Interview Transcript: Final Rule Means CIOs Must Share ADTs, But Had Better Know Where They’re Going

PatientPing’s Co-Founder & CEO says the benefits to care quality will be significant if done securely.

PatientPing CEO, Jay Desai, sat down with HealthSystemCIO to discuss CMS’s Interoperability and Patient Access Final Rule and how it will impact the industry. Below is the transcript of the interview.

On March 9, HHS and ONC published the long-awaited and hotly-debated 21st Century Cures Interoperability Final Rule which also covers information blocking and certification. While the interoperability rule may have been the most hotly debated part, an important section requiring hospitals and health systems to send electronic notifications to other healthcare providers when a patient is admitted, discharged, or transferred could have the greatest impact on care quality. In this interview, Jay Desai, Co-Founder & CEO of PatientPing, breaks down the rule and offers advice on how CIOs can get into compliance.


Guerra: Hi Jay, thanks so much for joining me today. I really appreciate it.

Desai: Thanks so much for having me.

Guerra: Can you tell me a little bit about your organization and role?

Desai: I’m Jay Desai, the CEO and co-founder of PatientPing. PatientPing is a care coordination platform. We have a number of products but our flagship product is called Pings which are real-time notifications when patients are admitted or discharged or transferred from a variety of facilities including ERs, hospitals, skilled nursing facilities, home health agencies, and a number of other points of care.

Guerra: All right, very good. So this will be a bit of a long question but, don’t worry, I’ll get to an end at some point (laughing). The long awaited and anticipated final rule on interoperability, information blocking and certification, as I’m sure you know, was just released. It establishes a new condition of participation. I’ll call it the CoP, I suppose, for all Medicare and Medicaid participating hospitals. And it requires them to send electronic notifications to another healthcare facility or community provider or practitioner when a patient is admitted, discharged, or transferred. So let’s start with the pre-final rule, the existing situation, so to speak, what do hospitals have to do or not do in this area today and how will this new rule change that?

Desai: So today, actually prior to today, hospitals really didn’t have any federal requirements to make their ADT or admission, discharge, and transfer feeds available to the various providers that may have an interest in knowing about it or the providers that are designated by that patient for who they may want to receive a notification. There are some states that have specific requirements. Sometimes they’re tied to Medicaid specifically or they may be a broader initiative at a state level facilitated by a health insurance provider within their region. But for the most part, there isn’t an explicit requirement for hospitals to share this information. Now that doesn’t mean that many aren’t doing it. Many of them do provide ADT event notifications through a variety of means. I could break it into two principal mechanisms by which those notifications are delivered.

One is patient directives. So if I’m a patient I show up at the hospital and I say my doctor is Dr. Manning and I need to send a notification, the hospital provider then can see who their doctor is and then send a notification. Often that’s done by the EHR. The other is sort of a roster-driven or provider-driven event notification where doctors may have a list of patients they’re responsible for, let’s say through an ACO relationship, that they want to take accountability for and deliver high quality coordinated care. And so if any of the patients on their panel or their roster have an event at an ER or a hospital, they want to receive that notification. So basically there’s a requirement (for some intermediary often) to listen for the event notifications on that panel of patients. And then for that intermediary to route the notification to the right provider who wants to receive that information.

So those are the two different mechanisms. I’d say that, in many instances the former, the patient-directed notifications, is an EHR capability, the discharge information is shared through some of the requirements under the discharge planning rule for meaningful use. But this is just adding a little bit more specificity around an event notification. I think on the roster-driven, panel-driven event notification, I think it’ll add more opportunities for accountable care organizations, risk-sharing entities, primary care groups, and prior post-acute providers to be able to receive notifications about those patients.

Guerra: So everyone’s definitely not starting from the same point.

Desai: Absolutely. There are some hospitals in the country that are sending ADT feeds to their state, i.e., to vendors like PatientPing, and then other vendors have their own interfaces set up with high volume referral practices within their region. They’re sending patient-directed notifications with attached CCDs and really making it very easy for the community providers that may sit outside of their hospital to access the information and get the information they need both through push event notifications or through exposure to a portal that providers can get access to. There are some hospitals that are far on that end of the spectrum.

