Download PDF

December 6, 2022

Submitted via the Federal eRulemaking Portal: http://www.regulations.gov

Administrator Chiquita Brooks-LaSure

Centers for Medicare and Medicaid Services

7500 Security Boulevard

Baltimore, MD 21244

RE: Request for Information; National Directory of Healthcare Providers & Services [CMS-0058-NC]

Dear Administrator Brooks-LaSure:

The College of Healthcare Information Management Executives (CHIME) respectfully submits our comments to the Centers for Medicare & Medicaid Services (CMS) in response to the “Request for Information; National Directory of Healthcare Providers & Services” as published in the Federal Register on October 7, 2022 (Vol. 87, No. 194).

Background

CHIME is an executive organization dedicated to serving chief information officers (CIOs), chief medical information officers (CMIOs), chief nursing information officers (CNIOs) and other senior healthcare IT leaders. With over 5,000 members, CHIME provides a highly interactive, trusted environment enabling senior professional and industry leaders to collaborate; exchange best practices; address professional development needs; and advocate for the effective use of information management to improve the health and healthcare in the communities they serve.

This request for information (RFI) solicits public comments on establishing a National Directory of Healthcare Providers & Services (NDH) that could serve as a ‘‘centralized data hub’’ for healthcare provider, facility, and entity directory information nationwide. Through this RFI, CMS seeks input on the current state of healthcare provider directories and steps that they could or should take if they conclude that adequate legal authority exists to establish an NDH and proceeds to do so. In our comments, CHIME provides responses to address the questions and assertations in the RFI. Additionally, we offer feedback and recommendations to constructively improve a future NDH.

Key Recommendations

CHIME appreciates CMS’ belief that they “may have an opportunity to alleviate some […] burdens and improve the state of provider directories through a CMS-developed and maintained, Application Programming Interface (API)-enabled, national directory.” CMS states that an NDH, “could serve as a “centralized data hub” for directory and digital contact information containing the most accurate, up-to-date, and validated (that is, data that is verified by CMS against primary sources) data in a publicly accessible index.”

You will get no stronger champion than CHIME when it comes to the needs for the use of standards aimed at facilitating better patient care and thus we agree with the concept of an NDH. We furthermore agree that standardization and payer participation, as detailed further below, are the only ways that an NDH could serve as the “centralized data hub” CMS has envisioned. However, where we diverge in our thinking is that without making an NDH a joint responsibility across stakeholders specifically with the entire ecosystem of healthcare payers – not simply a subset – CMS will simply shift more burden onto providers that are already severely strained, understaffed, and under-resourced.

Across all stakeholders, different provider data sets from the provider directories flow down into the foundational healthcare transaction systems to support different operational workflows. The difference in data sets, the integration of the data across the stakeholders and the flow down of data to the operational transactions systems, needs to be more deeply understood before an NDH can be designed. Without greater standardization, integration understanding, and participation by all payers, an NDH cannot lead to the efficiencies CMS envisions and most certainly will not better enable providers to coordinate care for their patients and for patients to find providers. It furthermore could constitute a significant burden on small and under-resourced providers. Most providers are experiencing significant challenges related to post-pandemic burnout, workforce shortages, and rising cybersecurity attacks.

We urge CMS to give thoughtful consideration to the implications of imposing this new requirement. Again, while we agree that the concept is well-intended, we worry this will result in an unfunded mandate and will not address some of the key challenges it aims to solve. Therefore, CHIME is respectfully requesting that CMS not move forward with an NDH at this time.

Detailed Recommendations

As CMS acknowledges, consumers use provider directories and online searches more than any other resource; we agree these are important resources and that the fragmentation of current provider directories requires inefficient, redundant reporting from providers. As CMS notes in this RFI, “healthcare directories that contain aggregated information about healthcare providers, facilities, and other entities involved in patient care are crucial resources for consumers and the healthcare industry.” CHIME also agrees with CMS’ statement that healthcare providers must submit directory information in various ways, including by fax, credentialing software, provider management and enrollment software, phone, and physical mail. We furthermore broadly agree that this “disjointed system results in barriers to patient care, administrative burden on providers and their staff, and increased cost for the entire healthcare industry.”

