With healthcare organizations focused on battling COVID-19, the recent federal healthcare regulation requiring data interoperability may have become an afterthought. However, compliance with this rule will create a powerful tool for fighting COVID-19 recurrences and future pandemics.
If interoperability had gone into effect earlier this year as originally scheduled, many insurance companies and the federal government would now be able to securely share the data they have for most of the elderly patients on Medicare and more than half of the poor Americans on Medicaid. The industry might have identified COVID-19 risk factors more readily; attending physicians would have had more comprehensive data on which to base treatment decisions. Patients would have been able to use telehealth more effectively, with their healthcare history more readily available.
Data clearly is critical to the fight against COVID-19 and whatever future viruses and diseases emerge and travel the globe. The final interoperability rule issued by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) in March of this year will make healthcare data more widely and securely available. Although CMS recently announced a delay in enforcement until July of 2021, compliance remains an imperative, with deadlines for health insurers starting at the end of this year.
Many of the initial activities can be launched despite the current crisis. The rule spells out the standards and formats plans should use to publish a third-party developer application programming interface (API). The rule requires Medicare, managed Medicaid and individual Federally Facilitated Exchange (FFE) qualified health plans to develop the API using Fast Healthcare Interoperability Resources (FHIR) and terminology normalization. Here’s how to prioritize efforts to meet that January/July 2021 API publication deadline.
Start Here: Discover the scope of the work necessary. With fewer than 300 days from rule finalization to the compliance date and about a year from rule finalization to possible enforcement, getting clear on scope is vital. These are the initial steps to take:
Understand the rule. The rule’s requirements are broader than most plans initially appreciate. Key areas overlooked include the breadth of administrative and clinical data that payers must orchestrate from themselves and their vendors, the challenges of meeting the one-day periodicity requirement, the terminology normalization required, the comprehensive support for external developers that comes with a third-party developer API gateway, and the numerous business process impacts
Evaluate the rule’s impact on privacy requirements. This is likely to be the area of greatest risk and should be among the first areas to scope and address. Much of the current privacy infrastructure is not adequate for the safe execution of the rule’s requirements. As one example, consent to send data to a third-party app is now API-driven and requires new business processes and technology tools to manage successfully. The rule makes clear that all existing federal and state requirements still apply; plans are required to share data much more easily yet every bit as securely.
Discover the gaps. A plan must next identify the specific work to be done. Every plan has different systems, different architectures, different data management capabilities, and most importantly, different data. The assessment should focus on both the discovery of the data elements scattered across the plan that need to be orchestrated and provided to the API as well as the sufficiency of the source systems with the data management systems to accomplish the task with the required timing, quality and security. Most plans will identify multiple necessary improvements to source system improvements or changes to data management, data organization, privacy controls, and security safeguards.
Develop a plan. The resulting view of scope against resources will be a significant challenge to most plans. Multiple parallel workstreams will be necessary, especially because most plans will want to be finished with as much as possible before the start of open enrollment.
Curate your roadmap. First, it will free up both funding and focus to do the work required to be compliant. More importantly, almost every plan today now has an outdated roadmap of the future. In its lifetime, the healthcare industry has worked and planned for a world in which data does not flow. Two to three years from now, every payer and provider will be sharing their data in a standard way. Current roadmaps must be remediated in anticipation of that new world.
Education and planning are excellent first steps that can occur in the days of COVID and working from home because the development and integration work needs to be well underway by June and July. When planning is complete, the following actions take priority:
Focus on the application programming interface (API). This API must provide not only claims data, but also other administrative data and even select clinical data. It uses specified standards to support Substitutable Medical Applications and Reusable Technologies (SMART) on FHIR so that every plan’s API is similar. The APIs will enable third parties to develop apps and tools that use authorized data to help members manage their health more effectively.
The API should be the immediate focus, because the plan-to-plan data exchange was delayed a year to Jan. 1, 2022, and another requirement, that health plans join a Trusted Exchange Network, has been deferred for future rulemaking.
Launch IT remediation. In addition to the basic requirements of the data needed for the APIs, data sourcing, orchestration, and labeling are all major issues. It’s critical to trace and verify data provenance, understanding where, how and by whom data originated, and how it has been used, modified and processed by other people and systems. For example, a pulse rate collected from a hospital may be treated differently than one reported by a member’s Fitbit tracker. Metadata issues must be addressed, especially the identification and tagging of sensitive data, such as HIV status.
Analyze third-party relationships that involve data access. For example, if a payer contracts with a service provider for utilization management, fulfilling the data vending requirement becomes complex. It’s usually the service provider that has data used to make a coverage determination, not the payer. Yet the mandate generally requires that a member should be able to see whatever data the plan used when it decided on the appropriateness of care. It’s important to evaluate these relationships and determine how member data requests will be fulfilled under them.
Revamp member enrollment processes to capture data-sharing consent. While the rule does not immediately address member enrollment, obtaining member data-sharing consent as part of the enrollment process can improve process efficiency and care delivery. By becoming an app developer themselves and creating their own app (or website) designed to get member consent, a health plan initially could gather member data from previous health plans through the new API. Payers then could immediately analyze the data, to determine what care management is appropriate, evaluate data needed for risk adjustments or HEDIS measures, and assign an accountable care organization, medical home or primary care physician — all as part of a new enrollment workstream. Members could receive a level of personalized service and care in mere hours instead of the months it now takes for payers to collect and analyze similar data.
The Longer View
While meeting the July 2021 API enforcement deadline, payers must also keep in mind how the interoperability rule will change their competitive landscape and business models.
To start, payers must address how interoperability partially negates their current value proposition. For the last two decades, payers have competed by reducing claims adjudication costs and on increasingly competitive network design. Now, payers will be able to analyze data released under the rule to see how competing plans have structured their networks and rates. That indirect transparency will blunt the value of physician networks as a competitive edge.
Competition from new industry entrants is increasing. Apple, Amazon, Best Buy, Walmart and others will combine member data with their existing expertise, whether technological, logistical, physical footprint, or in other areas. The results likely will produce new options for care delivery, such as Walmart’s flat-price no-insurance clinics. Payers can hold their own by using compliance efforts to retool processes and imagining new services built on members controlling their own health data. With data flowing easily, payers should create new value propositions based on such qualities as frictionless service; member experiences; better care management and outcomes; and improvements to the medical cost of care.
The interoperability rule on patient access to healthcare data is more than a regulation; it’s a blueprint for building critical data capabilities needed to tackle future crises like COVID-19 in the shorter term while reshaping the industry for the longer run. Payers that approach compliance with the goal of moving beyond basic compliance will equip themselves with the capabilities they’ll need as interoperability ignites significant and sustainable change in healthcare quality, delivery and payment.
About Jay Sultan
Jay Sultan is Vice President of Healthcare Innovation and Strategy at Cognizant. He has been a thought leader in healthcare, advising over 120 health plan and 50 delivery systems on value-based care, provider data management, healthcare analytics, clinical data use and interoperability. In his current role at Cognizant, Jay is leading the application of the specific areas of strategy from inception to “business as usual.”