Health plan achieves interoperability compliance through cloud implementation

Client background

The client is a recently established medical savings account (MSA) health plan that contracts with Medicare. At the time of this engagement, the company was less than three years old.

The business challenge

Because the company is a Medicare Advantage (MA) plan, the company was subject to the Interoperability and Patient Access final rule (CMS-9115-F). First and foremost, the company needed assistance with understanding and complying with the final rule, which required the client to adhere to specific technology standards, including:

• Health Level Seven (HL7) Fast Healthcare Interoperability Resources (FHIR) 4.0.1
• OAuth 2.0
• OpenID Connect
• Substitutable medical applications, reusable technologies (SMART) on FHIR app launch

The health plan also did not have any existing digital touchpoints with their members compared to larger, more established health plans and needed assistance choosing a cloud-computing platform. While the client utilized a third-party administrator vendor for all claims processing, the new interoperability ruling required the client to (1) establish a patient access application programming interface (API) allowing members access to their health information via third-party applications (effective July 2021) and (2) support a payer-to-payer data exchange to achieve compliance (effective January 2022).

The Baker Tilly approach

Baker Tilly helped the health plan interpret the operational implications of the final rule as well as what processes and technology were required in order to become compliant. With the company having a minimal amount of digital assets, Baker Tilly assisted in developing the technology infrastructure needed to comply with the final rule and in deploying a custom software solution to implement all the requirements.

Baker Tilly led the selection of the cloud-computing platform, an out-of-the-box managed service from which Baker Tilly used several components of the technology stack to build a custom solution for the client’s particular needs, including:

• Supporting the HL7 FHIR 4.0.1 standard, allowing for SMART on FHIR app launch and securely storing protected health information (PHI) in a compliant cloud environment
• Identifying a management service that, in conjunction with custom user flows, enables the client’s members to verify their digital identity and create online accounts via client-branded registration/sign-in screens
• Creating a web portal that leveraged much of the same infrastructure built to comply with the final rule, namely the Patient Access API, and enabled client’s members to access health information such as coverage details and claims without the use of a third-party consumer application
• Forming a process to register third-party consumer applications so  they can connect to the Patient Access API
• Integrating client-branded authorization screens that explain to members the risks of sharing their data with third-party applications (e.g., data shared with third-party applications is likely not covered under HIPAA) as well as additional information about the privacy policy practices of the third-party application  

Baker Tilly also helped with the development of the operational infrastructure of the new business processes so the company could become self-sufficient and sustainable after the end of the engagement, including the creation of:

• Job aides to assist with the client’s customer support center so its representatives were able to answer questions about the newly implemented assets (e.g., patient access API and member portal)
• A privacy policy attestation form for third-party consumer applications to review and respond to, which documents whether the third-party application attests that they upload data according to industry best practices
• Business processes and training employees to maintain the newly built technology asset
• Member education materials such as the “Guide to Sharing Information with Third-party Applications” that explains to members the various ways they can leverage third-party applications to access their health information and the risks of sharing their data with third-party applications

The Baker Tilly impact

The client achieved compliance with part one (i.e., patient access API) of the Interoperability and Patient Access final rule by the law’s implementation date. In addition, the company now has built a solid foundation for its technology infrastructure to build off for further operational enhancements.

For more information on this topic, or to learn how Baker Tilly’s interoperability specialists can help, contact us now.