
Clareto Provides Initial Feedback to New Interoperability Rules

Katie Devlin

March 13, 2020

The Office of the National Coordinator (ONC), the principal federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information, released its final rules this week around interoperability.

What are the implications for the use of electronic health data for underwriting and claims adjudication in the insurance industry?

A few key takeaways:

The rules are complex, and the proposed changes are large. Even as enacted, aspects of the new rules roll out in 2021 and will not be fully implemented until 2023. Using history as a guide, there is no guarantee that even these timelines will be met and that there will not be additional changes made in the interim.

Importantly though, the general tenor of the new rules is very positive for the insurance use case – the quantity and quality of data available in electronic health records should only improve and there are strict prohibitions against not providing access to data where appropriate controls are being met.

The focus of the final rules is to empower the patient, putting them in control when it comes to directing who can access their health data. While there is a significant amount of information to digest, there are a few areas for insurance carriers to focus on:

EHRs now must use the USCDI as the standard for interoperability, which is replacing the CCDS. The USCDI includes components such as clinical notes, allergies, meds and other data that helps to ensure information is easily interpreted when exchanged (you can find all elements here). Many of these elements are available in the documents carriers get electronically today, but the quality can vary from provider to provider. Quality of data should improve given the expected increase in consistently available structured data elements spelled out in the new regulations.

Clareto continues to aggressively grow our network and connect to as many data sources as possible. Our core competency of connecting to existing systems and national networks remains our primary focus given how critical this will be to advance utilization of EHD by insurers. Clareto is currently connected to eHealth Exchange and Carequality and is looking at opportunities to leverage Commonwell when it becomes available for non-treatment (insurance) use cases.

Information Blocking
One of the conditions for EHR certification now includes attestation that developers do not engage in information blocking and prohibits them from using EHR contracts as an excuse to limit communication around usability, security and interoperability. This allows providers and healthcare organizations to more openly communicate around these issues and will improve the way that data is shared. It will hopefully promote competition among the EHR developers and make for better products.

This also means that when health information (anything within the USCDI) is requested by a patient or with a valid authorization, the provider or healthcare organization must be able to export that data electronically. There are 8 exceptions called out for when information blocking is considered reasonable and they involve patient safety, privacy/security, and certain business practices (you can find all 8 exceptions here). As an industry, we must continue to push for fewer special authorizations and for more organizations to move to an auto-release state.

For EHR developers, the timeline for attestation is April 2021; providers have until 2023 to get the technology in place to export the data electronically. In the future, this may be helpful for streamlining the process and improving the way information is released to carriers…

Today, Clareto is fortunate to have some participating HIEs already auto-releasing the data, with several others already working on it. Being part of Veradigm’s TPP program, Clareto is able to get Allscripts, Next Gen and Practice Fusion records auto-released as well. There’s also been an uptick in the Epic providers that implemented auto-release functionality and will likely continue trending this way.

Patient Access
With the goal of the rule being to increase patient access to their data without special effort (i.e., technology or development), patients are now able to choose any third-party application to share or manage their health data. Developers of Health IT apps will be required to use FHIR version 4 as the API standard. They’ll also have to meet certification criteria and publish the APIs.

Patients will likely make greater use of apps to manage certain conditions and get more involved in their healthcare. Patients will need to be cautious in choosing apps, ensuring that their data is protected properly. This includes paying more attention to End User License Agreements and understanding the repercussions of sharing their data. Once it is out of the healthcare organization and in the patient’s hands, it no longer has the same protections as it does under HIPAA.

