June 3, 2019 The Honorable Seema Verma Administrator Centers for Medicare & Medicaid Services 7500 Security Boulevard Baltimore, MD 21244 RE: CMS-9115-P Dear Administrator Verma: Thank you for the opportunity to respond to the Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans in the Federally- Facilitated Exchanges and Health Care Providers proposed rule. Health Innovation Alliance (HIA) is a diverse coalition of patient advocates, healthcare providers, consumer organizations, employers, technology companies, and payers who support the adoption and use of health IT to improve health outcomes and lower costs. We strive for an interoperable, patient-directed health system where providers are emboldened, not burdened, by technology, and entrepreneurs are able to bring new products to market at the speed of innovation. HIA is pleased that the CMS has released the proposed rule, in compliance with the 21st Century Cures Act (Cures Act), to end the costly and dangerous practice of information blocking. Information blocking is an insidious practice that undermines the nearly $40 billion taxpayer dollars provided by the HITECH Act. HIA is very concerned, however, that what CMS has proposed will increase costs for providers and payers, rather than facilitate information exchange and better care for patients. Several HIA members have indicated that the implementation timelines for this proposed rule is not realistic. HIA requests CMS significantly alter the implementation deadlines outlined in the proposed rule to ensure that impacted entities have time to operationalize the policies. We are also concerned the proposed rules exceed the Congressional intent of the Cures Act. The proposed rule should be clarified, and implementation timelines adjusted, so that payers and other actors can meaningfully accommodate the new requirements. General Comments Provider Attestation. HIA strongly supports CMS’ proposal that eligible providers and hospitals attest that they are not information blocking. In the event that they indicate that they are information blocking, their name and institution will be publicly listed. We urge CMS to consider that information may be 440 1st Street NW, Suite 430 Washington, DC 20001 202.643.8645 Health-Innovation.org blocked at the institutional level when determining whether to require individual practitioners should be publicly listed. Attestation is not an adequate solution alone to address the complex issue of information blocking. • We suggest CMS collaborate with NIST to develop a spot-check evaluation test-bed that can be leveraged by the administration during CMS audit and survey activities. Information gleaned from evaluations can be used to inform a better understanding of the state of interoperability among hospitals and providers and to inform future rulemaking. Scope. The proposed rule applies exclusively to payers. Providers and payers hold different types of data, and that provider information may be very valuable to a patient or their caregiver. While we acknowledge that patient EHI is discussed in the ONC proposed rule, this rule is designed to give patients convenient access to their own health information. We believe that the scope of the CMS rule must be expanded to provide additional detail or to include how provider data would be made available to put payment data in an appropriate context. • HIA is concerned CMS' proposal to require plans to disclose payment information via APIs may create unaddressed security and privacy issues and could reveal proprietary business operations and pricing. These issues should be addressed in the final rule. Data Sharing Requirements. While HIA supports plans making data available to disenrolled beneficiaries to aid in their future care, we believe plans may require more time to make information available in a format that can be shared via API. Technology is constantly evolving, and technology used to store beneficiary data five years ago is vastly different than today. Given the amount of data payers hold, we urge CMS to take this into consideration when finalizing a timeline for this requirement. We are also concerned that the proposed requirement that plans make claims data available via API in one business day is also unrealistic. • CMS should harmonize the rule’s requirements with current claims submission requirements placed on providers. Security and Liability. CMS' proposals create a system where HIPAA covered entities, such as payers, are required to provide patient information directly to the patient or direct the information based on patient requests. CMS envisions a system where patients are able to manage their health information through the use of third-party applications. While HIA supports this, we also recognize that third-party applications often will not have a business associate agreement with payers, thus are not covered under existing HIPAA liability provisions. This is a significant issue that CMS must address. The administration should create clear bounds for when actors cease to be liable for EHI breaches and for maintaining the security of certain transactions. Under the rule, payers are required to provide significant amounts of EHI, which they invested heavily in protecting, to third-party developed software that may have little or no experience in managing patient data of this kind. CMS should clarify where security and liability begins and ends. There are a number of “handshake” communications and security standards and protocols that are already mature and in use in the financial services sector where the regulatory burden is effectively transferred between actors throughout a transaction. For example, TLS transactions have been used for authenticating bank customers that use automatic teller machines outside of their banking network. 