Recommendations On the CMS’ Hospital Inpatient Prospective Payment System Proposed Rule By AHA


The American Hospital Association (AHA) members are concerned about the proposed rule by HHS — Centers for Medicare and Medicaid Services’ hospital inpatient prospective payment system for fiscal year 2019. In relation to this, concern is raised on allowing health apps that a patient selects to link to the healthcare providers’ APIs.

Mobile health applications could gather and maintain a lot of personal and medical data including data that can be classified as protected Health Information (PHI) by the HIPAA. The problem is HIPAA doesn’t typically apply to health app creators hence, health information obtained, kept, and transmitted by these applications is probably not secured to the degree mandated by HIPAA. Any time users input data into the apps, they might not know that the security set up to safeguard their privacy is not as rigid as those enforced by their healthcare organizations.

There is a reason for worry any time PHI passes from a hospital to a health app. Patients is probably not informed that their PHI stops to be PHI if it is moved to the app. App developers aren’t restricted by HIPAA Privacy Rule requirements which forbid the giving of medical information like diagnoses, prescribed medicines or test results with third parties.

AHA proposes that CMS ought to work closely with the OCR and the FTC to have a consumer education program to tell the following to people.

  • the difference between PHI and medical information in health apps
  • app developers could disclose health information with third parties
  • the importance of thoroughly reading the privacy policies and terms of conditions of the applications to know what is going to happen to their data and with whom the data is probably to be shared.

Health apps make it possible for patients to interact with their physicians and motivate them to have more concern in their own medical care. The CMS has recommended that hospitals can permit any application that a patient selects to link with their APIs, so long as they conform to the technical specs of the API. Though sharing medical data like this will help patients be active in their own health, security concerns should be taken into account.

To strengthen confidence in the reliability of provider to patient exchange, AHA advises that stakeholders must come together to produce a risk-free app ecosystem for sharing medical information. There must be benchmarks to make certain a baseline of protection, comparable to the Payment Card Industry Data Security Standard (PCI DSS) and a vetting method for apps, related to that employed by the CMS before apps could connected to Medicare claims information via the Blue Button 2.0 API.

Regarding PCI DSS, safety measures should be included to make sure the protection of payment card data. With regards to the Blue Button 2.0 system, an app evaluation procedure is available to assess applications before they’re authorized to connect. Developers also need to accept the terms and conditions of the CMS. It’s not possible to hook up any app that complies with the technical requirements of its API. The AHA advises the defenses integrated by the CMS can be a basis for a sector-wide method to creating a reliable app ecosystem.

Concern is likewise raised regarding the possibility of healthcare companies that deny an app from hooking up to their API because of security problems such as data blocking, therefore putting them susceptible to a meaningful use payment penalty. CMS proposes that CMS work together with ONC and OIG to make certain that these security measures are incorporated in the pending guidance on actions which is not construed as data blocking. CMS must likewise work together with ONC and FTC to establish a place for hospital and health networks to report suspicious apps so others could know and take necessary steps.