Contributor: How Balancing Compliance, Comprehension, and Privacy Can Optimize Access to Patient Data


In preparing for the upcoming implementation of the Interoperability and Patient Access final rule by CMS, best practices for health plans include prioritizing data mapping, sensitivity codes for privacy, and consumer-friendly language in accessible data for patients.

CMS has made clear its intent to provide patients access to their health information in a user-friendly format, when and where they need it. The Interoperability and Patient Access final rule applies to CMS-regulated health plans, and the agency fully expects health plans to be ready for enforcement starting on July 1, 2021. That means there are just a few months left to prepare.

CMS further communicated its intent to advance the cause of interoperability when it released the Reducing Provider and Patient Burden Proposed Rule in December of last year. This rule would require automation of pre-certification activities using a Fast Healthcare Interoperability Resources (FHIR)-based API.

The federal push to liberate patient data requires a lot of work on the part of payers and their technology partners. In addition to modernizing legacy IT infrastructures, payers will need to be ready to shoulder the increasing burden of member transparency, and some payers are further along than others.

Plans should make no mistake that enforcement is coming and be prepared to do much more than check a box. Disparate and siloed data across health plan organizations will need to be completely transformed, not only to achieve compliance but also to ensure sensitive patient information is protected and patients can understand the information being shared with them. Balancing compliance with patient comprehension and privacy is no small feat, but best practices are emerging.

Data mapping

CMS has identified FHIR as the key to unlocking valuable data for consumer and developer use and made clear its commitment to FHIR-based APIs in supporting the needs of patients and fueling innovation.

By July 1, payers must have in place a FHIR-based API that “allows patients to easily access their claims and encounter information, including cost, as well as a defined sub-set of their clinical information through third-party applications of their choice.” Further, as part of the Cures Act final rule, the ONC adopted the US Core Data for Interoperability standard for electronic health information to be accessed and shared using certified API technology. This standardized set comprises 16 data classes and 52 data elements.

Health plans will need to have robust data management and governance strategies in place. First, a single source of referential data is required for the accurate exchange of information through FHIR APIs. Second, the ability to map non-standard data to the common health care terminologies that are identified in the FHIR implementation guides will become an essential component of their interoperability strategy. In short, a FHIR terminology service with advanced data mapping capabilities will prove to be a strategic advantage as health plans strive to capture maximum value from their data.

Sensitivity codes for privacy

Certainly, the increased exchange of information will present new challenges to health data security and privacy. As health care organizations deploy the frameworks to support meaningful data sharing and greater care coordination across the continuum, one area that must not be overlooked is the compliant protection of sensitive health information. The mechanism for sharing data may be changing but the need to protect that data as it is exchanged remains the same.

Health plans may consider the use of sensitivity codes to help identify and filter sensitive diagnoses, procedures, labs and drugs across 6 key categories:

  • substance abuse
  • mental health
  • family planning
  • genetic testing
  • HIV
  • STDs

Sensitivity codes will require ongoing management and many payers are looking to experienced partners to fill that role.

Consumer-friendly descriptors for comprehension

Perhaps most important is acknowledging that for patients to act on their health data, they need to be able to understand it. The gap that exists between the language that clinicians and payers use and what patients understand is well known, but the Patient Access rule is forcing the issue to the fore.

The right strategy for effectively communicating with members and increasing transparency begins with terminology management that can generate consumer-friendly descriptions alongside industry codes within patient-facing documents. For instance, while a typical claim might designate a "foodborne Bacillus cereus intoxication," an accompanying consumer-friendly description would simply read "food poisoning." These consumer-friendly descriptions may also be used in member portals, EOBs, and paper-based communications to truly engage patients.


By taking proactive steps to communicate with stakeholders—especially patients—payers can design and execute an implementation plan that not only satisfies the requirements of the Interoperability and Patient Access final rule but also moves the industry closer to the goal of putting patients truly at the center of health care.

© 2023 MJH Life Sciences
All rights reserved.