The impact of the final ONC and CMS interoperability rules on health information

Michaela Andrawis is an Associate in the Los Angeles office, Lyra Correa is an Associate in the Washington, DC, office, and Miriam Ricanne Swedlow is an Associate in the Seattle office of Davis Wright Tremaine LLP.

On March 9, 2020, the U.S. Department of Health & Human Services (HHS), through the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS), published separate, but related, final rules implementing the interoperability and patient access provisions of the 21st Century Cures Act (Cures Act).[1] The earliest compliance date for the rules is November 2, 2020,[2] and healthcare entities will find that there is a lot to do between now and then.

The ONC Rule[3] focuses on significant changes to the ONC’s existing health information technology (IT) certification program, addresses “information blocking,” and carves out eight categories of “reasonable and necessary” practices that will not constitute information blocking. The CMS Rule[4] addresses many of the same patient access and interoperability issues as the ONC Rule, but it applies to Medicare, Medicare Advantage, Medicaid, Children’s Health Insurance Program, and Qualified Health Plan issuers on federally facilitated exchanges.

These rules will significantly affect healthcare providers, health plans, health IT vendors, and patients in the years ahead. Once implemented:

  • Healthcare providers and health IT companies will risk potential penalties or disincentives for intentionally or inadvertently engaging in information blocking.

  • Hospitals will be required to make reasonable efforts to send real-time electronic patient event notifications to certain other healthcare providers and their business associates (under new Medicare conditions of participation).

  • Health IT companies adapting new application programming interface (API) standards to give third-party applications access to electronic health information will still have to comply with federal and state privacy and security requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission Act, the California Confidentiality of Medical Information Act, the Texas Medical Records Privacy Act, and others.

  • Patients and health plan members will have greater automated access to their health information through third-party apps, regardless of how well they understand the potential benefits or risks.

For some, these regulations mark a watershed moment in consumers’ access to their health information, potentially enabling unprecedented health IT innovation. For others, these rules present both an immediate danger to patient privacy by funneling health data outside of the protections of HIPAA and into a perceived privacy Wild West and a potentially murky intrusion into current commercial contracting practices related to health information sharing.

Regardless, the rules create new compliance risks and hurdles for health providers, health plans, and health IT vendors. This article highlights some of the compliance considerations and impacts of the new regulations on information sharing, care coordination through real-time e-notifications, and certified APIs.
