elenabs/istock via Getty Images
Tripathi: Behavior is biggest health data exchange barrier
With hundreds of information blocking complaints reported to ASTP/ONC, the agency is ramping up oversight and enforcement efforts to address health data exchange barriers.
Behavior remains a significant challenge in ensuring seamless health data exchange, according to a blog post authored by Micky Tripathi, assistant secretary for technology policy, national coordinator for health information technology and acting chief artificial intelligence officer at HHS.
The 21st Century Cures Act (Cures Act) of 2016 required certified EHRs to support the access, exchange and use of data without special effort through APIs. Since January 1, 2023, all certified EHR users are required to have standardized FHIR APIs for patient and population services to exchange data with patients and authorized business partners.
According to Tripathi, the majority of certified developers have published their certified APIs and associated documentation on the publicly accessible Certified Health IT Product List.
CMS also requires that regulated payers use modern API technology to share data with other payers, providers and patients. Additionally, the Cures Act also banned the practice of "information blocking" to ensure that these EHR and API technologies are accessible "without special effort."
However, hundreds of information blocking complaints have been reported to the Assistant Secretary for Technology Policy and ONC (ASTP/ONC). The agency has held several listening sessions to understand barriers to accessing API and EHR technology in the way that the law intends.
"What is abundantly clear is that it is behavior, rather than technology, that is far and away the biggest impediment to progress," Tripathi wrote.
Challenges for API use include the following:
- Publicly accessible API documentation is not available or not usable. API users have described the unavailability or lack of usability of the required disclosures of business and technical information about the developer and its certified API technology.
- API users have described certified API developers' conditioning API access on onerous fees, pricing practices, contractual terms and intellectual property requirements prohibited by regulation.
- Installed EHRs are hidden behind generic API endpoints, making it challenging for API users to connect directly with healthcare systems. Third-party developer applications are not available to all EHR user systems or given the opportunity to sell to EHR users.
- Provider organizations and/or certified API developers are requiring that patient-access API developers sign HIPAA Business Associate Agreements, which is not required in order for patients to have electronic access to their information.
- API users have indicated that certified API developers and/or healthcare providers are not providing written and timely responses to denials for access to electronic health information as required by regulation.
Consequences and enforcement
Among the concerns raised is the possibility of certified API developers potentially being out of compliance with conditions and maintenance of certification requirements for APIs and information blocking, Tripathi noted.
Micky TripathiAssistant secretary for technology policy, national coordinator for health IT and acting chief AI officer, HHS
Additionally, certified API developers that engage in any practice they should know is likely to interfere with access, exchange and use of electronic health information may be committing information blocking (unless the practice is required by law or covered by an exception).
"Failing to comply with any of the conditions and maintenance of certification requirement not only violates terms of the certification program but also undermines the spirit in which the requirements were created," Tripathi wrote. "Such conduct on the part of certified API developers leads to reduced trust in health IT, lower adoption of new technologies, higher costs, ongoing inefficiencies in the healthcare system and ultimately, poorer outcomes for patients."
ASTP/ONC will continue to review certified API developers and their health IT to evaluate compliance with certification program requirements. Certified health IT developers with identified noncompliance in their business practices or certified health IT could face suspension or termination of the affected certification(s).
Tripathi pointed out that terminating the certification of one or more of a developer's health IT modules also bans the developer from the certification program.
"Simultaneously, our partnerships with the HHS Office of Inspector General (OIG) and CMS are crucial in deterring and addressing information blocking," he wrote.
OIG will investigate cases of potential information blocking and impose civil monetary penalties of up to $1 million per violation on health IT developers, health information networks or health information exchange (HIEs) that have committed information blocking. OIG will also refer any providers suspected of information blocking actors to CMS for the application of appropriate disincentives.
What to expect going forward
Over the coming weeks and months, ASTP/ONC will strengthen oversight and enforcement by implementing a more rigorous review process for API documentation at the initial certification stage and throughout ongoing certification maintenance.
"We will also closely monitor trends seen through multiple data points, including the surveillance of complaint logs that certified API developers are required to maintain under the certification program," Tripathi said.
The agency will also continue to address HIE challenges in the following ways:
- At its upcoming quarterly virtual roundtable event with developers on October 23, 2024, ASTP/ONC plans to discuss issues linked to developer API requirements under the certification program. The agency also plans to hold additional webinars on API conditions and maintenance of certification requirements for certified API technology and its developers.
- ASTP/ONC will add new educational materials to its Health IT Certification Program page, including updated fact sheets, some examples of API "do and don't" scenarios, and a template outlining expectations for certified API developers regarding business and technical documentation requirements for publication and accessibility.
- The department has added a dedicated section for API-related complaints and inquiries to its Health IT Feedback and Inquiry Portal to swiftly address nonconformity with certification program requirements.
"HHS is committed to fulfilling the vision of the 21st Century Cures Act and ensuring that our digital health ecosystem is a vibrant, competitive landscape for innovative health IT solutions to deliver value to the American people," Tripathi concluded. "We recognize that enforcement of these policies is critical to achieving this vision. We strongly encourage any person or organization to report complaints about information blocking to the ASTP/ONC Information Blocking Portal and/or the HHS OIG Hotline."
Hannah Nelson has been covering news related to health information technology and health data interoperability since 2020.