News Room

Policy Briefing: Health IT-related Notices of Proposed Rulemaking from CMS and ONC

March 5, 2019 | Author: HealthTech Solutions

On February 11, 2019, the Centers for Medicare and Medicaid Services (CMS) and the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator (ONC) for Health IT both released closely related Notices of Proposed Rulemaking (NPRM). CMS also announced two Requests for Information (RFI). The policymaking purpose of these efforts is to further the government’s efforts to enhance system interoperability and data portability through increased use and standardization of application programming interfaces (API) and electronic health information (EHI).


An NPRM is a public notice that the government plans to engage in new rules or changes to existing rules, complete with the basis and reasoning for the changes, the proposed rules themselves, and the required estimated impacts to the public in terms of costs and compliance effort. An RFI is a formal attempt to gather the public’s opinion, research, and expertise on a specific set of issues that could lead to additional rulemaking, grantmaking, solicitations, or other policy and partnership opportunities.


The following has been updated to reflect the extension for comments. Comments were originally due on May 3, 2019. This period has been extended by 30 days.

Following these initial releases, they were each published in the Federal Register on March 4, 2019. The public has a 90-day opportunity to comment on the NPRMs following publication. Comments may be submitted through the Federal Register (links below) until June 3, 2019, and the federal government must address all comments received when they finalize the rules. Responses to the RFIs may be handled separately, but on the same timeline.


Links to the CMS and ONC materials are located at the bottom of this document.


CMS NPRM: “Interoperability and Patient Access Proposed Rule”

Key provisions

CMS has oversight of managed care entities in Medicaid, the Children’s Health Insurance Program (CHIP), Medicare, and the Federal Marketplace/Exchange. They propose to use that oversight to leverage claims data by requiring managed care entities, as well as state Medicaid and CHIP agencies to:

  • Make patient claims information available through Health Level Seven international standard (HL7) Fast Healthcare Interoperability Resources (FHIR, pronounced “fire”)-based APIs to enable third-party application development supporting patient access to their own EHI
  • Support care planning through electronic transactions, sending and receiving standard U.S. Core Data for Interoperability (USCDI) care information at a patient’s request, effective January 1, 2020
  • Provide API access to published provider directories
  • Participate in a trusted exchange framework to increase care coordination (including Part D plans) by January 1, 2020

Other areas CMS to address

  • Increase frequency of state data on individuals dually enrolled in Medicare and Medicaid (“duals”) from monthly to daily for both buy-in data and the Medicare Modernization Act (MMA) file beginning April 1, 2022
  • Seek comments on other ways Medicare and Medicaid data can be improved for duals population
  • Define, report, and prevent information blocking (i.e., preventing the electronic exchange of EHI)
    • Public reporting of attestations by providers on Physician Compare website that they have not engaged in info blocking
    • Public reporting of attestations by hospitals and Critical Access Hospitals on a CMS website (TBD) that they have not engaged in info blocking
    • More on info blocking in the ONC NPRM
  • Update National Plan and Provider Enumeration System (NPPES) with digital provider contact information to phase out the fax machine
    • Capability is currently available for voluntary reporting of digital contact info by providers
    • List of recalcitrant providers proposed in second half of 2020 to encourage completion
    • Solicitation of comments regarding whether to require providers to submit this information
  • As part of Conditions of Participation for Medicare, require hospitals with certified electronic health records technology (CEHRT) to send electronic admit, discharge, or transfer (ADT) notifications to another healthcare facility or community provider with a relevant, established care relationship with the patient
  • Seek comment on promoting interoperability between models


CMS RFIs are seeking expertise on two key areas

  • Promoting a patient matching strategy in absence of a unique identifier
  • Promoting an interoperability strategy in both key clinical areas (e.g., institutional and community long-term and post-acute care, behavioral health, care for duals, etc.) and nationally to achieve value-based purchasing goals


ONC NPRM: “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program”


Key provisions

  • Deregulatory actions
    • ONC reviewed and evaluated existing regulations to identify six technical fixes to reduce burden and implement deregulatory actions
  • Adoption of USCDI v1 as a common data set (replacing the Common Clinical Data Set); adoption of the USCDI increases the categories of data in the minimum required data set for C-CDAs
  • Updated electronic prescribing and related certification criteria effective January 1, 2020
  • HL7 Quality Reporting Document Architecture (QRDA) standards requirements replaced by QRDA Implementation Guides (IGs)
  • Standards for FHIR APIs focused on clinical data from EHRs
  • EHI export to replace data export; specifically, this criterion would:
    • Enable the export of EHI for a single patient upon a valid request from that patient or a user on the patient’s behalf
    • Support the export of EHI when a health care provider chooses to transition or migrate information to another health IT system
    • Require that the export include the data format, made publicly available, to facilitate the receiving health IT system’s interpretation and use of the EHI to the extent reasonably practicable using the developer’s existing technology
  • New API certification criteria for “application access – data category request” to become part of the 2015 Edition Base EHR definition, requiring use of HL7 FHIR
  • Privacy and security transparency attestation with multi-factor authentication, encryption, and support
  • Data Segmentation for Privacy and Consent Management (DS4P) which approaches certification with more granularity
  • Proposed updates to 2015 certification criteria and proposed modifications to the ongoing CEHRT process
    • New and revised principles of proper conduct (PoPC) for ONC-Authorized Certification Bodies (ONC-ACBs)
    • Clarified provisions for records retention
  • Health IT for the Care Continuum offers voluntary certifications of health IT for specialty care, including pediatrics
  • Differentiation between ongoing Conditions of Certification and Maintenance of Certification
  • Information Blocking
    • Assurances that entities are not blocking information
    • Seven exceptions
    • Many fact sheets on this topic

ONC RFI on registries

  • ONC seeks public input on how providers and registries might use APIs to support the exchange of data such as for public health reporting, quality reporting, and care quality improvement





CMS Rule

Pre-published version of the NPRM (double-spaced, full page):

Federal Register version, along with where to submit comments:



ONC Rule

Pre-published version of the NPRM (double-spaced, full page):

Federal Register version, along with where to submit comments:

Overview and fact sheets:

Presentation on API Conditions of Certifications by Steve Posnack, Executive Director, Office of Technology, ONC, to Healthcare Information and Management Systems Society (HIMSS):