How to Leverage the CMS FHIR APIs to Support Broader Interoperability Initiatives

Since the publication of the Centers for Medicare and Medicaid Services (CMS) Advancing Interoperability and Promoting Prior Authorization final rule in January 2024, impacted health plans have been heavily focused on how to best prepare for the new FHIR API (or Fast Healthcare Interoperability Resources Application Programming Interface) requirements.

While for many, much of the effort will be focused on how to best meet the direct requirements of the regulation, some plans are using this as an opportunity to evaluate their current data sharing strategy. While the regulation does require the use of FHIR APIs for certain use cases, namely payer-to-payer and provider access, CMS does proactively encourage payers to leverage those APIs as their “standardized mode” for data sharing.

For those plans (or more importantly their health information teams) who have decided to focus less on “how do I get to compliance” and more on “how can I use FHIR APIs to support all my interoperability needs,” there are a few key privacy considerations to take into account when exchanging protected health information (PHI) via FHIR APIs.

Those considerations can essentially be addressed by asking the following three questions for every disclosure made via a CMS-mandated FHIR API:

1. Under what legal grounds is data being exchanged?

If a payer wishes to use its CMS-mandated FHIR APIs to share population-level data with other covered entities, for both compliance with the payer-to-payer and provider access requirements under the CMS regulation (or any other applicable federal or state interoperability law) and for other legally permitted data sharing use cases, then the most important question that the payer needs to be able to answer is under what legal grounds is that data being shared.

In the context of population-level data sharing, we are looking for mechanisms under which data can be shared without the need to obtain patient consent, which is typically required for data sharing under the Health Insurance Portability and Accountability Act (HIPAA). There are two main legal avenues under which data can be exchanged between covered entities without the need to obtain patient consent: disclosures “required under law” and disclosures made under the treatment, payment, and operations (TPO) exception.

For any data sharing done in direct conformance with the final regulation for either the payer-to-payer or provider access (or for any other applicable federal or state regulation) such disclosure would be categorized, and legally permitted, as a disclosure “required under law.” For data sharing between two or more covered entities that is for (a) treatment purposes, (b) payment purposes, or (c) healthcare operations purposes, as each such term is expressly defined by HIPAA, such disclosure would be legally permitted under HIPAA’s TPO exception.

A key thing to call out here is that this assessment cannot be done only at the disclosure level. Depending on the data elements being disclosed, a single disclosure could be considered both a disclosure required under law and a disclosure made under TPO; or, in the case of disclosures made under the TPO exception, it could be made for more than one purpose.

In order to do this assessment, a disclosing organization needs to look at the data elements being shared and determine if they are the same or broader than what is outlined by the regulation. If they are broader, it's likely the grounds for disclosure will be both “required by law” and TPO. Similarly, if a payer is sharing certain information with a provider where some elements of the data shared support care coordination efforts, while other data elements help the provider determine reimbursement requirements, then it is likely the former elements would fall under treatment and the latter would fall under payment.

While this feels like a somewhat arduous process to undergo, it is critical that the discloser goes through this assessment, as it can be very helpful in the context of addressing any restrictions on data sharing that could apply based on the terms of the regulation. For example, while there is no patient consent requirement for payer-to-payer and provider access, the regulation does impose an opt-in requirement for payer-to-payer, and an opt-out requirement for provider access, that could impact a payer’s ability to share data as a disclosure “required by law.”

However, if the data elements being shared can also be legally shared for one of the enumerated purposes in the TPO exception or in furtherance of another state or federal regulation, then, subject to any restrictions identified in response to questions two and three respectively, the payer can still take advantage of that alternative legal avenue for data disclosure, as described above, to disclose the data via the FHIR API.

It is also important to undergo this assessment because it will be incredibly relevant as we move on to question two.

2. Does the Minimum Necessary Standard apply to the disclosure?

As alluded to above, our assessment of whether a certain disclosure of PHI can be made via the FHIR API is not yet complete. Now that we understand under what legal grounds we are making the disclosure, we need to take the additional step of determining whether the minimum necessary standard applies. The minimum necessary standard is an additional disclosure restriction imposed by HIPAA on certain types of disclosures that requires the disclosing organization to limit its disclosure of PHI solely “to the amount reasonably necessary to achieve the purpose of the disclosure.”

While the minimum necessary standard applies to most disclosures of PHI, it does not apply to disclosures of PHI that are “required under law” and it does not apply to disclosures of PHI that are made in furtherance of treatment purposes. This is why it’s important to first understand the legal grounds under which the disclosure is being made, as it directly impacts whether or not the minimum necessary standard needs to be met.

In order to best address the question of whether a disclosure meets the minimum necessary standard, you should refer to your internal data sharing policies and data use agreements. This may be a good time to revisit those policies and agreements to make sure they appropriately define and support your ability to leverage the FHIR APIs in support of your overarching data sharing needs.

3. Are there any additional restrictions that apply to the data being disclosed?

This last question is really intended to be a catchall to ensure you are not overlooking any other important data use restrictions. The three most common areas for additional restrictions on data sharing include: (a) any restriction on the use or disclosure of PHI requested by an individual and agreed to by the covered entity; (b) any federal or state privacy law that imposes obligations more stringent than HIPAA, which could include federal or state laws restricting the use or disclosure of data related to mental health, substance use, HIV status, or reproductive health services; and (c) any contractual restrictions on data use imposed on the discloser by way of its data use agreements. While this list is illustrative, for most organizations it will likely be a good starting point to help address the final part of the assessment.

Even though this framework is inherently designed to allow health information professionals to take advantage of the CMS FHIR APIs for use cases beyond compliance, the three questions outlined above apply to the sharing of PHI via any mechanism.

With all that being said, I do want to acknowledge that as a privacy attorney, I appreciate that the sharing of healthcare data is never really quite as clear cut or as easy as answering three simple questions. However, as someone who is deeply invested personally and professionally in improving our healthcare system, I know that no real progress will be made until we can easily, effectively, and securely share data. 

I am deeply encouraged by the movement toward data standardization using FHIR, but I am also very much aware that its success is heavily contingent on adoption. While the CMS interoperability regulations provide a lot of support in that direction, payers and their data professionals need to fully lean in and invest in FHIR for all of their data sharing requirements to make this happen. I am hoping that by providing a tangible framework to start thinking about how to make that transition within your own organizations, that it will at least encourage you to consider the potential value of using FHIR beyond just compliance.


Eden Avraham-Katz is vice president of legal and compliance for 1upHealth, a health data management platform provider for claims and clinical data interoperability. From her years of experience as an in-house attorney for a variety of healthcare technology vendors, Avraham-Katz has knowledge of the complexities of the healthcare regulatory landscape and general legal issues.