The Complete HL7 Compliance Checklist


The growth of health information technology over the last ten years has been unprecedented. Most recently, the industry has seen a rise in HL7 and interoperability implementations, driven by growing demand for telehealth services, better working conditions for medical professionals, and patient-centered care.

As of the end of 2020, the Interoperability and Patient Access final rule (CMS-9115-F) requires payers to meet requirements concerning the release of patient clinical and payment data. Payers must coordinate interoperability compliance projects across their organizations to meet the 2021 Patient Access API and Provider Directory API deadlines.

Below is a brief checklist of considerations, recommended actions, and mandatory actions to help your healthcare business achieve HIPAA and HL7 compliance.

Understand The New Interoperability Requirements

First, it is crucial to fully understand the details of the CMS (Centers for Medicare & Medicaid Services) Interoperability and Patient Access final rule, paying close attention to:

  • The terminology standards that have been specified
  • The deadlines for requirements to be met 
  • Education resources and requirements
  • Monitoring and testing requirements 
  • The use of HL7 FHIR


Understand The New Requirements In The Context Of Existing Regulations And Laws

The Interoperability and Patient Access final rule does not replace existing laws and regulations, so they must still be considered. Previous regulations and laws to check:

  • HIPAA (Health Insurance Portability and Accountability Act)
  • Age of consent
  • State laws (e.g., the California Consumer Privacy Act)
  • Any applicable federal, state, local, and tribal regulations

Establish A Strategy And Coordinate The Organization

Make Decisions Based On The Requirements

The choice of FHIR server and API platform will be determined by:

  • Whether you intend to buy (external) or build (internal)
  • Whether you intend to use a FHIR data repository, a hybrid approach, or dynamic services
  • Whether you choose a proprietary or an open-source option

Other decisions to make are how patients are informed of their rights and risks, and how application developers are engaged.

Establish An Interoperability Blueprint

When establishing an individual blueprint, consider: 

  • Is there an interoperability vision statement?
  • Is the approach proactive marketing or minimum compliance?
  • Does the corporate mission align with the vision statement?

Coordinate The Organization

For a healthcare business to succeed, especially when linking multiple departments through interoperability and HL7, the organization needs clear checkpoints:

  • Metrics
  • Vision and Strategy 
  • Definition of success 
  • Responsibilities and roles 
  • Relevant tools and technologies

Strategize For Milestones

Publish A Patient Access API

Key points to reach Patient Access API compliance:

  • The use of HL7 FHIR
  • The use of the CARIN Common Payer Consumer Data Set (CPCDS)
  • The use of OpenID Connect and OAuth 2.0
  • The use of the U.S. Core Data for Interoperability (USCDI)

Implement Payer-To-Payer Data Exchange

At the request of a member (patient), payers must be able to send the member's data to another payer and to receive it from one. Considerations for meeting the payer-to-payer data exchange compliance date:

  • Received data must be incorporated into the member's record
  • Data must be provided from the smaller plan(s)
  • Only data with a date of service on or after January 1, 2016 is in scope
  • The original compliance date was January 1, 2022
  • Data must remain available for up to five years after a member has left the plan

Publish A Provider Directory API

The final rule mandates that insurers publish provider directory data via an API, which addresses the long-standing problem of inaccurate provider data. Important points to consider to reach Provider Directory API compliance:

  • No authentication or authorization is required; the directory must be publicly accessible
  • Public access and discoverability of the API
  • The required data formatting and terminology standards are used

Understand Fundamental Skills

Across all the requirements of the interoperability rule, FHIR is at the center, surrounded by complementary technologies: Da Vinci, RxNorm, SNOMED CT, ICD-10, USCDI, and the security technologies OAuth 2.0 and OpenID Connect.

It is imperative that the organization's team is experienced with FHIR and these complementary technologies and can operate them efficiently.

Complete Solution Systems

A Privacy Engine

The privacy engine must ensure that privacy is maintained by tagging sensitive data, auditing disclosures of sensitive data, and managing consents. It should provide:

  • Access and disclosure logging and auditing for sensitive data such as mental health and HIV/AIDS records
  • Filtering and masking of sensitive data
  • Extensible consent management
  • Sensitive data segmentation, labeling, and tagging

An Orchestration Hub

Since the orchestration hub does more than an API gateway and a FHIR server combined, it needs to manage the following:

  • Support for API Orchestration 
  • Repository 
  • FHIR server 
  • Points of integration
  • Support for data consolidation, and 
  • Business rules.

An API Gateway

Even though the new rule does not mandate an API gateway, if one is implemented it should provide the following capabilities:

  • Rate limiting
  • Authentication
  • Authorization
  • Statistics and logging
  • Protection against SQL injection, denial-of-service attacks, etc.
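
As an added example (not code from the original page or from any particular vendor), the following Python sketch shows the authorization and rate-limiting layer such a gateway needs in front of a Patient Access API, where the OAuth 2.0 and OpenID Connect requirement above is actually enforced: it parses SMART on FHIR v1 scopes from a token, binds `patient/` scopes to the patient the token was issued for, and applies a per-client token bucket. The token claims and request objects are constructed; in a real deployment they come from the authorization server's introspection endpoint or a verified JWT. The `Scope`, `authorize`, `TokenBucket` and `gateway` names are this example's own.

```python
"""API gateway authorization for a Patient Access API (added example, not from the
original page).  Enforces SMART on FHIR v1 scopes and patient context, plus a simple
token-bucket rate limit.  Token claims are constructed stand-ins for introspected tokens."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# SMART v1 resource scope grammar: (patient|user|system)/(ResourceType|*).(read|write|*)
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Z][A-Za-z]*|\*)\.(read|write|\*)$")
METHOD_ACCESS = {"GET": "read", "HEAD": "read", "POST": "write",
                 "PUT": "write", "PATCH": "write", "DELETE": "write"}


@dataclass(frozen=True)
class Scope:
    context: str   # patient | user | system
    resource: str  # FHIR resource type or "*"
    access: str    # read | write | *


def parse_scopes(scope_str: str) -> List[Scope]:
    """Parse the space-separated scope claim.  Non-resource scopes such as
    openid, fhirUser, offline_access or launch/patient are ignored here."""
    out = []
    for raw in scope_str.split():
        m = SCOPE_RE.match(raw)
        if m:
            out.append(Scope(*m.groups()))
    return out


def _patient_id(ref: Optional[str]) -> Optional[str]:
    # accept either "123" or "Patient/123" in the search parameter
    return None if ref is None else ref.split("/")[-1]


def authorize(token: Dict, method: str, resource_type: str,
              patient_param: Optional[str], now: int) -> Tuple[bool, str]:
    """Decide whether a request may reach the FHIR server.  `token` holds the
    introspected claims: scope, patient (context the token was issued for), exp."""
    if token.get("exp", 0) <= now:
        return False, "token expired"
    needed = METHOD_ACCESS.get(method)
    if needed is None:
        return False, "method not allowed"
    reason = "no matching scope"
    for s in parse_scopes(token.get("scope", "")):
        if s.resource not in ("*", resource_type) or s.access not in ("*", needed):
            continue
        if s.context == "patient":
            # patient/ scopes are bound to the patient in the token; the request
            # must be confined to that patient's compartment, never an open search
            pid = _patient_id(patient_param)
            if pid is None:
                reason = "patient/ scope requires a patient-scoped request"
                continue
            if pid != token.get("patient"):
                reason = "patient context mismatch"
                continue
        return True, f"granted by {s.context}/{s.resource}.{s.access}"
    return False, reason


@dataclass
class TokenBucket:
    """Per-client token bucket: `rate` requests per second, bursts up to `capacity`."""
    rate: float
    capacity: int
    _state: Dict[str, Tuple[float, float]] = field(default_factory=dict)  # client -> (tokens, last)

    def allow(self, client_id: str, now: float) -> bool:
        tokens, last = self._state.get(client_id, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens < 1:
            self._state[client_id] = (tokens, now)
            return False
        self._state[client_id] = (tokens - 1, now)
        return True


def gateway(request: Dict, token: Dict, limiter: TokenBucket, now: int) -> Tuple[int, str]:
    """HTTP-style (status, reason) for a request carrying an already-introspected token."""
    if not limiter.allow(token.get("client_id", "anonymous"), now):
        return 429, "rate limit exceeded"
    ok, reason = authorize(token, request["method"], request["resource_type"],
                           request.get("patient"), now)
    return (200, reason) if ok else (403, reason)


# Constructed claims, as an authorization server's introspection endpoint would return them.
PATIENT_TOKEN = {"client_id": "app-1", "patient": "123", "exp": 1_700_000_900,
                 "scope": "openid fhirUser offline_access patient/*.read"}

if __name__ == "__main__":
    limiter = TokenBucket(rate=1.0, capacity=10)
    for req in ({"method": "GET", "resource_type": "Observation", "patient": "Patient/123"},
                {"method": "GET", "resource_type": "Observation", "patient": "456"},
                {"method": "GET", "resource_type": "Observation"},
                {"method": "POST", "resource_type": "Observation", "patient": "123"}):
        print(req, "->", gateway(req, PATIENT_TOKEN, limiter, now=1_700_000_000))
```

The gateway only needs the introspected claims; the FHIR server behind it can then trust that every `patient/`-scoped request is already confined to one compartment.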

Provide The Organization With New Capabilities

Develop Data Management Policies

Interoperability exposes information to far more viewers. It is important to review how the organization will handle version volatility in standards such as USCDI and FHIR, which are named in the Interoperability and Patient Access final rule.

Label Highly Sensitive Data

Payers must ensure that they comply with laws governing sensitive data such as mental health and rehabilitation, drug abuse or dependence, alcohol abuse, and sensitive health statuses (e.g., HIV/AIDS). This is easily overlooked because the interoperability API does not by itself segment data by sensitivity or type; the payer must label and filter it.
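
The labeling, consent filtering and disclosure auditing listed under A Privacy Engine above, and the sensitive-data labeling this section calls for, can be demonstrated together. The following Python example is added here and is not code from the original page: it derives HL7 v3 ActCode sensitivity labels (PSY, ETH, HIV) from a Condition's ICD-10-CM code using a deliberately simplified prefix mapping, writes them into `meta.security`, then filters a search Bundle against a patient's consent and records an audit entry for every decision on labelled or out-of-compartment data. The Bundle, consent and requester name are constructed, and the helper names (`label_resource`, `filter_bundle`, `run_demo`) are this example's own.

```python
"""Minimal 'privacy engine' for FHIR resources: sensitivity labeling, consent-aware
filtering and disclosure auditing.  Added example, not from the original page; all
patient data below is constructed and the ICD-10 -> label mapping is a simplified
illustration, not a complete clinical rule set."""
import copy
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

ACTCODE = "http://terminology.hl7.org/CodeSystem/v3-ActCode"                  # sensitivity labels
CONFIDENTIALITY = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"  # N / R
ICD10 = "http://hl7.org/fhir/sid/icd-10-cm"


def sensitivity_for_icd10(code: str) -> Optional[str]:
    """Map an ICD-10-CM code to an HL7 v3 ActCode sensitivity label (assumed,
    simplified mapping): B20 -> HIV, F10-F19 -> ETH (substance use), other F -> PSY."""
    if code.startswith("B20"):
        return "HIV"
    if code.startswith("F"):
        return "ETH" if "F10" <= code[:3] <= "F19" else "PSY"
    return None


def sensitivity_labels(resource: Dict) -> Set[str]:
    """Sensitivity codes already present in resource.meta.security."""
    return {lab["code"] for lab in resource.get("meta", {}).get("security", [])
            if lab.get("system") == ACTCODE}


def label_resource(resource: Dict) -> Dict:
    """Return a copy with meta.security populated from the resource's ICD-10 codes
    (the segmentation/tagging step).  Labelled data is marked R, the rest N."""
    res = copy.deepcopy(resource)
    labels = sensitivity_labels(res)
    for coding in res.get("code", {}).get("coding", []):
        if coding.get("system") == ICD10:
            label = sensitivity_for_icd10(coding.get("code", ""))
            if label:
                labels.add(label)
    security = [{"system": ACTCODE, "code": c} for c in sorted(labels)]
    security.append({"system": CONFIDENTIALITY, "code": "R" if labels else "N"})
    res.setdefault("meta", {})["security"] = security
    return res


def filter_bundle(bundle: Dict, consent: Dict, requester: str, audit: List[Dict]) -> Dict:
    """Apply a patient's consent to a searchset Bundle.

    consent = {"patient": "Patient/123", "permit": {"PSY"}} lists the sensitivity
    categories the patient allows this requester to see.  Resources outside the
    patient's compartment are always dropped.  Every decision about labelled or
    out-of-compartment data is appended to `audit` (the disclosure log)."""
    permitted = set(consent.get("permit", ()))
    kept = []
    for entry in bundle.get("entry", []):
        res = entry["resource"]
        labels = sensitivity_labels(res)
        if res.get("subject", {}).get("reference") != consent["patient"]:
            blocked = labels | {"out-of-compartment"}
        else:
            blocked = labels - permitted
        decision = "denied" if blocked else "disclosed"
        if labels or blocked:
            audit.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "requester": requester,
                "patient": consent["patient"],
                "resource": f'{res["resourceType"]}/{res["id"]}',
                "labels": sorted(labels),
                "blocked": sorted(blocked),
                "decision": decision,
            })
        if not blocked:
            kept.append(entry)
    return dict(bundle, entry=kept, total=len(kept))


def _condition(cid: str, patient: str, code: str, display: str) -> Dict:
    return {"resource": {"resourceType": "Condition", "id": cid,
                         "subject": {"reference": patient},
                         "code": {"coding": [{"system": ICD10, "code": code, "display": display}]}}}


# Constructed sample search result (not real patients).
SAMPLE_BUNDLE = {"resourceType": "Bundle", "type": "searchset", "entry": [
    _condition("c1", "Patient/123", "I10", "Essential hypertension"),
    _condition("c2", "Patient/123", "F32.9", "Major depressive disorder"),
    _condition("c3", "Patient/123", "B20", "HIV disease"),
    _condition("c4", "Patient/999", "F10.20", "Alcohol dependence"),  # another patient's record
]}


def run_demo() -> Tuple[Dict, List[Dict]]:
    labelled = dict(SAMPLE_BUNDLE, entry=[{"resource": label_resource(e["resource"])}
                                          for e in SAMPLE_BUNDLE["entry"]])
    # Patient 123 consents to share mental-health data with this app, but not HIV status.
    consent = {"patient": "Patient/123", "permit": {"PSY"}}
    audit: List[Dict] = []
    filtered = filter_bundle(labelled, consent, requester="app:wellness-tracker", audit=audit)
    return filtered, audit


if __name__ == "__main__":
    result, log = run_demo()
    print("disclosed:", [e["resource"]["id"] for e in result["entry"]])
    print(json.dumps(log, indent=1))
```

Labeling happens once, when data is ingested or indexed, so the consent check at request time is a cheap set comparison on `meta.security` rather than a re-inspection of clinical codes; the audit list is what the transparency policy in the next section would feed into reports.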

Equalize Data Sharing With Data Protection

Implement a transparency policy comprising audits, logs, tracking, and reports to ensure HIPAA compliance, address liability concerns, and review liability risks.


With the worldwide increase in HL7 and interoperability systems, final rules and compliance guidance had to be introduced to secure data, ensure standardized terminologies are used, and so on.

Successful implementation of healthcare interoperability is a significant undertaking, made more challenging by the need for organizations and stakeholders to achieve HL7 compliance. To further secure and protect healthcare data, the industry needs to implement these rules and compliance requirements. Regarding HIPAA compliance, organizations can face significant fines if deadlines and rules are not met.
