Escalating Requirements and Enforcement
The Office of the National Coordinator (ONC) is building its focus on promoting interoperability with the rollout of two required export capabilities—the (g)(10) standardized API in 2022 and the (b)(10) bulk export capability for 2023. As a result, the demand for patient data access capabilities continues to soar. ONC and CMS have announced even more rules for standards advancement, clinical decision support, and provider-payer use cases (notably for prior authorizations). Hand-in-hand with these patient, provider, and payer-facing data access capabilities comes increasing attention to a major interoperability obstacle—information blocking.
As EHI-access functionality comes to market, providers, patients, and other stakeholders want to know how they can get access, how it impacts their organization, and if it works. Regulators, responsible for preventing information blocking, have started focusing their attention here as well. Adding to the complexity is the expansion of the information blocking scope to all ePHI as of October 6, 2022—which is well beyond the previous requirement for only USCDI v1 data elements.
Most EHR (Electronic Health Records) developers met the (g)(10) Standardized API for patient and population services requirements and implementation deadline of December 31, 2022. As with all certified Health IT functionality requirements, developers attest on an ongoing basis to the availability of this new API capability—providing the assurance that the developer did not “take any action to interfere with a user’s ability to access or use certified capabilities.”
A recent survey of EHR developers suggests a significant number of developers may face challenges with the practical availability of their API. Many reportedly did not respond to the 3rd-party app developer who inquired about accessing their API, and some who responded said they would be unable to discuss app access for many months. If the ability of 3rd-parties to successfully connect and use these APIs is as problematic as this survey suggested, more complaints and enforcement actions are the likely outcome.
The Lantern surveillance project, currently active, could also expose more FHIR API availability concerns. While not intended for enforcement purposes, the tool (developed by the ONC and MITRE) “provides analytics about the availability and adoption of FHIR API service base URLs (endpoints) across healthcare organizations in the United States.” While ONC pursues its goal of promoting interoperability, Lantern increases its visibility to the working availability of FHIR APIs as part of Base EHR certification requirements.
Finally, new information blocking enforcement rules and penalties are also expected, as Micky Tripathi, the National Coordinator for Health IT, stated this spring at the ViVE 2023 conference. He shared that the healthcare community can expect “the release in September of a draft rule for offenders.”
Recommended Best Practices
With the growing prospect of both surveillance and enforcement of (g)(10) API access requirements in the near future, what should EHR developers be doing to avoid becoming entangled in information-blocking issues? Simply put, follow operational best practices. As best practices regarding API access evolve, Drummond Group will continue to work with the EHR community to help them ensure their APIs are used for their intended purposes.
As an EHR developer, ensuring that data is easily accessible while avoiding Information Blocking can be a complex task. It is crucial to avoid accidental information blocking; our research has identified two important focus areas:
- Onboarding to 3rd Party Apps:
- Include the endpoint publication as part of your development efforts
- Apply quality control testing to the complete onboarding process
- Create clear policies and documented procedures to help app developers understand how to successfully use the API
- Provide an external-facing sandbox for app connectivity testing
- Assign technical staff to assist app developers with connecting to an API
- Develop and monitor service levels for connectivity to your APIs to ensure timely access
- Educate your customers about the availability of apps and the impact of information blocking
- Making Electronic Health Information available through bulk export processes:
- Review EHI storage points within your solution and conduct a gap analysis
- Enhance your EHR solution to enable bulk export
- Provide documentation and pathways to your customers for providing EHI and not restricting access
- Assess the operational needs for (b)(10) export management, such as request handling processes and secure export file delivery processes
By paying attention to these areas, EHR developers can overcome challenges and ensure that their data is easily accessible for consumption. To address the focus areas mentioned above, Developers should consider a technology and policy focused approach.
- Combine Application Onboarding with Real World Testing Activities:
EHR Developers should consider accomplishing two tasks at once for their API infrastructure. First, ensure workability through onboarding of third-party applications, and second, leverage those efforts when executing on measures in Real World Testing activities. In 2022 many developers did not have a standard API; in 2023, the adoption of (g)(10) provides the justification needed for it to be part of their Real World Testing. Having it in use will bolster proof points for Real World Testing reporting due in Q1 2024.
- Leverage Lantern to Assure Ongoing API Availability:
Publishing API endpoints is a requirement of maintaining certification. Developers should familiarize themselves with the Lantern Project’s self-service toolset. EHR Developers can use it as a milestone in the deployment of their API’s and it can be useful when pairing API solutions. While publishing endpoints depends on a provider organization’s ability to work with an EHR developer to implement the API functionality successfully, it nonetheless should be a motivator to support a robust interoperability platform. EHRs can learn from implementing the first few instances and streamline the process for future deployments.
- Continue Testing with ONC-Approved Tools:
Additional toolsets such as Inferno or AEGIS’ Touchstone provide developers with further opportunities to ensure that in-the-field deployments are in fact working. If your organization is platform and development challenged, we recommend an exploratory session with Drummond as it relates to AEGIS Touchstone which provides a true test-driven-development (TDD) approach to deployment validation of your FHIR API capabilities–with (g)(10) as a start.
Operational Process Development to Avoid Information Blocking
- Educate Your Customers:
While your organization must provide certified technology, your customers will need help when it comes to implementation and onboarding of new capabilities, particularly those that implicate information blocking. A sound policy of advising your customers as to the provisioning of data through your technology, including access to an API (g)(7, 9,10) as well as providing EHI bulk export through (b)(10), is paramount. A well-intentioned and working platform can find itself in the middle of an Info Blocking claim if providers do not understand how to turn on and build necessary operational processes around the technical data access functions provided by the EHR.
- Understand the Designated Record Set – Yours and Your Customers’:
As the primary EHR solution within a provider organization, you may be tasked with addressing other data sources as part of the EHI requirement. This will, at a minimum, include data elements your solution manages (the EHR’s Designated Record Set). Your relationship may also need to extend to advice on assessing the EHI inventory for other solutions in their environment.
- Build Your Operational Support for Client Apps:
Our research has uncovered that many EHRs are becoming burdened with requests to onboard client apps to API solutions. Often the requesting app is not well versed in FHIR, requiring an education and onboarding effort that can strain EHR resources. With API adoption growing and as standardization on FHIR becomes the norm, consider staff augmentation plans and training to handle both the increased demands on your interoperability team and the new processes you may need to avoid information blocking.
The demand for patient data access capabilities is escalating rapidly, and with the ONC’s increased focus on promoting interoperability, EHR developers need to ensure that their APIs are fully available. Following good management practices for application onboarding, monitoring availability with tools such as Lantern, and focusing on operational process development will help EHR developers avoid becoming entangled in information blocking issues. With proper attention to people and processes, EHR developers can avoid the scrutiny and ensure greater information access for patients and providers.