Overall, the effort needed to get new capabilities in place will take time but will likely benefit the insurance industry in the long-term. Key takeaways include:

  • Patient use of portal/apps – Carriers will still need to be cautious of getting partial data from a portal-type solution. For example, if the applicant is providing their data from a portal/app that is only linked to a specialist or specific condition, the carrier runs the risk of missing other providers and critical information.
  • Reduction of special authorizations – If a patient is using a valid HIPAA authorization to direct their information to a carrier, the provider risks the perception of information blocking and not complying. If a provider is found to “information block”, there are civil monetary penalties involved.
  • Increase in automated release of records – Carriers may see more providers move to a model where they are no longer manually reviewing each authorization, and instead doing a post-transaction audit.
  • Access to data via national networks – Providers are already exchanging data for patient care/treatment today. Carriers will be able to leverage these networks through Clareto as they become available.

With the introduction of the final rules being beneficial to the life and disability industry, carriers should continue to move forward with their electronic health strategy knowing the quality and availability of electronic health data will improve. Clareto will monitor the implementation of these new rules, providing relevant updates to carriers as they pilot and operationalize electronic health data.

Carriers interested in learning more about Clareto or this interpretation of the final rules should contact Katie Devlin at kdevlin@clareto.com


Electronic Health Data for Insurance & Consent Management

Katie Devlin
December 11, 2019

For insurance carriers, access to medical records is a critical component in the risk selection process. In obtaining these records, insurers must consider the Health Insurance Portability and Accountability Act (HIPAA) when interacting with HIPAA-covered entities such as hospitals, health information exchanges and clinician offices. As many of us know, the intent of HIPAA is to provide consumers with rights and privacy protections related to their health information, including how and when their medical records are used and disclosed.

For healthcare, compliance with HIPAA is complex, causing carriers and vendors to encounter a few bumps in the road related to consent.

1. There are common misconceptions as to what health data is available for the life and disability insurance use case.

Traditionally, the exchange of electronic health data has been designed for treatment, payment and operations (TPO) and did not cover use cases like underwriting and claims management. Interoperability regulations continue to reinforce the move towards allowing providers to share data for non-treatment purposes.

Of the major interoperability initiatives, eHealth Exchange paved the way in 2016 by adding “authorized released of health information for life insurance” to its list of approved use cases. Their main participation agreement (the DURSA) specifically calls out the Permitted Purpose to support the patient’s “right to direct with whom their information can be shared or where their information should be sent”. While healthcare providers or HIEs are not compelled to participate in non-treatment data exchange, this language provides both an endorsement of the idea and a framework under which data exchange can be handled from an operational perspective. While many HIEs and healthcare providers do not yet participate in the use case, many are in the process of evaluating it now and participation is trending upward.

There is now strong support from the Office of the National Coordinator (ONC) to ensure that the patient is in control of their medical records, which will further support the non-treatment use case. The Trusted Exchange Framework and Common Agreement (TEFCA), which was released by ONC in 2018, will establish a standardized process for healthcare stakeholders, including life insurers, to connect and participate in the sharing of electronic health data.

In support of this, the Department of Health and Human Services (HHS) has proposed a new rule that puts a strong focus on enabling patients to electronically access their health data and implements the information blocking provisions of the 21st Century Cures Act. When a patient signs a HIPAA authorization for an insurance carrier, they are directing that information to be released. Under the proposed ruling, if an organization can provide the data electronically, they must comply or will be assessed a financial penalty.

2. How does it work when an organization agrees to participate in the insurance use case?

All healthcare organizations are requiring a valid, signed HIPAA authorization establishing patient consent in order to release data. Most organizations will accept the standard insurance company HIPAA authorization, but because this is new for healthcare providers, some are being more cautious and request facility-specific authorizations in addition to the traditional HIPAA consent. This requires the underwriter/agent to go back to the client to sign another form, often delaying the process and resulting in frustration for all parties involved.

There are different approaches carriers can take to reduce the friction of special authorizations in their new electronic health record workflow. A more labor-intensive approach would be to understand which facilities will require the special auth upfront and incorporate that into the application process. This is tough, as it requires knowing not only the applicant’s provider, but the facility where they seek treatment. A carrier could eliminate querying to any organization that requires the special auth, but that reduces the amount of data available.

