The U.S. Department of Health and Human Services has released its final interoperability, information blocking, and data sharing rules.

The two companion rules were proposed in February 2019 by the HHS’ Office of the National Coordinator of Health IT (ONC) and the HHS’ Centers for Medicare and Medicaid Services (CMS). The interoperability and information blocking rules were a requirement of the 21st Century Cures Act and are intended to provide patients with easy access to their electronic health records contained in electronic health record systems and to make it easier for health plan members to obtain their records from payers. The rules also support President Trump’s MyHealthEData initiative to empower patients to make better healthcare decisions by having easy access to their health data.

“These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination,” explained HHS Secretary, Alex Azar.

One of the main requirements of the new rules is for Certified health IT developers to establish a secure, standards-based API that providers can use to allow patients to access their health records that are stored in EHR systems. Through the use of an API, patient health records can be sent to smartphone apps which can be paired with wearable health monitoring devices. Information can also be obtained from their health insurance provider is a similar fashion and can be integrated with patients’ health data.

Other requirements of the rules include requiring hospitals to send electronic notifications to patients’ primary care providers when patients have been admitted, transferred, or discharged. Certain restrictions have been lifted that make it easier for doctors and nurses to communicate issues related to the usability of health IT products, by allowing screenshots to be taken of EHR systems. The rule also requires payers to make their provider directories publicly accessible through a provider directory API starting in 2021. This requirement will allow app developers to develop apps to help patients evaluate which plan is right for them, which could help them see which clinicians are available under different networks and make decisions accordingly. It would also allow them to plan and avoid surprise billing. The rules will help to stimulate innovation. A whole host of apps could be developed to help patients monitor specific health conditions and improve their health.

The rules also aim to stop information blocking, which is stopping the healthcare system from functioning correctly. The ONC’s rule clearly states eight common sense exceptions that are not considered information blocking. If information blocking is discovered, and the exceptions do not apply, financial penalties may be imposed.

While the rules have been largely welcomed, there has been criticism of some aspects of the rules due to privacy concerns. One aspect that has attracted a considerable amount of criticism is the requirement to use APIs to send electronic health records to third party apps. Not only may those apps not be secure – HIPAA Rules do not apply to health app developers – there is potential for secondary uses of patient data that may not have been made clear to patients. The EHR company Epic Systems was one of the more vocal opponents to API-based record sharing.

Alex Azar made it clear that appropriate privacy protections are in place to ensure patient information is secured. “I want to emphasize that we’re taking these actions while maintaining and strengthening patient privacy protections. Patient privacy should never stand in the way of patient control,” said Azar.