On May 14, 2021, CMS published FAQs addressing questions that have been raised regarding the Interoperability and Patient Access final rule published May 2020.  CMS is careful to note that the FAQs “do not have the force and effect of law and are not meant to bind the public in any way, unless specifically incorporated into a contract, as directed by a program.”  CMS has provided links and other guidance, including regarding technical standards, best practices, and privacy and security resources, and has directly addressed questions raised by trade associations and others.

We summarize some of the key points addressed in the FAQs.  We encourage you to review the full CMS response where questions arise in your implementation.
Continue Reading CMS Issues First FAQs on the CMS Interoperability and Patient Access Rule

Last week, the Center for Medicare & Medicaid Services (CMS) finalized long-awaited regulations on Interoperability and Patient Access (the “CMS Rule”) to require Medicare Advantage plans, Medicaid and Children’s Health Insurance Program (CHIP) managed care plans, state agencies, and Qualified Health Plan (QHP) issuers on federally-facilitated exchanges (“CMS Payers”) to provide patients easy access to their claims and encounter information, as well as certain clinical information, through third-party applications of their choice. On the same day, the Office of the National Coordinator for Health Information Technology finalized its rules on Interoperability, Information Blocking, and the ONC Health IT Certification Program (the “ONC Rule”) related to the 21st Century Cures Act (Cures Act). The CMS Rule and ONC Rule have far-reaching impacts.

As individuals and organizations covered by the rules are considering how they may facilitate their access to health information to support patients, health care providers, and others, it is important to understand when provisions in the rules will be effective and timing and what acts may constitute violations of these rules.  To help clients get familiar with these deadlines, we are providing this summary chart of compliance requirements and applicable deadlines to help your organization prepare for upcoming enforcement of the ONC Rule and the CMS Rule.  For legal advice tailored to the specific needs of your organization, please reach out to Jodi Daniel, head of the firm’s Digital Health Practice at jdaniel@crowell.com.

As you read the chart, you should keep the following in mind:Continue Reading Compliance Reference Chart for ONC and CMS Interoperability Rules

On Monday, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) announced an enforcement action against Bayfront Health St. Petersburg (“Bayfront”) for allegedly failing to provide a mother timely access to her unborn child’s prenatal medical records. The enforcement action is noteworthy in that it marks OCR’s first

A patient has an emergency and goes to a hospital she knows is in her plan’s network. She receives treatment. She leaves the hospital. Weeks later, she receives a medical bill for tens of thousands of dollars. Unbeknownst to her, some or all of her treating doctors were out-of-network.

This all-too-common story has contributed to a significant medical debt crisis in this country, and has captured the attention of policymakers on all sides of the political spectrum—leading to the rare circumstance of executive and legislative alignment and the potential for bipartisan legislative action.

Proponents of price transparency hope that it will improve competition and allow patients to better understand their financial responsibility ahead of receiving services. The idea is that disclosing prices to individuals will incentivize them to “shop around” for health care services, which may drive down costs. On the other hand, opponents of price transparency argue that releasing such information could compromise bargaining leverage between third party payers and providers, and have the effect of driving up prices since information exchanges in concentrated markets can lead to tacit coordination that’s difficult to detect and punish under the antitrust laws.Continue Reading Trump Administration and Congress Are Moving Quickly on Health Care Price Transparency and Lowering Costs

The HHS Office of Civil Rights (“OCR”) closed out the month of April with some updates to HIPAA civil monetary penalty (“CMP”) limits and clarifications to OCR’s stance on the Privacy Rule’s application to transfers of electronic protected health information (“ePHI”) to third-party applications and application programming interfaces (“APIs”).

Differential CMP Caps Based on Enforcement Discretion

Under the current HIPAA Enforcement Rule, HHS employs a four-tier level of culpability scale in line with the HITECH Act. These four tiers correspond to appropriate CMPs ranges for violations by covered entities and business associates of the HIPAA Privacy and Security Rules. These penalty tiers are adjusted for inflation pursuant to the cost-of-living formula set forth in the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.

For instance, if a person did not know and, by exercising reasonable diligence, would not have known that the person violated the applicable HIPAA provision, the CMP range the person could be levied was $100-$50,000 for each identical violation, up to a maximum of $1.5 million for all such violations annually (before adjusted for inflation). The $1.5 million annual cap on CMPs for HIPAA violations applied across all four tiers, even though the minimum penalties for each tier increased in amount.

