Everything You Need to Know About the Healthcare Interoperability Rules

I read 400+ pages so you don't have to.

Waiting Room is a blog that explains incentive misalignments in healthcare and health tech. Today, we’re covering the final CMS rules on quality and accessibility of health information (21st Century Cures Act and Executive Order 13813).

Sometimes shortcuts catch up to you. I realized after reading the entire CMS rules on healthcare interoperability that I made a few assumptions (some right and others wrong) and overlooked opportunities. It’s even possible I missed great investments because I didn’t put in the work. It’s not necessarily *fun* and it’s definitely not scalable to synthesize hundreds of pages but it’s what great investors and builders do.

The CMS document is worth examining in full but I’ve jotted down a few thoughts on interesting subsections and their wider implications. The rules are a big win for consumers and for:

  • API businesses (B2B and B2B2C), like Redox and Noyo, that enable patients, insurers, and the government to access electronic health information (EHI)

  • Care coordination platforms, like PatientPing, that empower health information networks/exchanges

  • Provider directory software like Ribbon Health


In March, CMS and its lesser-known counterpart, the Office of the National Coordinator for Health Information Technology (ONC), released separate but related final rules addressing interoperability. These policies advance the 21st Century Cures Act, which, among other provisions, urges the implementation of APIs to modernize data exchange across healthcare stakeholders.

Actors and Data Sharing via FHIR APIs

Deadline: March 2022

Providers, health IT developers, and health information exchanges / networks are all considered "Actors." Actors must make EHI (Electronic Health Information) - clinical, encounter, claims, and other types of data - shareable to patients, insurance plans, and federal agencies through Fast Healthcare Interoperability Resources (FHIR)-standard APIs.

  • Healthcare Providers include doctors, nurses, pharmacists, technicians, assistants, admins, and the institutions they work for.

  • Certified Health IT includes EHRs, e-prescribing technology, patient communication software, etc. used by providers.

  • Health Information Networks and Exchanges (HIN and HIE) exchange EHI between unaffiliated providers and entities for the limited purposes of treatment, payment, and healthcare operations. Some examples include nonprofit, state-run HIEs (like SHIN-NY) and proprietary HIEs for accountable care organizations and integrated delivery networks like Kaiser Permanente.

Actors are prohibited from information blocking – any practice likely to interfere with or materially discourage access to, exchange of, or use of electronic health information. Noncompliance will subject Actors to penalties (amounts not yet specified by CMS’s Office of the Inspector General), though there are a handful of notable exceptions:

  • The Content and Manner Exception allows Actors to limit the EHI content they provide depending on the kind of request. There is still a minimum/floor on the clinical data elements that must be provided to avoid noncompliance.

  • The Security and Privacy Exceptions allow Actors to reject data requests if a patient requests confidentiality and there’s a reasonable belief data sharing will bring harm to a patient. 

  • The Infeasibility Exception permits Actors to restrict data requests due to uncontrollable events like public health emergencies and war. Covid-19, anyone?

  • The Fees Exception allows Actors to charge non-discriminatory/uniform fees for data sharing (e.g. hospitals can charge insurers to access a patient’s clinical data). If those fees are too high, Actors may be fined for information blocking.

  • The Psychotherapy Exception excludes mental health providers from these rules.

The ONC also requires two privacy and security criteria (encryption of authentication credentials and multifactor authentication).

CMS repeatedly noted that it does not have the authority to regulate EHI data sharing on non-HIPAA, third-party applications like WhatsApp. Actors are not expected to share data with these kinds of entities. Insurers/health plans are also required to educate their enrollees about the risks associated with sending their personal health data to third-party apps.

Waiting Room’s Take: This is the biggest change to healthcare since the Affordable Care Act. I think of the CMS interoperability regs much like the federal rules on consumer-authorized financial data that advanced transfer networks / aggregators Plaid and Yodlee in the 2010s. 

The burden falls on provider organizations and health IT to become API literate. EHR vendors like Epic are slowly opening their APIs but need much better docs and developer relations. And how will every provider practice and hospital achieve compliance by 2022 with a dearth of developer talent in healthcare? Most do not have, and can’t afford, teams like Mt. Sinai’s Consumer Digital group. 

I believe most Actors will continue to focus on their bread and butter value propositions…which is chiefly providing care, not interoperability. 

That creates a massive opportunity for API interoperability businesses to help Actors exchange data with each other, insurers, and relevant government bodies (B2B) and with patients (B2B2C). Developer experience and network effects also matter; as an Actor, I would want to pick an API network that everyone else is using because my access to other Actors scales with the network.

CMS-Regulated Payers and Social Determinants of Health

Deadline: July 2021

Like Actors, payers (covering Medicare, Medicaid, Children's Health Insurance Program) and Qualified Health Plans (QHP) on the ACA exchanges like Molina and Oscar Health are required to implement FHIR APIs. 

  • Payer APIs must incorporate data for population health purposes like social determinants of health, in-home care, meal preparation / delivery, and transportation.