And then there are other hospitals on the other end of the spectrum that I would say have really closed off the walls, not necessarily because that is what they want to do. They may not have the organizational resources or the market demand for receiving this information, or they resisted sharing this information for business reasons. There could be a variety of reasons why they’ve done that. And for those groups, they may not be exposing ADT messages or making it available to the various providers who want to receive that.

So I think this regulation will make it so that those folks at the bottom end of the spectrum (in terms of their sophistication as it relates to sharing this ADT information) kind of move closer towards at least the middle. The requirements aren’t that onerous or that strict; however, they do put a burden on hospitals to make this information available which I think over the long term they’ll really value because it does make the hospital a better partner within their region and a higher quality provider.

Guerra: Well let’s say we’re talking to those CIOs of hospitals or health systems that are at the lower end of the spectrum in terms of their capabilities in this area. What’s your best advice for them on how to get started working towards compliance?

Desai: So I think that one thing is to really understand the regulation. The regulation requires hospitals to make a baseline set of demographic fields and identifying information available to a range of the patient’s established providers. And that could be their primary care provider, that could be a prior post-acute provider, or one to whom the post-acute referrals are being made and then possibly the patient’s practice group (that the provider is a part of) which may include their ACO or other care management organization.

So I think it’s important for hospitals to understand who those groups are that are going to want that information and need that information to deliver high quality care. They may already know about it because they have established referral relationships within their community, but there may be other providers that exist outside of their state – even outside of their traditional data sharing relationships – that do have an interest in knowing about these ADT events, so that’s one.

Two, is I think really prioritize security and stability here. I think we’re in this era now where hospitals are going to be required to share their data broadly with third-party vendors, with referral partners within the community, and I think CIOs rightly are feeling anxious and nervous about what’s happening with that data. Where is it going? Who’s seeing it? And I think it’s important that they work with partners that make it really clear to them how that data is being used. Where it’s going? So that when the CIO does make this information available out to the various participants that may want the information, the CIO is able to see where it’s going and have some control over that.

I think that’s another important dimension. So know who this data has got to go to, know what data needs to get shared, as I said there’s baseline requirements on it. Insist on security and stability from the vendors that you do work with or, if you’re doing it in-house, set up the infrastructure to be able to do it in-house with security and stability as a core part of the solution that you’re building. I think it’s important to understand the ecosystem of your options available to you. There’s a number of ways that folks can meet this need. There’s HIEs, there’s vendors like PatientPing and others, and then there’s ways of doing it in-house. You can set up your own access to your ADTP. I think understanding that it may not be one solution that you go with. You may partner with multiple solutions to ensure that you have compliance. You could sort of outsource this delegation, this task of helping other entities get access to that information, but understand what the ecosystem out there is for possible solutions. Because there may be several that are very cost effective and easy for folks to stand up while still ensuring they’re compliant.

Guerra: Have you made yourself familiar yet with the timeline of when people have to comply, and do you think it’s manageable for those that are getting started and not very advanced?

Desai: It’s definitely manageable and it’s fast approaching. May 1, 2021 is the timeline for implementation. The good news is all that is ADTs. You’ve got to send your ADTPs out and make them available and then make sure that they’re getting routed to the right destination.

Now I suspect every hospital in America at some point has sent their ADTPs either to an immunization registry or local public health agency or they use it internally for census tracking and management. So it’s just reflecting that feed out into the various providers that may want to access it, having the system capabilities to be able to do that and working with intermediaries to get that information communicated to the right entities in a simple and low cost way.

Guerra: Does that surprise you – that six months? That seems surprising to me.

Desai: The notice for proposal rule making has been out for quite some time, so I think the industry has had time to think about this regulation and anticipate its arrival. The final rule is out now and, like I said, it’s typically a 60 day timeline for implementation. So they did extend that from 60 days out to six months.

In the original interoperability roadmap that ONC released, I think they had a January 1, 2021 date for implementation of the ADT requirement. So it’s a little bit earlier than that. But at the same time, I think there’s broad recognition that this capability is one that is eminently achievable; many folks already have partial solutions or are working on this today, and to get to the place where they’re compliant I think shouldn’t be that difficult.

Guerra: In the final rule they talk about healthcare facilities, community providers and practitioners. Do they need to be taken separately in terms of complying with the rule?

