Affidavit: Healthcare and the Law - CMS and ONC Release Long Awaited Final Rules on Interoperability

Contributors: Kristine Murphy Gallagher and Lisa Clark, JD’89


On March 9, 2020, the United States Department of Health and Human Services (HHS) released two highly anticipated final rules, which will significantly impact actors in the health information technology (health IT) universe in the coming months.  The separate but related rules governing interoperability were released by the Office of the National Coordinator for Health Information Technology (ONC)[1] and the Centers for Medicare and Medicaid Services (CMS).[2]  Both rules, which follow proposed rules published in February 2019, address interoperability, information blocking, use of application programming interfaces (APIs), and other topics related to health IT.  The rules build upon and implement provisions of the 21st Century Cures Act enacted in 2016 and aim to further the goals of increasing access to data among patients, providers, and payers.  Although initial enforcement of the rules’ requirements has been temporarily delayed due to the ongoing COVID-19 public health emergency, stakeholders in the health IT industry are already grappling with the implications.

ONC Rule
ONC’s final rule implements changes to its health IT certification program, including adopting interoperability provisions of the 21st Century Cures Act as a condition of certification.  Additionally, ONC’s rule adopts the “information blocking” requirements of the 21st Century Cures Act.  Information blocking is defined as a practice that, except as required by law or covered by one of the exceptions set forth in the rule, is likely to interfere with access, exchange, or use of electronic health information (EHI). Violators may be subject to civil monetary penalties up to $1 million per violation, and the rule prohibits such conduct by healthcare providers, health IT developers, health information networks (HINs), and health information exchanges (HIEs).  ONC’s final rule repeated five categories of practices previously identified in its proposed rule as likely to rise to the level of information blocking:

(i) restrictions on access, exchange, or use;

(ii) limiting or restricting the interoperability of health IT;

(iii) impeding innovations and advancements in access, exchange, or use of health IT-enabled care delivery;

(iv) rent-seeking and other opportunistic pricing practices; and

(v) non-standard implementation practices.

In addition to identifying these practices, the rule defines eight exceptions, describing conduct that does not constitute information blocking on the following reasonable and necessary bases:

(i) preventing harm;

(ii) protecting an individual’s privacy;

(iii) protecting security of EHI;

(iv) infeasibility of the request;

(v) improving health IT performance;

(vi) limitation of content and manner of response to a request;

(vii) charging fees for accessing, exchanging, or using EHI; and

(viii) licensing of interoperability elements.

ONC’s final rule also updated its 2015 Edition health IT certification criteria to establish new standards for APIs.  APIs function as messengers to allow aggregation of information among separate software programs and servers.  The rule establishes technical criteria that APIs must meet for certification.  By standardizing API criteria, ONC hopes to enable third-party developers to more easily build applications designed to make EHI more readily available to both patients and providers.  Additionally, the rule sets forth criteria and guidelines for the fees that API developers may charge and prohibits developers from imposing fees other than those identified.

CMS Rule
The separate rule released by CMS also addresses interoperability and patient access to EHI, and applies to Medicare Advantage (MA), Medicaid, Children’s Health Insurance Program (CHIP), and Qualified Health Plan (QHP) issuers on the federal exchanges.  The rule requires these entities to coordinate care by exchanging patient clinical data at the patient’s request, to more easily allow patients to move from payer to payer over time. 

Like the ONC rule, CMS’s rule also includes requirements related to APIs.  CMS exercised its authority over payers that participate in federal healthcare programs to require these entities to implement and maintain two categories of APIs: (1) patient access APIs, which allow patients to quickly access their data through third-party applications; and (2) provider directory APIs, which enable patients to find information on healthcare providers. 

Additionally, the CMS rule updates hospital conditions of participation to require facilities to send electronic patient event notifications of a patient’s admission, discharge, and/or transfer to another healthcare facility or to another community provider or practitioner.  Although this requirement applies only to hospitals that currently possess an electronic health record (EHR) system, CMS stated its belief that the requirement would improve care coordination and facilitate follow-up care.

What’s Next?
Initially, certain requirements of the ONC and CMS rules were set to go into effect six months after publication of the final rule.  In response to the ongoing public health emergency caused by the COVID-19 pandemic, HHS announced in April that it would delay enforcement of certain requirements. Compliance dates vary for different requirements, and entities subject to these rules should continue to monitor the timelines for implementation.

Although the health IT industry had anticipated publication of the final rules for over a year, both CMS and ONC have faced criticism.  Health IT developers, providers, and payers alike have expressed concerns that increased access to health data could lead to significantly decreased privacy for patients.  Moreover, some industry stakeholders have questioned whether patients will truly be in a position to understand how their health data may be used by developers.

Members of the health IT industry should carefully consider whether they are subject to the requirements of the CMS and ONC rules and how their current practices may be implicated. For example, entities subject to the ONC information blocking prohibitions could face significant penalties for unintentional violations or complaints from third parties of inappropriate activities.  Even entities that are not covered by the rules may face pressures from business partners to comply with new requirements.  The rules’ requirements could be particularly perilous for new players entering the growing health IT space, who may be unfamiliar with their obligations.  Health IT industry members should consult legal and other experts to ensure they are aware of what their obligations are, how they can meet those obligations, and when they must come into compliance.




[1] 85 Fed. Reg. 25642 (May 1, 2020).

[2] 85 Fed. Reg. 25510 (May 1, 2020).