How regulatory changes have impacted interoperability in 2024
Federal agencies have unveiled many new rules that promise to address major problem points that rankle providers and payers.
There have been significant regulatory actions impacting the healthcare space this year.
The year started with the publication of the Centers for Medicare and Medicaid (CMS) Interoperability and Prior Authorization Final Rule in January. In February, we saw the adoption of the final rule modifying the Confidentiality of Substance Use Disorder Patient Record regulation at 42 CFR Part 2 by the Department of Health and Human Services via the Substance Abuse and Mental Health Services Administration (SAMHSA) or the Office for Civil Rights (OCR).
A couple of months later, in April, the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule was published. Then in July, we saw the publication of the newly rebranded Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology (ASTP/ONC) proposed HTI-2 rule.
These regulatory initiatives can be divided into two key buckets – interoperability and patient privacy. This should not be a huge surprise, because these have always been the two core focuses of healthcare regulation in the United States.
Drafting new rules, updating aging regulations
CMS and ASTP/ONC have been heavily focused on interoperability in the last few years. The COVID pandemic illuminated not only the importance of data access but also just how little data sharing is happening today.
Despite working towards a common goal, each agency took a different approach. CMS focused on FHIR with its FHIR APIs; meanwhile ASTP/ONC concentrated on CCDAs with the Trusted Exchange Framework and Common Agreement (TEFCA).
This year has brought an expansion of both CMS APIs – with the inclusion of the provider access, payer-to-payer data exchange and prior authorization APIs – and of TEFCA – with the naming of Qualified Health Information Networks (QHINs), adoption of Common Agreement version 2.0, and the release of new standard operating procedures (SOPs).
However, the lack of uniformity in approaches has created a bit of confusion in the industry and has ultimately resulted in slower adoption of both initiatives. Much of the intent behind ASTP/ONC’s proposed HTI-2 rule is to help create more symmetry between the agencies and their respective rules, in the hopes of bridging that gap.
While the last few years have been rife with proactive requirements in support of interoperability, we have not seen any real amendments to privacy regulations to further support such initiatives – which has been another barrier to broader adoption. The HHS rule finalized this past February has made the sharing of Part 2 information much easier by enabling organizations to obtain general consent for the disclosure (and redisclosure) of Part 2 information for treatment, payment, and operations purposes.
However, some of that administrative burden reduction has been offset by the new restrictions on sharing information related to reproductive health care services. These new restrictions on data sharing are not only found in the finalized amendments to the HIPAA Privacy Rule in April, but are also being adopted by states in similar restrictions in state privacy laws, and in other federal regulatory initiatives, such as the proposed Protect Care Access Information Blocking exception outlined in the ASTP/ONC HTI-2 proposed rule.
More changes on the horizon
In addition to all the regulatory changes outlined above, there was a very impactful Loper Bright Enterprises v. Raimondo Supreme Court decision in June, which ended the 40-year precedent of the Chevron deference.
While this does not immediately impact healthcare today, it can have a material impact on both future rulemaking and on the enforcement of current regulations. In the event of ambiguity in the interpretation of certain federal regulations, the Chevron deference gave the respective federal agencies that drafted such regulations discretion over how they should be interpreted. With the Chevron deference being overturned, that discretion will now live with the judicial system.
While 2024 has already been jam-packed with regulatory changes, given that it is also an election year, the only thing we can be certain about is that more changes are likely to follow. While it will be interesting to see how much of the proposed HTI-2 rule ultimately gets codified into a final rule, we also may see some additional regulatory actions with respect to the HIPAA privacy rule, such as the finalization of the proposed rule issued in 2021 geared towards removing “barriers to coordinated care” and decreasing “regulatory burdens on the health care industry.”
Further, it’s possible that we’ll continue to see more state-based regulatory initiatives. For example, we may continue to see more states adopt regulations protecting patient privacy with respect to reproductive health data. We could also see potentially more states adopt the CMS API requirements, such as what has happened in California and Tennessee. Such adoptions would be exciting as state adoption results in the use of the APIs for not just federally regulated plans, but for commercial plans as well.
Irrespective of where we land from a political perspective after the election and while much is still subject to change, we can all take solace in the fact that from a regulatory perspective, the healthcare industry will continue to be driven by two key motivating factors – interoperability and patient privacy. So, while we cannot predict the future with certainty, as long as those core tenets remain the cornerstones on which your foundation is built, you will be ready for all that lies ahead.
Eden Avraham-Katz is general counsel and privacy officer of 1upHealth.