant to push standardization across health data sharing channels. These features contributed to the anti-information blocking rules of the act, which remove the hurdles that previously prevented patients from accessing their health information.

CMS Interoperability Measurement Framework

To ensure healthcare reaches the finish line for interoperability, the Centers for Medicare and Medicaid Services (CMS) has put plans in motion to ensure existing measures for care coordination meet the mark.

The CMS plans to transition the quality measures used in reporting programs to digital quality measures (dQMs). This means modernizing quality measurement systems from paper-based surveys, chart reviews, and audits of medical processes.

To meet this requirement, the CMS has outlined four domains to revolutionize quality measurement:

  1. Improving data quality
  2. Advancing technology
  3. Optimizing data aggregation
  4. Aligning data, tools, and measures

Trusted Exchange Framework and Common Agreement (TEFCA)

The ONC created the Trusted Exchange Framework and Common Agreement to unify electronic health records nationwide. While technology adoption is on a steady ascent across the US, unique and disparate proprietary systems are some of the challenges preventing the full realization of interoperability in healthcare, which is where this agreement comes in. 

TEFCA consists of principles, terms, and conditions that support the development of a Common Agreement for the exchange of electronic health information across different health information networks (HINs).

Under TEFCA, healthcare providers agree to stay connected to ensure clinical data is readily accessible for a more complete picture of health records. This structure provides the technical and legal infrastructure for sharing health information across the United States. 

2024 is shaping up to be a big year for interoperability, with all eyes on TEFCA and the rollout of qualified health information networks (QHINs). Follow Metriport to stay up to date with the latest developments across the industry, and what they will mean for your organization.
