The Interoperability and Patient Access Rule: It’s on the Menu (Part One)

You’re hungry and tired, so you decide to call for takeout. The little French bistro down the street sounds good, so you pull up the menu to check the specials, then call the restaurant, where a waiter takes your order for two of your favorites – Coq au Vin and Salade Lyonnaise. The waiter passes your order and special instructions – easy on the onion! – along to the kitchen, where the chef begins browning the chicken and bacon. When your meal is ready and packaged to go, the waiter hands it off to a delivery service, which brings it to your house just in time for dinner.

The waiter’s role in your dinner, as described in a common analogy in developers’ circles, is akin to the role of an application programming interface (API) in delivering data. Like a waiter, an API receives a set of instructions, takes the request to a database, and retrieves the data or enables a set of actions before sending a response back to the application or engineer that requested it. The API documentation is the menu, the chef is the integration, and the ingredients represent the data or functions. And just like a menu, APIs need to be designed for ultimate flexibility: Adding a business capability (or a new dish based on what’s in season) shouldn’t force developers (or restaurant managers) to start from scratch.

Dinner plans aside, APIs have taken a prominent role in healthcare due to the Interoperability and Patient Access Rule issued by the Centers for Medicare & Medicaid Services (CMS). The rule is designed to give patients access to their health information when they need it most, in a way they can best use it. The rule requires state Medicaid and Children’s Health Insurance Program (CHIP) agencies and managed care plans to enable beneficiaries to access their health information through third-party applications using an API by January 1, 2021. Provider directory and formulary information must be made available via API as well.

Currently, the enforcement date is July 1, 2021, which may be an aggressive timeline for many Managed Care Organizations (MCOs), health plans, and states already grappling with COVID-19 response, budget crises, and in-flight Medicaid Enterprise System (MES) projects. But regardless of ongoing challenges, organizations must move forward now to ensure compliance with the Interoperability Rule.

Doing so will require you to address several considerations, applying a multi-disciplinary approach that looks across people, processes, and technology:

Data strategy: Identifying and mapping the required data lays a critical foundation for Interoperability Rule compliance. To develop an effective data strategy, you’ll also need to understand United States Core Data for Interoperability (USCDI) formats, integrate data from multiple sources, provision the data, govern the data, and manage your unstructured data.

We work with organizations to identify the clinical and claims data sources required to satisfy the interoperability requirements. From there, we perform a market analysis to inform the selection of an extract, transform, load (ETL) tool. Our services help you establish data provenance and capitalize on the implementation guides, processes, and tools developed by CARIN, Da Vinci, Blue Button, Darwin, etc. We can also help establish data-sharing, connectivity, and testing agreements with external organizations and third-party apps. In addition, our teams can guide you through the development of a master patient index to enable more accurate recipient identification. 

Third-party application onboarding and support: Groups like the Da Vinci Project and the CARIN Alliance are working on getting third-party applications to sign a code of conduct regarding standards and data exchange. Yet, your organization can take it a step further during the application onboarding process. Consider including attestations, onboarding to the authorization server, testing, and implementation training and support in the credentialing process. You’ll also need to implement and perform ongoing third-party application monitoring, audits, and technical support.

Patient access and authorization: Create a secure service to authenticate and register the patient's consent. Similarly, determine the scope of healthcare data that third-party applications can access on the patient’s behalf. You’ll also need to reach out to Medicaid and CHIP beneficiaries and educate them about the available data and how to access it.

To address challenges related to third-party applications and patient access, our teams help organizations identify and apply existing member portals to onboard users onto third-party mobile applications with optimal access security and validation. We also work with organizations to select mobile application vendors and facilitate the onboarding and credentialing process. We work hand in hand with you to coordinate external user verification, define message delivery and security protocols, and establish a plan for help desk support.

That’s not all. In the second blog of our series, we’ll explore several other considerations for navigating the Interoperability Rule. These include API management, project management, procurement, and governance.