Interoperability Deadlines Are Coming:
Are You Prepared?

24 August 2020
By Claudia Miller, Chelsea Wyatt, Paul Murphy and Robert Faix

Since the onset of the pandemic, healthcare executives have been leading through the crisis to deliver more, faster — with fewer operating, capital and human resources. With an already-full agenda, executives are now faced with looming interoperability compliance deadlines, effective November 2. Given competing demands and time, many are questioning whether to address new requirements now or wait until further clarity on penalties are published by the Office of the Inspector General (OIG).

Taking action now is essential. Those who do not meet deadlines risk near-term public reporting exposure, and substantial penalties still stand, even if enforcement has been pushed out in recognition of the COVID-19 impact. Moreover, waiting means a missed opportunity to leverage the effort to achieve broader IT and organizational goals.

In this first article in a series aimed to help healthcare executives take a strategic approach to compliance, we explore the rules, timelines and provider responsibilities.


of CIOs indicate they are
concerned about being ready
to meet the November 2
compliance deadlines.

"There’s growing concern that health systems are falling behind in addressing requirements. The level of effort over the next three months will be sizable, complex and enterprise-wide."

The Impact and Risk of Noncompliance

The rules were released March 9 amidst the outset of the pandemic and became effective June 30, with compliance deadlines beginning November 2. Noncompliance will impact quality payment incentives and include public reporting — which some liken to HHS’ cyber-security “Wall of Shame.” For providers promoting apps or working on an extension of their EHRs, they may be considered a developer, with penalties as high as $1M per violation. Despite advocacy efforts by numerous organizations pushing for delays, changes to the November 2 deadline don’t appear to be on the horizon. Additionally, the OIG is slated to drive enforcement and publish its rules for enforcement of information blocking in October, with no plans to delay.

There’s growing concern that health systems are falling behind in addressing requirements. The level of effort over the next three months will be sizable and enterprise-wide. It will require a mindset shift from protected health information (PHI) to electronic health information (EHI) and complex process, policy and technology changes. In fact, in a June CHIME survey, 70 percent of CIOs indicated they are concerned their organizations won’t be able to address the steps needed by the November 2 compliance deadlines. Another 7 percent noted they hadn’t had time, given the demands of COVID-19 response and recovery, to figure out how to respond as an organization. Based on our conversations with CIOs across the country, we suspect that an even higher portion of organizations may be challenged to meet requirements.

The Rules at a High Level

In the two highly anticipated rules, HHS laid out a vision where a patient’s health information can move seamlessly between health plans and providers and where every American can see and use EHI through common technologies such as smart phones, home computers, laptops and tablets. Key components of the Cures Act interoperability rules are summarized in Figure 1. The ONC released one set of components; concurrently CMS released a complementary set of rules and components. Together, they form the basis for the interoperability rules.

Figure 1: Cures Act Interoperability Rules and Key Components

What's the Provider Effort, and Why is This Time-Sensitive?

The rules include aggressive timeframes for compliance with the information blocking, digital contact information, and attestation and reporting components of the regulations by November 2, with additional rolling compliance deadlines affecting providers for the next two years.

Chartis has identified five provider responsibilities for compliance with the ONC and CMS interoperability rules, shown in Figure 2.

Figure 2: Provider Responsibilities and Compliance Timeframes

Below are the deadlines, implications and key considerations for each of the five provider responsibilities.

November 2, 2020

Providers must share EHI with patients, community providers, HIEs and other actors securely with patient authorization (first United States Core Data for Interoperability [USCDI] data, then all EHI).

Key Considerations and Actions Required
This represents a dramatic shift in data management, from guarding to open access for patients and authorized third parties. Not only are technical changes required; material operational changes will be required to respond to data requests, including updating HIPAA, other business agreements and policies, and new processes and clinical workflows to ensure that the necessary data is available, accessible and provided in a timely manner in the method requested. This necessitates a comprehensive change management and operational readiness program. Plus, since EHR developers are not required to implement functionality for USCDI now, providers will need to develop their own request response workflows to include all USCDI items. Use case analysis outlining the various operationally impacted workflows will be critical.

November 2, 2020

Health systems must ensure their providers’ digital contact information is up to date in the National Plan and Provider Enumeration System (NPPES) database — the CMS provider digital contact information database — and have an ongoing maintenance program.

Key Considerations and Actions Required
The effort may be large as current noncompliance is high. Providers must complete updates themselves or delegate access, and contact information like DirectTrust address is not always known by the provider. Bulk uploads are possible but require setup and accurate contact information.