A major advantage of working with HIEs is their willingness to work with standard HIPAA authorizations. Apart from New York, all of the HIEs Clareto is working with are able to leverage the existing data governance and standards that are in place for traditional health information data sharing, allowing the carrier to obtain EMR-agnostic medical data without the need for special consent.

3. How do organizations review and approve authorizations?

Keeping in mind the non-treatment use case is new to healthcare, some organizations and providers are requiring a manual review of authorizations once submitted by the carriers. This is not something that the EMR vendor can control, and without automation this process can delay the time in which records are released.

In small ambulatory practices there is rarely a dedicated individual managing the release of information. The authorizations are routed to a queue/inbox for review, and the release might take up to 10 days. Even in larger healthcare organizations the requests go to the Health Information Management (HIM) department where a clerk or analyst must manually review each request in queue. These same resources may also have other responsibilities which could include fulfilling patient requests, filing birth/death certificates, coding, billing, or duplicate record matching. It is easy to speculate that an insurance carrier request could be lower priority.

4. What does the future hold?

There are good things happening here. HIEs such as Utah, Missouri and Kansas City have implemented automated connectivity models to help handle the influx of volume from insurance carriers. Epic has established a number of large providers who are automating the process for carriers and Veradigm’s Trusted Partner Network eliminates the need for manual review or special authorizations.

Clareto is committed to working with HIEs, EMR vendors (such as Epic and Veradigm) and providers to promote the non-treatment use case and provide carriers more access to data. Part of this work includes educating the healthcare community on patient (applicant) rights to dictate where this data is shared and the completeness of carrier authorizations to reduce the need for special consents. Clareto also works with organizations to help them understand the benefits of automating the release of information and provides technical benchmarking and expertise. Making a concerted effort to engage more organizations, accept traditional authorizations and automate the process will benefit the applicant, carrier and healthcare provider.





Confused about the National Networks?

Clareto explains what they are and exactly what they mean for insurance carriers. 

Katie Devlin

November 4, 2019

For anyone who doesn’t work in healthcare IT, it can be overwhelming to understand the industry initiatives aimed at improving interoperability. Even more confusing is understanding how they impact data availability for insurers, given that they were designed for treatment purposes and different rules apply to non-treatment use cases (including insurance). As carriers try to gain an understanding of how EMRs, HIEs and patient portal data can be used for underwriting and claims, it will be increasingly important to understand how interoperability initiatives and national networks fit into the big picture.

Let’s start with The Sequoia Project. The Sequoia Project was founded back in 2012, when it assumed stewardship of the nationwide health information network exchange from the Office of the National Coordinator (ONC). It is a non-profit, collaborative organization focused on advancing the secure, national sharing of health care data. It is important to note that the Sequoia Project itself is not a network, meaning members of the Sequoia Project are not guaranteed access to data. The collaborative is meant to be a thought-leader and convener for interoperability, bringing together industry and government to solve challenges in health care. There are several working groups within the Sequoia Project, focused on various initiatives or challenges such as radiology image sharing or Patient Unified Lookup System for Emergencies (PULSE). One successful past initiative of the Sequoia Project was eHealth Exchange.

If you think of Sequoia as the over-arching organization, eHealth Exchange was its first interoperability initiative. eHealth Exchange is a nationwide public-private, health information network that connects the private sector providers and state/regional HIEs to each other and federal entities (SSA, DoD, etc.). It currently supports over 120 million patients and several interoperability use cases. One common participation agreement, the DURSA, establishes trust among participants who wish to exchange data.

Clareto operates MedVirginia, which is a founding and anchor member of eHealth Exchange. MedVirginia aided in the development of the network in 2008 and, in 2009 via eHealth Exchange, was the first HIE in the country to connect with the Social Security Administration’s Health IT Program and later to the Department of Veterans Affairs and Department of Defense.

