CMS Proposed Rule on Hospital EHR “Electronic Patient Event Notifications”

By Kathie McDonald-McClure and Margaret Young Levi

Doctor Speaking with Patient

Summary: CMS proposes new Medicare Conditions of Participation (CoPs) for hospitals that will require the hospital EHR to send electronic event notifications to post-acute care providers when a patient has been admitted, discharged, or transferred.  What must hospitals do, and how much time is needed, to operationalize the new CoPs, considering a process will need to be developed that identifies providers who should and can receive these event notices? What will be required, and how much time is needed, to reconfigure EHRs to send the notifications and demonstrate compliance with the multiple facets of the CoP?  Will PAC providers be obligated to operationalize the receipt and use of these notifications under the IMPACT Act?  CMS is seeking stakeholder input on its proposal, including a reasonable time frame for implementation. Comments are due June 3, 2019.*

On March 3, 2019, the Centers for Medicare & Medicaid Services (CMS) released a Proposed Rule (click here) to advance the exchange, and prevent blocking, of information in electronic health records (EHRs). These are key objectives under the 21st Century Cures Act.  Many reports about this Proposed Rule have focused on the planned mandate for Medicare Advantage plans and ACA health benefit plans to provide insureds with access to health information maintained on them by the plans.  However, buried in the Proposed Rule are new Medicare Conditions of Participation (CoPs) affecting hospitals (including psychiatric and critical access hospitals).

The proposed CoPs will require hospital EHRs to transmit certain patient event notifications to other providers in an effort to improve care coordination.  Post-acute care (PAC) providers would need to prepare to receive and operationalize these electronic notifications.  In fact, CMS highlights the interplay of patient status change notifications with the goals of the Improving Medicare Post-Acute Care Transformation Act of 2014 (IMPACT Act).  One of the IMPACT Act’s “priority areas” is to promote effective communication and coordination of care.  Accordingly, both hospitals and PAC providers will need to implement policies and procedures to comply if the proposed CoPs are finalized.

The proposed patient event notifications must electronically notify certain providers of a “patient’s admission, discharge, and/or transfer to another health care facility or to another community provider.” The CoPs would require hospitals to send “electronic patient event notifications” to a wide range of providers who have an “established care relationship with the patient relevant to his or her care.”  Providers who might receive electronic notifications would include “licensed and qualified practitioners, other patient care team members, and post-acute care services providers and suppliers” (i.e., PAC providers).  The notifications would be sent via a hospital EHR that has been certified by the Office of National Coordinator of Health Information Technology (ONC) to the PAC providers directly or indirectly through an intermediary that facilitates health information exchange between providers.

CMS noted that “virtually all [hospital] EHR systems generate the basic messages commonly used to support electronic patient event notification” because they generate admission, discharge, and transfer (ADT) messages to communicate information about key changes in a patient’s status within the EHR.[1]  Although, as CMS acknowledged, current ONC standards do not require EHRs to send ADT messages outside of the EHR system[2], CMS believes EHRs could use the internal change in ADT status to trigger an external message to a receiving provider.

Although the exact content of the event notification has not been established, CMS proposes that it minimally include the patient name, treating practitioner name, sending institution name, and, if not prohibited by other applicable law[3], the patient’s diagnosis.  In addition, CMS says that hospitals would need to demonstrate that the notification was a) transmitted at the time of the ADT, b) for treatment, care coordination or quality improvement purposes, c) to a provider with an established care relationship with the patient relevant to his or her care, and d) for whom the hospital has a reasonable certainty of receipt of notifications.  Although not stated by CMS, these requirements, in part, appear to be safeguards against inducing unlawful referrals.  Hospital EHRs will need to be configured to not only send the notifications but also to confirm compliance with these specific requirements.

Even if the hospitals have EHRs that are able to send the notifications, many PAC providers are not ready to receive them.  PAC providers were not provided financial incentives to adopt CEHRT under the HITECH Act, and there has been no other comparable mandate. As a result, many PAC providers are using EHRs that are not designed to exchange health information with a hospital’s EHR and are, thus, not “interoperable.”[4]

Moreover, both the hospital and PAC provider will be responsible under HIPAA for ensuring that the transmission of electronic health information between them complies with HIPAA. As CMS notes, the HIPAA rule permits health care providers to share health information for treatment and coordination of care purposes.  That is only one-half of the HIPAA compliance puzzle, though.  The method of transmission must be secure including, among other things, properly configured routers and firewalls and IT cybersecurity software.

CMS is soliciting public comment on this proposal:

We seek comment on requirements for patient notice and consent, and applicable legal and regulatory requirements, and whether or how this data transfer could be cumulative over time and between various providers. We seek input on the utility to providers of obtaining all of their patients’ utilization history in a timely and comprehensive fashion. We also seek input on potential unintended consequences that could result from allowing a provider to access or download information about a shared patient population from payers through an open API. Finally, we seek comment on the associated burden on plans to exchange this data, as well as the identification other potential statutory or regulatory barriers to exchanging this data.

Comments are due on Friday, June 3, 2019.*

*On April 19, 2019, CMS extended the comments deadline from May 3, 2019 until June 3, 2019.  This original article posted April 9, 2019 was revised on May 14, 2019 to add more information about the proposed CoPs and their potential impact on providers. 

[1] 84 Fed. Reg. 7650.

[2] Most hospitals have adopted EHR technology that has been certified as meeting the standards set by ONC certifications standards that were established pursuant to the HITECH Act of 2009 for certified electronic health record technology (CEHRT).  Eligible hospitals that certified the adoption and/or use of CEHRT received financial incentives under HITECH.

[3] For example, mental health, drug and alcohol use disorders and AID/HIV diagnoses are subject to more restrictive disclosure standards.

[4] 84 Fed. Reg. 7616.  Statistics cited from ONC 2016 were that “only three out of 10 SNFs electronically exchanged (that is, sent or received) key clinical health information, and only 7 percent had the ability to electronically send, receive, find, and integrate patient health information.”  An 2017 ONC survey found that more HHAs (78%) adopted EHRs than SNFs (66%), but integration of received information continued to lag behind for both HHAs (36 percent) and SNFs (18 percent).”