Desai: It’s a good question. CMS, in the final rule, (compared to the original notice of proposed rule making) did narrow the definition of what’s considered an established care relationship. I think that language makes it pretty clear as far as who those providers could be. Mostly it’s directed by the patient, who the patients name as their primary provider. But primary providers who are doing the work of coordinating care and improving quality, and for treatment purposes, may exist within an ACO as a care management entity, and that ACO actually is affiliated with the primary care group.

There’s a lot of ways for patients to have an established care relationship with their provider, and I think that there’s a well-developed point of view and well developed literature on how that all maps.

Guerra: So regarding the specific terms, what does the final rule say about that?

Desai: They actually updated the language in the final rule regarding what’s considered the patient’s provider team, which I can actually read.

Guerra: Okay, real time. Let’s hear it if you have it.

Desai: The way they define it is “the patient’s established primary care practitioner, the patient’s established primary care practice group or entity, or other practitioners or practice groups or entities identified by the patient as the practitioner or practice group or entity primarily responsible for his or her care.” So that’s one group.

Guerra: That’s clear (laughing).

Desai: So then the second group is “applicable post-acute care services providers and suppliers with whom the patient has an established care relationship prior to admission or to the patient being transferred or referred.” Those, I would say, are the two broad cohorts, and there’s examples within the final rule language of what that looks like.

Guerra: I don’t mean to make light of it; I’m sure people put a lot of thought into these words and did the best they could.

Desai: It’s important. If you’re a hospital and you’re disclosing information to who you think the patient’s doctor is or provider is, you don’t want that data going all over the place. You want it going to that patient’s provider or providers, which may include a small cohort. And that shouldn’t be everybody.

If you were a patient’s primary care provider six years ago, you probably shouldn’t get a notification of the admission. There’s probably a reason that they haven’t seen you again. So I think it’s important that we get it right as far as who is seeing this information from the hospital’s perspective.

Guerra: Let’s talk a little bit about intermediaries. The rule states that hospitals can use intermediaries to be compliant. Does that mean hospitals using HIEs are compliant?

Desai: I think that the burden on the hospital is to make this data available to the patient’s care team, those established care relationships. A state health information exchange may provide the capabilities to make this data available to a range of providers. Now, if that’s limited to their state, there may be providers outside the state who want access to that information – that may or may not constitute compliance, if the HIE doesn’t have the capability to meet that need.

Sometimes there are HIEs that don’t have the ability to accept certain types of patient lists/patient rosters. If the HIE is able to handle a broad range of provider types, operate at scale, work across the country, work across the nation and then meet the requests of the various providers that may want access to the data, then theoretically the hospital could meet compliance. If the HIE in turn has a policy where they make the data available to other organizations that have an interest in knowing about those encounters, then that may be another way that the HIE is compliant.

So I think what’s going to happen is that hospitals will realize there’s a handful of groups out there that have patient lists that they’re taking accountability for delivering notifications to their customer partners around, and it will probably make sense for hospitals to partner with multiple entities because it’s relatively straightforward; it just mirrors an ADTP. And they may have their own process around how they manage the matching process or otherwise.

Again, this is speculation. I think it will be important to see how the market meets this need, but the way the language is written right now it appears that it will be in the best interests of the hospital to work with multiple partners. And, over time, I think the intermediaries will ideally work with each other as we have done in several states and that’s another way that the solutions will develop in the market.

Guerra: How do you think this is working out on the ground, in terms of budgeting and dollars? For example, if you’re a CIO as we mentioned on that lower end of the spectrum, you need some dollars to get this done, you need to spend some money. What if you don’t have it and you haven’t allocated for it and budgeted for it, and you’ve got to get this done in six months. What do you think is playing out down there in the trenches in terms of compliance? Is there a big dollar amount associated with getting in compliance if you’re starting from ground zero?

Desai: You know, really, there shouldn’t be. I think that CMS in their final rule did offer some information or some general guidelines around the level of effort required for something like this. I think they pointed to possibly a one-time set up fee and then some recurring maintenance fees. Those dollar amounts should not be very large. They probably are a function of the size and scale of any given hospital. But making an ADTP available to those providers in the community is not necessarily the heaviest lift; it’s not like buying an EHR.

But at the same time the CIO should feel secure and confident that the data they are sending out into the market is being appropriately handled and only delivered to the right providers who should actually be in an established care relationship with the patient, they should know where this data is going. And I think that will probably be the only burden that a CIO would take on – that they should feel obliged to pay for – is the added peace of mind. I don’t think this is going to be a heavy cost burden, and it shouldn’t be breaking the bank for hospitals.

