Overcoming Four Key Health IT Challenges In Complying with New CMS Guidelines

By Mifan Careem, vice president of solutions architecture, WSO2.


In 2020, we’ve seen the pandemic accelerate the need for greater healthcare interoperability and digital solutions. Notably, providers that have offered telemedicine, virtual visits and other digital services fared better than those that have not.

At the same time, provider and payer organizations are now more focused on value-based care measured by patient outcomes rather than reactive patient care. Such innovations have been made possible by integrated data sources within and across the healthcare organization.

Too often, however, the lack of interoperability continues to stifle innovation that would otherwise benefit the healthcare industry's most important stakeholder: the patient. The Office of the National Coordinator (ONC) 21st Century Cures Act Final Rule and the Centers for Medicare & Medicaid Services (CMS) Interoperability and Patient Access Final Rule (CMS-9115-F), whose Patient Access and Provider Directory API requirements are enforced from July 1, 2021, aim to change that.

The new ONC and CMS rules, which target U.S. organizations, require healthcare payers and providers to provide patients with open access to their data and a secure data exchange between the different parties. As a result, patients should have improved access to health information. Meanwhile, the improved interoperability among providers and payers is expected to trigger innovation and pave the way to a newer app ecosystem.

APIs are key to compliance

Interoperability is a critical component of the healthcare system: as records are digitized, they must be easily shared between institutions and payers to improve the overall care of patients. The lack of interoperability is hampering the industry's ability to transform and streamline services. While organizations including Health Level Seven (HL7) have worked for years to promote interoperability and responsible data sharing, concerns and issues with granting patients access to their own data remain.

To achieve successful interoperability, healthcare payers and institutions must use APIs, specifically those aligned with the HL7 Fast Healthcare Interoperability Resources (FHIR) standard, to exchange structured healthcare data with electronic health records (EHRs), digital health applications and the patients themselves.

The CMS rule is designed to simplify how payers and providers use APIs to drive interoperability and data sharing. However, as with all regulations, CIOs need the right strategy to implement the technology and the steps to ensure compliance. Because this is a new rule, there are no prior examples to follow, and CIOs without an effective strategy may find themselves non-compliant when enforcement begins on July 1.

There are four challenges that healthcare CIOs will need to overcome to ensure successful compliance and more importantly the transition to a patient-centered approach—with services delivered when, and where, consumers want.

Analyze compliance readiness

CIOs must examine their current infrastructure and determine how it matches with the different provisions and data access requirements outlined in the new ONC and CMS rules. Does the platform support the most current versions of FHIR APIs? Are FHIR-based resources available for secure access by authorized partners, patients, and other healthcare stakeholders? Is a consent management framework in place that allows patients to control access to their data? Finding the current technology gaps will allow CIOs to fill them now rather than in June when the compliance deadline is around the corner.

The consent and authorization provisions require particular attention. The relevant certification criterion is 45 CFR §170.315(g)(10), Standardized API for patient and population services, an ONC criterion rather than a CMS regulation; the CMS rule in turn requires payers to make claims and encounter data available through the Patient Access API. Together they mandate that proper security measures be followed when collecting patient clinical and claims data and when sharing it with third-party systems via APIs, and that data is released to a third-party application only after the patient has explicitly authorized it. This ensures that only parties holding the patient's consent are able to access the protected information.

Patients must be made aware of who they are granting access to, for what period of time, for what purpose, for which specific data, and how to revoke consent. The systems that access these APIs can be healthcare apps that the patient consents to and uses, or they can be applications used internally by a healthcare insurer or provider that supports the patient.

Because these APIs are exposed externally, OAuth 2.0 authorization following the SMART App Launch framework, with OpenID Connect for patient identity, and user consent management should be part of the platform. An API developer portal encourages business-to-business (B2B) and consumer app developers to subscribe to, test and try out APIs. This will be the foundation of the organization's healthcare API marketplace, where APIs compliant with the rule, as well as other APIs, can be productized and, in some cases, monetized. Organizations that build a sustainable API ecosystem and platform business model in which all stakeholders collaborate and benefit will elevate their value to patients.
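What "sharing only with the patient's consent" looks like at the API layer, as an added example that is not code from this article or from WSO2: the check below enforces SMART on FHIR scopes (the OAuth 2.0 scope syntax defined by the SMART App Launch framework, v1 form) and binds patient/ scopes to the patient compartment the token was issued for. It assumes the bearer token has already been verified (signature, expiry, issuer, audience) and its claims decoded; the TokenClaims, FhirRequest and authorize names are this example's own.

```python
"""Scope and patient-compartment enforcement for a FHIR API (added example).

Assumes the bearer token has already been verified (signature, expiry, issuer,
audience) and its claims decoded; only the authorization decision is shown.
TokenClaims, FhirRequest and authorize are this example's own names.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SMART App Launch v1 scope syntax: <context>/<ResourceType or *>.<read|write|*>
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Z][A-Za-z]*|\*)\.(read|write|\*)$")


@dataclass
class TokenClaims:
    scope: str               # space-separated scopes the patient consented to
    patient: Optional[str]   # patient compartment the token is bound to, if any


@dataclass
class FhirRequest:
    resource_type: str              # e.g. "Observation"
    method: str                     # HTTP method of the FHIR interaction
    subject_patient: Optional[str]  # owner of the record, looked up server-side


def parse_scopes(scope_str: str) -> List[Tuple[str, str, str]]:
    """Split and validate a scope string. A malformed scope raises instead of
    being skipped, so a misconfigured authorization server fails closed."""
    parsed = []
    for raw in scope_str.split():
        m = SCOPE_RE.match(raw)
        if m is None:
            raise ValueError(f"malformed SMART scope: {raw!r}")
        parsed.append(m.groups())
    return parsed


def authorize(claims: TokenClaims, req: FhirRequest) -> bool:
    """True only if a granted scope covers the resource type and access mode
    and, for patient/ scopes, the record belongs to the token's patient."""
    needed = "read" if req.method in ("GET", "HEAD") else "write"
    for context, rtype, access in parse_scopes(claims.scope):
        if rtype not in ("*", req.resource_type):
            continue
        if access not in ("*", needed):
            continue
        if context == "patient":
            # Consent was for one patient's data: the token must carry a
            # patient launch context and the record must belong to that patient.
            if claims.patient is None or req.subject_patient != claims.patient:
                continue
        # user/ and system/ scopes are not patient-bound; further limits on
        # them (e.g. a clinician's treatment relationship) are out of scope here.
        return True
    return False


if __name__ == "__main__":
    token = TokenClaims(scope="patient/Observation.read patient/Coverage.read", patient="p-1001")
    own = FhirRequest("Observation", "GET", "p-1001")
    other = FhirRequest("Observation", "GET", "p-2002")
    print(authorize(token, own), authorize(token, other))  # True False
```

The patient-compartment check is the point: a token carrying patient/Observation.read is consent for one patient's observations, so a request for another patient's record must be refused even though the scope string matches the resource type. Malformed scopes raise rather than being ignored, so an error in the authorization server's configuration denies access instead of silently widening it.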

Alleviate data mapping risks during implementation

The challenge here is understanding how data is accessed and used in the organization so it may be shared properly with external applications, patients and stakeholders in the future. Mapping data from heterogeneous sources and multiple formats into a standard compliant format is not trivial. CIOs should build a contingency plan and take extra time to identify where and in what format the data lives now and how that plays into the first challenge of retrieving and sharing that data.

Data held in well-defined protocols can be transformed automatically with the right accelerators. For instance, data exposed as HL7 V2 messages can be transformed to FHIR if the accelerator supports the right transformation templates. This eliminates manual transformation and thus reduces the chance of mapping errors. Much data, however, still sits in relational databases and requires row-level data mapping. Visual data mapping with some level of automation will help address these transformation challenges.

Foresee data quality issues

The authenticity of the data is critical when sharing it with outside parties as well as knowing if the patient has allowed it to be shared. Where did the data originate from, how has it been used historically, and how valid, timely and accurate is it? Proper data lineage builds trust in the information for patients, payers, and providers.

Accelerators such as FHIR and HL7 validators play a role here. They can validate API request and response payloads at runtime to ensure they conform to the expected FHIR structure and profiles before the data leaves the organization.
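The HL7 V2-to-FHIR transformation described under the data mapping challenge above, together with the kind of structural check a runtime validator performs, as one added Python example (not code from this article or from any accelerator product). The ADT message is constructed for illustration; the mapping covers only the PID identifier, name, birth date, sex and address fields, HL7 escape sequences are not decoded, and validate_patient checks structure (resourceType, the elements US Core Patient mandates, date syntax) rather than full profile conformance.

```python
"""HL7 v2 PID segment -> FHIR R4 Patient, plus a structural spot-check (added example).
The ADT message is constructed; only PID-3, PID-5, PID-7, PID-8 and PID-11 are mapped."""
import re
from typing import Dict, List

# Constructed sample: '|' separates fields, '^' components, '~' repetitions.
SAMPLE_ADT = (
    "MSH|^~\\&|LAB|HOSP|EHR|HOSP|202006011200||ADT^A01|MSG0001|P|2.5\r"
    "PID|1||123456^^^HOSP^MR~987^^^HOSP^PI||DOE^JANE^A||19800101|F|||"
    "123 MAIN ST^^SPRINGFIELD^IL^62701\r"
)
# HL7 table 0001 sex codes -> FHIR administrative-gender
GENDER_MAP = {"F": "female", "M": "male", "O": "other", "U": "unknown"}
# FHIR code system for the identifier type in CX.5 (MR = medical record number)
IDENTIFIER_TYPE_SYSTEM = "http://terminology.hl7.org/CodeSystem/v2-0203"


def segments(message: str) -> Dict[str, List[str]]:
    """Map segment ID -> field list (first occurrence wins). fields[n] is HL7
    field n for every segment except MSH, whose MSH-1 is the '|' itself."""
    out = {}
    for line in re.split(r"[\r\n]+", message.strip()):
        fields = line.split("|")
        out.setdefault(fields[0], fields)
    return out


def field(fields: List[str], n: int) -> str:
    return fields[n] if n < len(fields) else ""


def v2_date_to_fhir(dts: str) -> str:
    """YYYYMMDD[HHMM...] -> FHIR date; partial YYYY / YYYYMM stay partial."""
    d = dts[:8]
    if len(d) == 8:
        return f"{d[:4]}-{d[4:6]}-{d[6:]}"
    if len(d) == 6:
        return f"{d[:4]}-{d[4:]}"
    return d if len(d) == 4 else ""


def pid_to_patient(pid: List[str]) -> dict:
    patient = {"resourceType": "Patient"}
    identifiers = []
    for rep in field(pid, 3).split("~"):            # PID-3 repeats, one per identifier
        cx = rep.split("^")
        if not cx[0]:
            continue
        ident = {"value": cx[0]}
        if len(cx) > 3 and cx[3]:
            ident["assigner"] = {"display": cx[3]}  # CX.4 assigning authority
        if len(cx) > 4 and cx[4]:                   # CX.5 identifier type code
            ident["type"] = {"coding": [{"system": IDENTIFIER_TYPE_SYSTEM, "code": cx[4]}]}
        identifiers.append(ident)
    if identifiers:
        patient["identifier"] = identifiers
    xpn = field(pid, 5).split("^")                  # family^given^middle
    name = {"use": "official"}
    if xpn[0]:
        name["family"] = xpn[0]
    given = [g for g in xpn[1:3] if g]
    if given:
        name["given"] = given
    if len(name) > 1:
        patient["name"] = [name]
    dob = v2_date_to_fhir(field(pid, 7))
    if dob:
        patient["birthDate"] = dob
    gender = GENDER_MAP.get(field(pid, 8))          # unmapped codes are dropped, not guessed
    if gender:
        patient["gender"] = gender
    xad = field(pid, 11).split("^")                 # street^other^city^state^zip
    addr = {}
    if xad[0]:
        addr["line"] = [xad[0]]
    for i, key in ((2, "city"), (3, "state"), (4, "postalCode")):
        if len(xad) > i and xad[i]:
            addr[key] = xad[i]
    if addr:
        patient["address"] = [addr]
    return patient


def validate_patient(res: dict) -> List[str]:
    """Return the structural problems found; an empty list means the payload passes."""
    problems = []
    if res.get("resourceType") != "Patient":
        problems.append("resourceType must be 'Patient'")
    if not any(i.get("value") for i in res.get("identifier", [])):
        problems.append("identifier with a value is required (US Core Patient)")
    if not any(n.get("family") or n.get("given") for n in res.get("name", [])):
        problems.append("name with family or given is required (US Core Patient)")
    if res.get("gender") not in GENDER_MAP.values():
        problems.append("gender missing or not an administrative-gender code")
    bd = res.get("birthDate")
    if bd is not None and not re.fullmatch(r"\d{4}(-\d{2}(-\d{2})?)?", bd):
        problems.append(f"birthDate {bd!r} is not a FHIR date")
    return problems


def convert(message: str) -> dict:
    return pid_to_patient(segments(message)["PID"])
```

Running convert(SAMPLE_ADT) yields a Patient with two identifiers (the MR and PI repetitions of PID-3), an official name, birthDate 1980-01-01, gender female and one address, and validate_patient returns no problems for it. Feed it a raw v2 date such as 19800101 in birthDate, or drop the sex code, and the validator reports the defect, which is exactly the check an accelerator should run before a payload reaches a third-party app.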

Think beyond compliance to future innovation

We’ve examined the issues of compliance. However, in developing an implementation strategy, healthcare enterprises should look beyond the ONC and CMS rules and build a comprehensive digital value proposition around APIs that will position them for healthcare innovation.

While there are some limitations on direct monetization of the APIs mandated by the rules, there are many indirect monetization sources that can be explored. Making certain types of APIs available to third-party healthcare apps paves the way for revenue share, subscription or usage-based business models.

Putting into place a healthcare-specific solution based on a full API-integration platform will provide capabilities central to innovating new digital offerings. These can include:

Return on investment (ROI) is another important consideration. Accelerators and tools that provide a rapid mechanism to pull multiple data sources and transform them result in time savings and efficiency for teams and reduced time to market.

Finally, healthcare payers and providers are increasingly taking advantage of the cost savings and scalability provided by the cloud. However, there are many situations where data must reside locally behind a firewall. Therefore, the architecture and supporting technology should allow for deployment flexibility across software-as-a-service (SaaS), private cloud, bare metal, and hybrid cloud environments.


APIs are at the heart of efforts by the ONC and CMS to give patients ready access to their healthcare information. Interoperability is the wave of the future for the healthcare industry. While it is being mandated by the ONC and CMS rules, over time, it will create a new breadth of opportunities for healthcare payers and providers.

Additionally, these new rules will simplify data access for patients while payers and providers alike remain compliant with regulatory measures. However, if CIOs do not act now to create a plan for meeting the CMS requirements, they face potential fines for failing to comply. The key is effective planning and using the time available now to implement new processes. By addressing these four key challenges associated with the regulation, institutions can position themselves for future success.