To align with national standards for interoperability, CMS suggests that an NDH could be built on the standards established by the Office of the National Coordinator for Health Information Technology (ONC). CMS states that: “Specifically, an NDH could use HL7® Fast Healthcare Interoperability Resources (FHIR®) APIs, the latest standard for which is codified at 45 CFR 170.215(a)(1), to enable data exchange. FHIR is a standard for exchanging healthcare information electronically that enables rapid and efficient data transactions through an API.” There are several practical issues that must be addressed before the efficiencies envisioned by CMS are realized: 1) Participation by all payers, not just “impacted payers”; 2) Greater standardization and a thorough analysis on the security implications; and 3) A more thorough review of the provider burdens that will ensue without addressing these practical considerations.

CMS should recognize that a future NDH, as envisioned in this RFI, must truly reduce reporting burdens for healthcare providers. Additionally, ensuring that standardization and thorough testing to ensure accurate provider information is transmitted securely will be an essential part of a patientfriendly, secure, and functioning NDH. Currently, with the ongoing evolution of healthcare exchange facilitate by application programming interfaces (APIs) it is essential to ensure that the data needed is standardized and ready to be exchanged via API, and that the burden of implementation is jointly placed on the vendors and payers, not just the providers. For these reasons, and the additional detailed below which we outline further below, CHIME is urging CMS, to not move forward with an NDH at this time.

Participation Needed Beyond “Impacted Payers”

Per the CMS Interoperability and Patient Access final rule, “impacted payers” are only required to make the data they maintain in their systems available through the Patient Access API and for exchange with other payers. If a payer does not maintain clinical information for covered patients in its systems, the payer will not have to share clinical information through the Patient Access API or for exchange with other payers. CMS finalized that impacted payers are required to include through the Provider Directory API for in-network providers and contracted networks a public facing Provider Directory API which must include data on a payer’s network of contracted providers. Impacted payers include: Medicare Advantage (MA) organizations; Medicaid state agencies; Medicaid managed care plans; Children’s Health Insurance Plan (CHIP) state agencies; and CHIP managed care entities.

CHIME broadly agrees with CMS that “a modern healthcare provider directory should serve multiple purposes for end users.” We further agree that: “In addition to helping patients locate providers that meet their individual needs and preferences, a modern healthcare directory should enable healthcare providers, payers, and others involved in patient care to identify one another’s digital contact information, also referred to as digital endpoints, for interoperable electronic data exchange.” However, without requirements for private payers to utilize the Provider-Access APIs, there remains limited applicability for providers to utilize this API, as it would not impact a significant portion of their patient population. According to Definitive Healthcare, private payer revenue was $713 billion in 2020 as contrasted with Medicare revenue which was $178 billion. Furthermore, as CMS notes, providers contract with 20 payers on average – leading to a multitude of complexities, especially if you are not including all payers when building an NDH. In other words, without all payers – including private payers – being subject to the same requirements as providers and clinicians, a future NDH as envisioned by CMS in this RFI will be nearly impossible; especially given most providers’ patient populations fall into either private payers or MA plans.

Greater Standardization, Security & Use of APIs

CHIME supported the development of a Provider Directory API during the proposed rulemaking phase. However, we urged both CMS and payers to ensure that the burden for collecting and verifying the data contained within the Provider Directory API remains the payer’s responsibility and is not a burden that is shifted to the provider organization. We are reiterating these statements again in our response to this RFI. Provider Directory API remains a joint responsibility and is not a burden that should be shifted unilaterally to providers.

The above impacted payers are required to make certain information accessible through the Provider Directory API, including provider names, addresses, phone numbers, and specialties. Directory information must be available to current and prospective enrollees and the public within 30 calendar days of a payer receiving provider directory information or an update to the provider directory information. There are additional content requirements for the provider directory under the Medicaid and CHIP managed care program. Verifying data should be appropriately assigned to stakeholder use cases. Until the integrated workflows and an associated data standard can be identified across all stakeholder workflows, a FHIR API cannot be designed.