  • Data must be made available no later than one business day after a claim is adjudicated or encounter data are received.

Waiting Room’s Take: I can’t overstate the importance of population health data on outcomes. Don’t just take my word for it: studies show population health management saves lives and money.

CMS is enforcing a meaningful opportunity for health systems, agencies, and organizations to work together and improve community outcomes. Not only do the pop health data requirements allow Actors to have a full picture of patient health (outside of mere condition codes), the regulation enhances reimbursements. Medicare, Medicaid, and CHIP plans increase per member per month payments from the government if they help enrollees sign up for social services.

Payer-to-Payer Data Exchange

Deadline: January 2022

Medicare, Medicaid, and CHIP payers must comply with patient requests to send their clinical data to other payers, ensuring record exchange if enrollees change plans.

Waiting Room’s Take: If this gets extended or picked up as a practice by commercial insurers, it would solve a huge amount of wasteful/repetitive care. Dare I say, billions in savings? Every time an individual switches insurers, the payer moves mountains to encourage the new enrollee to see a doctor. You’ll see plans offering incentives like free Amazon cards for a visit or exempting copays.

That first physician-patient encounter structures the payer’s understanding of the enrollee’s health and wellness. It’s often incomplete. Payer-to-payer data exchange would reduce this conventional but inefficient practice.

Care Coordination Platforms and Admission, Discharge and Transfer (ADT) Notifications

Deadline: March 2021

As Conditions of Participation (CoP) in Medicare / Medicaid reimbursement, CMS will require healthcare facilities to send key event notifications to other providers who are also caring for a patient, known as admit-discharge-transfer (ADT) notices. 

  • This requirement focuses on event notifications for any patient who accesses emergency department services or inpatient hospital services (like surgery). 

  • The minimum event notification must include patient name, treating practitioner name, and sending institution name.

  • The health system’s ADT platform has to send notifications to all applicable post-acute care providers and suppliers (like nursing homes, specialists, rehab centers, or care at home).

Waiting Room’s Take: For complex hospital stays, coordinating information and post-acute care effectively is a huge challenge. UMich researchers conducted a 3-year study on Medicare patients and found that some hospitals spent 3 times as much on post-acute care as other hospitals. Care settings were a key driver of cost variability (e.g. skilled nursing facility versus in-home care) as was ease of clinical data sharing.

70% of hospitals participate in a national HIE, but a majority use mixed paper-based and electronic methods to share clinical data. This is an opportunity for care coordination platforms that power health information exchanges (HIEs). Many health systems already use some of these tools but the 2021 enforcement date will accelerate adoption. Relatedly, remote patient monitoring (RPM) companies should take advantage of providers and systems improving care coordination; RPM is reimbursable and can bring in net new revenue to Actors.

Provider Directory

Deadline: July 2021

Payers/insurance plans must make standardized information about their provider networks available through a published API.

Waiting Room’s Take: The data included in provider directories largely comes from physician practices via CSV files. The data quality is mixed at best due to providers operating in different facilities. Some sites are just administrative offices for billing and record requests. Other inpatient facilities are for certain kinds of surgery, while some outpatient facilities are barely frequented by a provider. That complexity is rarely reflected in the data. 

Payers improve provider data by manually contacting practices to verify and update their information. According to Berkeley Research Group, 19 states require provider directory updates at least on a monthly basis; CMS requires Medicare Advantage plans to contact providers quarterly.

Interestingly, the onus falls on insurers rather than providers to get better at reporting. That might make sense, considering the average practice works with 20 insurers according to a 2019 CAQH study. But it also results in providers reporting directory information in too many ways, “by fax (38%); credentialing software (13%); email (13%); provider management and enrollment software (5%); and phone or mail (14%).” 

Practices spend at least one day per week on directory maintenance at $998.84 per month, costing practices $2.76B annually. That spend could be halved using APIs. 


So where do these pending changes leave us? A number of companies I mentioned like Redox, PatientPing, and Ribbon have been building for years. In some cases, they anticipated CMS’s rule changes but most were founded by identifying the most impactful yet cumbersome areas of health information exchange. These companies have fought an uphill battle against the inertia of health systems and IT incumbents, like EMRs that stymie data exchange within and outside of health systems, or vendors (like CiOX) whose billion-dollar medical record retrieval businesses succeed because of a lack of digitization.

Meaningful data exchange will enable more informed decision-making by providers, insurers, government bodies, and consumers. More importantly, it’s part of the long, noble pursuit of affordable, efficient, and better care.

The CMS and ONC rule changes were a long time coming, and disruptors are poised to become the next big healthcare companies as Actors seek compliance by 2021/2022. 

It pays to be on the right side of healthcare.


Thank you to Dhruv Vasishtha and Anat Gilboa for being collaborators and thought partners on this piece. I’m always lucky to have their counsel and friendship. 

Disclosure: RRE is an investor in Redox.