From a technical perspective, connecting to eHealth Exchange requires that you are a certified member and have completed on board testing and validation. Being a member of eHealth Exchange reduces the complexity around security and standardizes how data is sent, but each certified member will then need to work with their participants to set up access to exchange data.

eHealth Exchange was initially established to exchange data for TREATMENT purposes as the primary use case. This is a critical distinction for carriers to understand, as the life and disability purposes of use are considered NON-TREATMENT. While the technical capabilities may be in place for non-treatment data exchange, the participating HIEs each need to approve the use case on an individual basis. This usually requires HIE stakeholder or board approval. Additionally, Clareto works with HIE stakeholders to provide education around the non-treatment use case and the value to help with prioritization against grant funded projects such as prescription drug monitoring programs (PDMP).

Following the success of eHealth Exchange, questions persisted around how providers who connect through different networks (such as vendor, payer, lab, etc.) could enable data sharing with each other. Sequoia gives the example: imagine not being able to call someone because they have a different cell phone carrier. That is what providers historically faced when joining a data sharing network.

The answer was found in Carequality, another successful initiative spearheaded by The Sequoia Project. Carequality is a network-to-network trust framework that connects existing and future networks to each other. When providers adopt this framework, they can then share data with those outside of their network without additional effort.

eHealth has recently implemented a HUB-model to enable the routing of requests among its participants and to accommodate the Carequality Framework.  While initially scheduled to go live this year, it will likely be fully in place by early 2020.

The Sequoia Project was also recently announced as the Recognized Cooperative Entity (RCE) responsible for developing, updating, implementing, and maintaining the Common Agreement component of the Trusted Exchange Framework and Common Agreement (TEFCA). As part of ONC’s 21st Century Cures Act, the Sequoia Project will be responsible for creating both the legal and technical requirements for networks to share electronic health information.

Commonwell is another national network, but unlike the others, is not related to the Sequoia Project. Backed by the large EHR vendor, Cerner, it too is focused on health data interoperability and leverages existing standards. Commonwell also provides record locator services, patient identification and matching and consent management to its participants. Like eHealth Exchange, Commonwell was also established for treatment purposes. Each participant in the network would need to individually approve the non-treatment use case to share health data with insurance carriers.

The Strategic Health Information Collaborative (SHIEC) is a collaborative group for HIEs and strategic business members to share best practices and identify joint solutions. It provides education and influence on legislation, as well as thought-leadership across the industry. Membership does not equal access to data. Clareto recently announced its acceptance in SHIEC’s group purchasing program, which provides group benefits and preferred purchasing terms.

SHIEC’s first initiative, the Patient Centered Data Home, launched in 2018. This nationwide network has a goal of exchanging data across HIEs and notifying providers when a care event has occurred outside of the patient’s regional HIE. This enables providers to access real-time information across state and regional lines. For example, if an individual resides in Missouri and takes a vacation to Hawaii, their “home” HIE might be the Missouri Health Connection (MHC). If they become injured or sick while away, the Hawaii Health Information Exchange (HHIE) will be able to notify MHC of the incident, and they can access records from the individual’s primary care providers/health facilities. Like other networks, PCDH exchanges data for treatment purposes.

So how can we sum this up? First, there are a lot of networks, organizations, and collaboratives focused on improving health data sharing which benefits all healthcare stakeholders, including carriers. Second, and more importantly, carriers should be cautious of data partners who claim to be a member of any of these networks. Many vendors do not yet fully understand the data standards, frameworks, use cases, and certification testing required to participate in the NON-TREATMENT exchange of data.

At Clareto, we continue to utilize our participation in these networks, as well as our deep healthcare expertise, to expand our access to data for insurance carriers.  Clareto is already leveraging its eHealth Exchange connections and when the Carequality Framework becomes available, there will be no additional technical work for us to connect to other networks exchanging data. A visual overview of these networks is provided here.

For carriers interested in learning more about how Clareto works, or our roles on industry workgroups, please contact us at: http://clareto.com/contact/