CMS did not, however, specify how payers manage access to APIs for provider directories for providers managed through contracted networks. Therefore, “ payers may make appropriate business decisions for ensuring availability of the Provider Directory APIs, making them accessible, and providing information or links on the payer website to direct interested parties to those APIs [emphasis added].” Additionally, the Provider Directory API must be publicly available and exclude the security protocols related to user authentication and authorization and any other protocols that restrict the availability of this information to particular persons or organizations. Given the myriad cybersecurity challenges faced by our sector we question why CMS states in their provider directory FAQs that that security protocols are excluded. The CMS FAQ states:

* Question. May a payer require the developer of a third-party application or the third-party application itself to register in order to use the Provider Directory API?

Response. No, a payer may not require the developer or the application that accesses the Provider Directory API (or its documentation) to register to use the Provider Directory API. The Provider Directory API endpoint must be made publicly accessible and payers subject to the Provider Directory API requirement must make that API publicly accessible. The API technical standards for the Provider Directory API exclude the security protocols related to user authentication and authorization and any other protocols that restrict the availability of this information to particular persons or organizations* . (emphasis added) In addition, payers must make sure that the API and its documentation are accessible via a public-facing digital endpoint on the payer's website. Specifically, the final rule requires payers make the Provider Directory API accessible via a public-facing digital endpoint on their website to ensure public discovery and access. Given this is generally publicly available information at this time, restrictions are not permitted. However, under the payer’s obligation to keep its systems secure under other rules, payers may put certain information behind an initial firewall in order to protect against a denial of service attack, much as they would currently protect data for any website. Otherwise this must be a truly public and unrestricted digital endpoint.

Furthermore, in the CMS Interoperability and Patient Access final rule, CMS did not require a specific mechanism for the payer-to-payer data exchange. Rather, CMS required impacted payers to receive data in whatever format it was sent and send data in the form and format it was received, which ultimately complicated implementation by requiring payers to accept data in different formats.

According to CMS:

Since the rule was finalized in May 2020, multiple impacted payers have indicated to CMS that the lack of technical specifications for the payer-to-payer data exchange requirement is creating challenges for implementation, which may lead to differences in implementation across industry, poor data quality, operational challenges, and increased administrative burden. Differences in implementation approaches may create gaps in patient health information that conflict directly with the intended goal of interoperable payer-to-payer data exchange.

After listening to stakeholder concerns about implementing the payer-to-payer data exchange requirement and considering the potential for negative outcomes that impede, rather than support, interoperable payer-to-payer data exchange, CMS is exercising enforcement discretion to delay the payer-to-payer data exchange requirement until future rulemaking is finalized.

CMS outlined within the final rule how providers will be able to utilize these APIs in order to fill gaps in patient records and retrieve prior authorization decisions for covered and denied services. However, given that the payer-to-payer data exchange requirement has been delayed until future rulemaking can be finalized, we urge CMS to delay moving forward with any proposed rulemaking regarding an NDH. Understanding the long-term ramifications of these policies is important and CHIME urges CMS to ensure payers do not inadvertently pass down burden through the implementation of an NDH that is likely to fail without all stakeholders being able to participate (e.g., a functional payer-to-payer data exchange is required).

CHIME previously recommended that CMS and payers work with the vendors of electronic health record (EHR) technology and other provider utilized technology to ensure that access to the Patient Access API for providers does not require additional costly deployments of updated EHR technology for providers. Without this collaboration a scenario could present itself where payers are encouraging providers to utilize an API that they are not able to access or utilize in a care setting. We also have significant concerns around payers self-policing their APIs – and strongly believe more oversight will be needed. CMS needs to build to roadmap first; they need to outline a set of standards for use with a provider directory (i.e., USCDI) before attempting to develop a FHIR API. Examining a potential NDH should be done through a broader lens – including the challenging landscape providers have faced and continue to face over the last nearly three years – and taking into account other current mandates and mandates on the horizon.

Reducing Provider Burden

In this RFI, CMS asserts that an NDH: could serve as a “centralized data hub for directory and digital contact information containing the most accurate, up-to-date, and validated (that is, data that is verified by CMS against primary sources) data in a publicly accessible index. An NDH could both streamline existing data across CMS systems and publish information in an easier-to-use format than is available today. More useful public data could help patients find providers, facilitate interoperable provider data exchange, and help payers improve the accuracy of their own directories [emphasis added].” The true burden most of our members experience is with payers providing updated information in a timely manner – or not at all – to providers. Additionally, the API technical standards – which do not yet exist – would require additional staff to implement them.