Since HHS began using this four-tier structure, however, there has been debate about whether the HITECH Act mandates different annual CMP caps for each of the tiers. OCR’s April 30, 2019 Federal Register Notice changes HHS’s prior position on this, and now imposes the following annual caps on CMPs for HIPAA violations:.Continue Reading HIPAA Spring Cleaning! Tidying Up Penalty Limits and FAQs on Patients’ Right of Access

  • More of our health information is becoming digital every day, as new technology companies enter the health care and wellness markets.
  • Many companies that hold a wealth of consumer health information are not covered by HIPAA.
  • Many consumers may not realize that their health information only is protected and they only have certain rights with respect to that information when it is held by certain entities, but not when it is held by others.
  • The private sector should work with regulators to develop a common sense, appropriate framework for use of health information by non-HIPAA covered entities.

As we await proposed HHS regulations on interoperability and patient access to data, and as more companies than ever before are collecting and using data to power advanced data analytics, artificial intelligence, and machine learning to improve health care quality and delivery, it is important to understand the scope and limitation of protections and the applicability of the HIPAA Privacy Rule.

Patients, providers and caregivers now have access to a wide array of devices and applications to manage and track patient health, improve treatment adherence, and better coordinate care. Large technology companies, athletic gear manufacturers, and others are entering a rapidly growing consumer health technology market. They are developing new technologies including tracking apps, wearables, and social networks that are increasingly integrated into patients’ daily lives. With an estimated 86.7 million U.S. consumers owning wearable devices by 2019, patients are generating billions of data points that provide insight into their health. Yet many of these companies are not subject to existing privacy protections under HIPAA, creating a significant gap in consumer protections.

At the same time, HHS is pushing for greater interoperability and patient access to data to address a challenge that remains widespread even after the investment of billions of federal dollars into the adoption of electronic health records. Agencies are encouraging and mandating easier availability of electronic health data, through current and anticipated CMS and ONC regulations and through a variety of government initiatives such as: 1) Blue Button and MyHealtheData; 2) incentivizing the adoption of open APIs; 3) developing new fee-for-service payment policies regarding remote monitoring and virtual care reimbursement; and 4) launching Sync for Science, a technical standard for facilitating patient-mediated data exchange for research. Consumers and companies alike seek guidance on the implications of collecting, storing, maintaining, and commercializing personal health data.
Continue Reading Closing the Health Information Privacy Divide

CMS has issued its 2019 Physician Fee Schedule Proposed Rule, containing highly anticipated new reimbursement policies for telehealth, remote monitoring, and other uses of digital tools, as well as updates to health IT requirements in the Quality Payment Program, with a stronger focus on patient access to health information. Comments are due September 10 at 5pm.
Continue Reading New CMS Incentives for Remote Patient Monitoring and Patient Access

This blog post has been prepared in collaboration with Validic. Mr. Schiller is CEO of Validic. Jodi Daniel is a partner in Crowell & Moring’s Health Care Group in Washington, D.C.


Our healthcare system is in the midst of a fundamental shift toward value-based care to drive down costs and improve the quality of care. We won’t be able to achieve that goal without technology that allows providers to collect and use health data and puts patients front and center. Patient access to clinical and claims data is essential. When patients have access to their own information, they can better understand their condition and feel empowered to ask questions and shape their own care plan.

Congress and the federal government are pushing to liberate data from within the healthcare system and to promote patient access to health information. However, it is equally important to focus on the flow of data from the patient back into the healthcare system. The patient – who is gathering data at home, managing her condition, and making day-to-day decisions that impact her health – holds information that is critical to treatment decisions and outcome improvements.
Continue Reading Transforming the Patient-Provider Relationship: A Comprehensive Approach to Patient Access and Patient-Generated Health Data

Building on momentum from Administrator Seema Verma’s announcement of the MyHealtheData initiative at HIMSS 2018, CMS has published more clues as to future action to liberate health information for patients.

In the CY 2019 call letter to Medicare Advantage organizations and Part D programs, CMS describes the Blue Button 2.0 project and its use of

CMS announced important changes to Medicare reimbursement for remote patient monitoring and telemedicine that can help accelerate adoption and use of these digital health tools. These changes are implemented through two rules released this week that will take effect January 1, 2018. Understanding these rules can help you incorporate these tools into clinical practice and can positively affect the business model for technology developers and innovators.

What are these new rules and do they affect me?

The 2018 Quality Payment Program Final Rule provides policy updates to the Quality Payment Program (QPP), which was established by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) and will be entering its second year. MACRA offers two “tracks” for eligible clinicians to take as they move toward value-based care:

  • Participation in QPP and its scoring, or
  • Participation in an Advanced Alternative Payment Model (APM).

The majority of Medicare payments are still tied to fee-for-service, but HHS has set a goal of moving to 50 percent of Medicare payments for alternative payment models by 2018. For previous coverage of QPP proposals, visit our summary here.

The 2018 Physician Fee Schedule Final Rule addresses revised payment policies for the Medicare physician fee schedule. Any provisions in the PFS rule typically apply to fee-for-service type providers.
Continue Reading New Reimbursement for Remote Patient Monitoring and Telemedicine