After a six-month delay due to the COVID-19 pandemic, the first provisions of the interoperability rule issued by the Centers for Medicare Medicaid Services (CMS) took effect on July 1. The new requirements are the first of many that health plans will face over the next several years related to the mandatory disclosure of data, as other mandates of both the interoperability rule and the health plan transparency rule are scheduled to take effect in 2022, 2023 and 2024.
Taken together, the interoperability and transparency rules are transforming the data-sharing obligations of health plans. They are part of a quartet of rules issued by the Trump administration that conceive of a world where health care data flows more freely to the benefit of patients, with the other two—the information blocking and hospital price transparency rules—targeting providers instead of health plans. Unlike many other health regulations issued by the Trump administration, these rules have not yet been overturned by the courts or reversed by the Biden administration. Indeed, President Biden’s recent executive order on competition embraces price transparency in health care.
The interoperability and transparency rules have so far left plans scrambling to prepare for their new obligations even as they still address changes in pandemic operations. But whether the rules will ultimately provide the envisioned benefit to patients remains to be seen.
Overview of the Rules
On the surface, the interoperability rules and transparency rules are quite different. The interoperability rule focuses on government-funded plans: Medicare Advantage Organizations (MAOs), Medicaid and Children’s Health Insurance Program (CHIP) managed care plans (as well as fee-for-service Medicaid and CHIP), and Qualified Health Plans (QHPs) sold on the Affordable Care Act exchanges (the interoperability rule also imposes limited obligations on providers, such as the disclosure of hospital admission and discharge information). In contrast, the transparency rule focuses on the commercial health insurance market, with QHPs the only category of plan subject to both rules. Given the different scopes, the rules have been issued by different agencies, with the Department of Health Human Services (HHS), the Department of Labor (DOL) and the Internal Revenue Service (IRS) (the Departments) issuing the transparency rule. Most information disclosed under the interoperability rule is protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) privacy rule because it contains individual-level data on services provided to patients, while data shared under the transparency rule generally will not be PHI because it is price information not connected to a particular patient. And the government’s goal with the different rules also differs somewhat: The interoperability rule seeks the disclosure of information as a means of improving the quality of care delivered to patients, while the transparency rule aims to reduce prices.
Yet the rules reflect the same philosophical shift from the government. Both CMS and the Departments have now endorsed the view that the rapid disclosure of sensitive data is critical to addressing the flaws of the health care system, and CMS and the Departments view health plans as key players in addressing that issue. CMS and the Departments also believe that voluntary disclosures will not be sufficient and that data-sharing mandates are necessary to achieve needed reform. Further, CMS and the Departments view health care consumers as playing a central role regarding the data, as they envision patients easily obtaining information about their health care and potential health care costs from third-party apps that will become more and more available.
The rules could also spark the development of third-party apps that provide analysis to health care consumers. The interoperability rule requires disclosure of data to apps based on a member’s request. The transparency rule does not mandate disclosure to apps, but it does require public disclosure of pricing data in machine-readable files. In theory, an app that had access to a consumer’s historical claims data and pricing information could recommend the use of services. For example, an app could inform a consumer who frequently saw a dermatologist of the potential savings of switching to another dermatologist who was paid a lower rate by the consumer’s health plan.
The government has also decided that the benefits of disclosures outweigh any countervailing interests. In the case of the interoperability rule, some commentators raised questions about the privacy implications of sharing PHI with third-party apps. These commentators noted that CMS was creating a system in which data would be moved from a relatively protected environment—health plans that are subject to all HIPAA requirements—to apps that are typically not subject to HIPAA and therefore may do things with health care data that health plans and providers typically do not, such as use it for marketing purposes or sell it for a profit. The commentators also noted that the claims and encounter data contained important pricing information that is also deemed sensitive by health plans and providers alike. The same concerns are reflected in comments to the transparency rule, but with a different emphasis. Some objected to the transparency rule because it requires health plans to make public their negotiated rates with providers among other sensitive information, a class of data that is typically treated as proprietary since it can be used by competitors. The rule also requires the disclosure of historical net prices for many drugs, an amount that both health plans and pharmaceutical manufacturers typically keep secret.
CMS and the Departments acknowledged these concerns but concluded that they did not justify limiting the scope of the rules. Regarding the privacy implication of third-party apps, CMS argued that a market will develop where apps with stronger, more consumer-friendly privacy and security policies would become more trusted and more popular. CMS also encouraged health plans to provide warnings to their members about the risks of disclosures. The Departments similarly argued that the public availability of price information will put downward pressure on health care costs, which will outweigh any negative repercussions of such disclosure. This conclusion has been buttressed by the fate of the hospital price transparency rule, which also requires the disclosure of proprietary information and so far has survived challenges in court.
For health plans, both rules impose a host of compliance challenges. Plans need to figure out exactly what data needs to be made available, how to make it available and how to keep updating that data so that they meet their legal responsibilities.
Requirements that appear simple often become complex in practice. For example, the interoperability rule requires disclosure via an application programming interface (API) of certain clinical data maintained by health plans. But are plans obligated to send every piece of clinical data they hold, even if data is held in large PDFs or exists outside a plan’s designated record set? CMS has provided some guidance on this question, which plans are just now addressing.
Under the transparency rule, the Departments have provided some guidance on how plans are supposed to report negotiated prices when they use downstream intermediaries, such as behavioral health organizations, to contract for providers and when they use alternative fee arrangements, such as capitated models, to pay providers. But more guidance will likely be needed to address the range of downstream and alternative fee arrangements. Even with the guidance, plans will have thorny judgments to make about how to report particular negotiated rates.
While plans are now developing systems to comply with the rules, the extent of their impact may not be fully understood for years.
CMS and the Departments both put consumers at the center of each rule. CMS believes many Medicare and Medicaid beneficiaries will eagerly download apps on their phones that allow them to view their claims and clinical data and help them better manage their own care. Similarly, the Departments think that commercial plan enrollees will use the cost information to obtain estimates of the costs of services at certain providers and obtain care from lower-cost providers based on that data.
But will this actually happen? How often will Medicare and Medicaid beneficiaries go through the trouble of finding an app, authenticating themselves with their health plans and seeking to manage their own care? How many consumers will bother to use the resources provided by the transparency rule to shop for lower-priced health care services?
One possibility is that it may not be consumers who are the main users of the newly available data. While the focus of the interoperability rule has been consumer access to data, the rule also requires health plans to share data with one another if directed to do so by their members, and the Trump administration proposed requiring disclosures to providers as well (the final rule was never published, and it remains unclear whether the Biden administration will follow through). Even if consumers do not make common use of their data, health plans and potentially providers could use the data made available through the interoperability rule to better coordinate care. Similarly, even if health plan enrollees rarely use the transparency rule data to help them shop for health care services, others may make use of the public versions of such data. Providers may scan the transparency rule data to have a better sense of the rates being obtained by their competitors; the same may occur with regard to health plans. Researchers too may see the data as a trove of information that can be used for the development of new health policies, thereby impacting the health care marketplace without relying on changed behavior of consumers.