November 2, 2020

Health systems continue to submit quarterly attestations for CMS Quality Program (Promoting Interoperability) incentives indicating they are not information blocking, but now these blocking attestations will be reported.

Key Considerations and Actions Required
A structured process to track data requests and responses is needed to support the attestation responses. Third parties can also file a complaint that information is blocked by a provider, and if found to be true, the provider organization will be publicly reported and incur penalties, expected to be disincentives.

May 1, 2021

Health systems must notify community providers on patients’ primary care teams of any admission, discharge or transfer (ADT) — not just the Primary Care Provider (PCP) or referring providers, as is common practice.

Key Considerations and Actions Required
Automating notifications may create alarming new levels of “alert fatigue” which will need to be addressed early on. Enterprise notification services, with CRM embedded, can prevent this and improve satisfaction. Care teams and providers will need to be correctly updated in EHRs from potentially multiple provider databases. CIOs need to know what data is going to whom now and through what route in order to identify those primary care team providers who are not already receiving the notification via HIE, interface, DirectTrust, fax server or other route.

May 1, 2022

Health systems must identify all applications that are patient data sources, including the EHRs and understand/monitor vendor plans for CEHRT compliance.

Key Considerations and Actions Required
Technical updates and assurances will be needed from vendors to ensure the health system is not exposed to information blocking by having a business relationship with them. Inventory the applications, identify the contracts and set up a tickler system.

Interoperability rules impact
strategic decisions across
digital health, partnerships,
COVID-19 operational changes, consumer engagement and
patient experience.

Next Steps for Preparing for the Cures Act

Interoperability rules impact strategic decisions health systems are making today — across digital health, partnerships, COVID-19 operational changes, consumer engagement and patient experience, among others. CIOs must take immediate actions to assess and educate the organization on these impacts and build an interoperability plan that will advance their strategic agendas, while meeting the November 2 deadlines.

Consider these questions regarding readiness:

  • To what extent is your organization successful at sharing medical data with stakeholders — within the health system, with ACOs, with patients, with other health systems? And what data in the USCDI V1 is not shared now?
  • How ready will the organization be to respond to data requests — technically and operationally? And what implications will a use case like clinical notes sharing have?
  • Is Marketing aware that blocking information or inaccurate NPPES data for providers could result in public reporting of the organization, and does HIM have a process to respond to release of more information on November 2?
  • How accurate is provider data currently in the NPPES? Do you have a centralized source-of-truth provider contact directory that holds provider preferences including primary DirectTrust address?
  • Have you attested to positively blocking information in 2019 on the quarterly Promoting Interoperability attestation, and are staff aware that patients and other third parties can report the organization (and an individual) for information blocking?
  • How much change will be required to alert the full care team — not just PCPs or referring providers — of admission, discharge or transfer? Are clinical advisory groups involved in decisions on how ADT notifications will be sent to reduce notifications and “alert fatigue”?
  • What are your vendors’ roadmap for CEHRT certification, and will they be ready? (Consider all that have EHI.)
  • Have you considered how interoperability serves as a springboard for digital transformation and consumer empowerment and as a driver of the digital front door?

Our next article will focus on how interoperability rules impact the strategic decisions health systems are making today.

Contact us
for a review of the rules and implications for your organization.


  1. CHIME IT Executive Survey June 2020.

Learn More from the Authors

Claudia Miller
Associate Principal
[email protected]

Chelsea Wyatt
[email protected]

Paul Murphy
[email protected]

Robert Faix
[email protected]

Related Content

Technology’s Role in Achieving Health System Imperatives in the Age of

For weeks, CIOs and their teams have supported their health systems in preparing for and combating the COVID-19 pandemic. As many look beyond the initial surge, CIOs face a new stage of challenges as they consider how to best leverage technology to help their organizations survive and ultimately thrive in the “new normal."

Read More >

Under Attack: Five Practical Steps to Thwart Increased Cyber Threats

While health systems have focused on the immediate health needs caused by COVID-19, cyberattacks have increased as hackers have exploited the outbreak's disruption. Learn five immediate key areas for health system focus that can have a positive impact on security and business continuity without incremental cost.

Read More >

Clinical Informatics Checklist for
COVID-19: Bridging the Gap

Clinical informatics (CI) programs have always been important to driving technology-enabled clinical transformation but are even more so during the current COVID-19 pandemic. Solutions to the present crisis rely heavily on technology as an enabler to support onsite and offsite diligent care of providers and other caregivers.

Read More >

Interoperability Deadlines Are Coming: Are You… - The Chartis Group