One of the most significant challenges inhibiting the safe and secure electronic exchange of health information is the lack of a national, recognized patient identification standard. As our healthcare system moves toward nationwide health information exchange, the lack of this essential core functionality is the single biggest barrier to achieving true interoperability. CHIME has consistently advocated for a national, digital patient identification standard. As the exchange of health data becomes more commonplace, the accurate, efficient identification of patients with their medical record data is a foundational component to interoperability and without it – is a major threat to patient safety.

We would like to take this opportunity to re-emphasize the recommendations we offered CMS previously in our letter to CMS related to Medicare Advantage plans in response to their RFI on ways to strengthen these plans. We believe that increasing standardization across the thousands of MA plans and MAOs – including, but not limited to, standardized submission processes, response times from MA and MAOs to providers regarding delays/denials of services, payment time frames, and time requirements to respond to appeals – will reduce the burden on providers. Standardization across the policies regarding how MA plans are paid and administered would offer a significant reduction in burden on clinicians across the care continuum, decreasing the current urgent “clinician burnout” that our country is facing. Importantly, reducing the substantial time providers must spend navigating individual MA plans and their evolving rules would “unlock” countless hours of time that could be used to improve patient care and innovate new workflow and care processes. Before CMS undertakes a complex process of establishing an NPD, we recommend they address some of the foregoing issues related to MA plans.

In many instances, each payer has the option to choose how to meet the above indicated “legal requirements”, such as providing a patient list to a provider. By continuing to allow each payer the option to choose their own process, a significant burden is placed on providers. For example, providers that accept multiple different payers will continue to face scenarios where retrieving a patient list could include as many as ten – if not more – different processes. If CMS chooses to simply ignore the shared responsibilities of payers – and legal obligations – and require equal participation of payers, an NDH will create additional burden on providers and would render CMS’ stated intention to reduce provider burden completely moot.

CMS must recognize that a future NDH, as envisioned in this RFI, must truly reduce reporting burdens for healthcare providers. Additionally, ensuring that standardization and thorough testing to ensure accurate provider information is transmitted securely will be an essential part of a patientfriendly, functioning NDH. If and when CMS decides to move forward, that we strongly recommend that the NDH be tested in a pilot mode.

Finally, it is crucial that these APIs are standardized. As previously discussed above, if each payer creates its own specification for how providers should access their respective API, then a scenario exists where a provider needs to maintain a multitude of specifications to connect to each individual API – this would defeat the intent of standardization. With each connection implementation different, providers would inherit a significant burden of having to work through potentially 10 or more different APIs for as many as 20 different payers and connection specifications. With provider participation in these APIs voluntary, exponentially increasing burden to retrieve the information has the potential to discourage participation and utilization of the provider access API. Taken together, we fail to see how, without addressing the collective issues we raise, that the estimated $1 billion in savings CMS says could occur will indeed materialize.

Conclusion

In addition to the above recommendations focused on standardization, existing challenges, and provider burden, we would like to reiterate that we are respectfully requesting that CMS not move forward with any proposed rulemaking to implement an NDH at this time. Healthcare providers are still recovering from the COVID-19 pandemic and public health emergency (PHE), and we do not believe that the NDH as “envisioned” by CMS, would achieve any burden reduction for providers – and could potentially be detrimental and add additional burden.

CHIME appreciates CMS’ issuance of this important RFI on a future NDH. CHIME and our members would appreciate the opportunity to further discuss this RFI with CMS, in order to provide a better understanding of industry readiness to meet the requirements an NDH would require and help to ensure CMS achieves a successful implementation of future requirements.

In closing, we would like to thank CMS for providing the opportunity to comment on this important Request for Information. Should you have any questions or if we can be of assistance, please contact Chelsea Arnone, Director, Federal Affairs at [email protected] .

Sincerely,

Russell P. Branzell, CHCIO, LCHIME | President and CEO | CHIME