Guerra: I’m sure you heard there were some concerns with the proposed rule, specifically from Epic. Did you hear those issues and did you agree with them?

Desai: In all candor, I’ve focused heavily on the 70-odd pages that are focused on the condition and participation for the ADT notifications or the electronic notifications. But I do think that there’s a similar theme to the broader information blocking type of legislation that is in the ONC rule. Regarding Epic, I think their point that if the data is just free flowing and going wherever it needs to go – meaning it’s going to third-party vendors and anybody who asks for it – there’s a legitimate concern around what those vendors are doing with this data that’s coming out of the EHR, and who are they selling it to and what’s happening with it. I think that’s a legitimate concern.

Obviously there’s counterpoints to that and there’s infrastructure and there’s mechanisms with which you can protect the data, so I wouldn’t say that’s a reason to delay the rule or cancel the rule; but rather it’s a reason to ensure that appropriate safeguards are met to make sure that patients’ data is protected and secure.

As it relates to the ADT point, there isn’t anything explicitly called out as far as data privacy and security beyond ensuring that the delivery or the provisioning of the electronic notifications is subordinate to any HIPAA or state or local regulation, which I think is obviously critically important, otherwise you’re breaking the law.

But beyond that, I think it’s going back to the point that we were discussing earlier which if you’re a CIO and you’re sending out your data, that could be ADTs or that could be other data, it’s really important that you know where it’s going. Because you don’t want that getting into the wrong hands. We don’t want another Cambridge Analytica with this health data that’s taking the information and doing something wrong with it. So the burden is on the intermediaries that are facilitating the exchange of information to ensure that it’s going to the right place. And I think that CIOs should put that burden on their intermediary partners because it’s a shared burden. We as intermediaries need to make sure that we’re not sending this data to anybody other than folks who are falling within the parameters of legislation and have a valid reason to receive this information for care coordination or treatment or quality improvement. That’s really important.

I think that CIOs and vendors need to work together to ensure that’s what’s happening. I think that same parameter, that same kind of general principle, applies to the broader community.

Guerra: Overall, is this rule a good thing?

Desai: Absolutely. I think PatientPing is not really focused on whether the rule should be a condition of participation or it’s within the promoting interoperability legislation or how the ultimate rule is provisioned. To date, Medicare has clearly taken the stance that this is a condition of participation. So that’s what it is now. Our role is to facilitate the implementation of this rule and make it really easy for hospitals.

I don’t think if you talk to hospitals and you ask them: would it be useful to send a notification out to the patient’s provider of that encounter; that hospitals would say that’s not a good thing. I think it’s well known and highly understood that better coordination of care between acute care providers and the community of providers that support those patients, particularly in real time during clinical encounters, is the right thing to do for patients. PatientPing has been doing ADT notifications now for over six years and we have reams and reams of examples of how patients’ lives have just meaningfully improved when their doctor and the providers in the hospital are working together, both during the encounter and during the handoff after the discharge.

And I definitely know that if it was my mom who was hospitalized I would want her primary care doctor to know about it, so that when she leaves, that doctor can make sure that the meds she got prescribed while she was in the hospital are not going to interact adversely with the meds she may be already on. I think that’s what this is all about; it’s about making sure the patients don’t fall through the cracks, that care transitions are supported and care is just better. I think this legislation is going to go a long way towards making that a reality.

Guerra: Any final thoughts, more advice, parting words for our CIO listeners?

Desai: I think CIOs are likely going to experience an uptick in the requests from their community partners – that could be providers, primary care, ACO type relationships – that want to know when patients present at their hospitals and EDs, and those requests are going to come from their local community partners that they’ve been working with for decades, and they’re going to come from providers that may be further outside their immediate community or even outside their state, and unusual types of providers, like home health agencies or SNFs that they’re not used to typically exchanging data with. We’re excited to help them along that journey. This won’t mean new problems for them, but it will be an exciting and interesting time for them to think about prioritizing some of these issues and think about solutions for how they’re going to meet the need.

Guerra: Jay, I think that will about cover it today. I really appreciate your time. I think this is a lot of great information and will really help people get a sense of what they need to do now.

Desai: Great. Thank you so much. I appreciate you having me on and it’s great to chat, Anthony.

Guerra: Have a great day.