2 • We strongly suggest that CMS consider a similar approach as it pertains to EHI so that healthcare institutions and payers can confidently exchange data knowing it has fully complied with its own legal obligations. Provider Digital Contact Information. HIA strongly supports the CMS proposal to report publicly the names and NPIs of those providers who have not added digital contact information to the NPPES system. This will help ensure the system is more complete so that information may be more easily shared. Revisions to the Conditions of Participation (CoPs) for Hospitals and Critical Access Hospitals CMS proposes to require Medicare participating hospitals and other entities to send electronic notifications when a patient is admitted, discharged or transferred. HIA supports this requirement because it will improve care coordination and patient safety while keeping all a patient’s medical team informed of changes in care. We believe using CoPs is a powerful tool to achieve this goal. API Access to Published Provider Directory Data. HIA supports requiring Medicare Advantage plans, state Medicaid and CHIP FFS programs, Medicaid managed care plans, and CHIP managed care entities to make their provider networks available to enrollees and prospective enrollees through API technology. This change will help patients better understand their health care choices and allow a patient’s healthcare provider to better locate other network providers for referrals, transitions of care, care coordination and access to patient information. HIA notes that QHP issuers on the Federally Funded Exchanges are already required to make provider directory information available in an electronic format. Requiring this information also be available in Medicare, Medicaid and CHIP is reasonable and desirable. Requests for Information Advancing Interoperability Across the Care Continuum. The Cures Act requires APIs that do not require special effort to exchange EHI. However, we are concerned that ONC is proposing the implementation of non-normalized exchange standards; specifically, the Fast Healthcare Interoperability Resources (FHIR) standards in their proposed rule. There are a number of health IT developers that will already be rushed by the short implementation timeline proposed in this rule. We believe that it is directionally correct to guide the EHR marketplace toward FHIR, however, CMS should use FHIR R.4 to better ensure interoperability. Policies to Improve Patient Matching. HIA encourages CMS to pursue a patient matching strategy that will be scaled across all programs. While patient matching is key in the effective coordination and delivery of clinical care, it is a necessary component in improving patient safety. Matching strategies help deliver the correct information on the right patient that helps providers avoid duplicate and sometimes harmful tests (such as x-rays) and medical errors, including adverse drug events. These problems are the third leading cause of death in the US. NCPDP and Experian Health have partnered to offer a solution that manages patient identity through a referential matching process. The Universal Patient Identifier Powered by Experian Health UIM and NCPDP StandardsTM leverages Experian’s expansive consumer demographic information and referential matching methodologies to identify record matches and duplicates in a patient roster file, and then assign a unique UPI to each patient in the file. The UPI can be used to exchange information amongst different healthcare entities. As multiple organizations acquire the UPI in their patient files, it can be attached to active claims in real-time transactions and then appended by other healthcare partners. The UPI can travel with a patient from provider to provider. 3 The UPI was developed for the industry, using the same consensus-building process that used for federally mandated standards and industry guidance documents, which will greatly aid in system-wide adoption. To this end, we believe that any patient matching solution should also include a discussion of identity integrity, the use of emerging healthcare technologies such as blockchain and referential matching, and pharmacy networks that can drive adoption of these approaches. Because CMS’ Conditions of Participation authority is meant to ensure safety, and patient matching is a key safety strategy, we encourage CMS to use its CoP authority to require all hospitals to adopt a patient matching strategy. We do not suggest CMS use one matching solution over another – the market should determine that. Patient care will be safer, and CMS can evaluate the impact of the program after a year to determine its impact. Conclusion There are a number of issues that require administrative clarification before this proposed rule can meaningfully move to the next stage of rulemaking. Similarly, we believe the implementation timelines laid out by CMS will cause an undue burden on payers attempting to comply with this regulation. To this end, we strongly urge CMS to push back implementation timelines to ensure the many entities that add value to our healthcare system are ready to prosper in a technology-enabled healthcare system. HIA and its members are pleased to respond to this proposed rule, and we stand prepared to serve as a resource to CMS as we continue the process to address these important issues. Sincerely, Joel C. White Executive Director 4