In the Line of FHIR: Health IT Developers Are in the Information Blocking Crosshairs

The healthcare industry continues to embrace FHIR as the preferred standard for data exchange. Fueling adoption on several fronts are regulations such as those from the Office of The National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS).  The ONC’s 21st Century Cures Final Rule and the CMS Interoperability and Patient Access Final Rule, respectively, have imposed mandatory criteria requiring health IT technologies and payer systems to provide access to and support for their system APIs. While it’s commonplace to develop an API and provide documentation for that API—the requirement to onboard and support API users is not. This added burden for health IT developers makes it more difficult for them to comply due to the conflicting priorities created by these mandates. This is especially true for EHRs as there is a measurable difference in the number of client applications (“Apps”) marketed to them. 

Challenges in Health IT API Access Compliance

To better understand why health IT struggles with API access compliance, we must first understand the information-blocking criteria mandated by the ONC. The ONC’s Information Blocking Provision in the Cures Act Final Rule requires that health IT developers, among other actors that include HIEs and providers, not engage in practices that interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information (EHI). This includes EHI captured by and stored in their health IT systems. 

Therein lies the challenge whereby health IT must enable access to their data via an API and not restrict access to that data or face an Info Blocking inquiry.   Essentially, health IT developers must provide support to any App developer who wants to use their API.   Supporting this demand is daunting, especially for those deployed across a large customer base. 

Open Access Fosters Open Interpretation

Health IT developers understand the benefits of cooperating given the gains which include the development and marketing of solutions that contribute to improving patient outcomes and branding themselves as champions of interoperability.  Up until now, integrating solutions for data sharing was measured in terms of working with technology partners to contract, develop, test and deploy.  With mandates pushing open exchange via FHIR APIs, the demand by Apps developers to connect to health IT systems has exploded.  Information Blocking provisions place timeframes for responding to requests for access, albeit with some room for exceptions.  Whether or not the support provided to access an API is adequate can be a point of contention. An Info Blocking claim and finding could lead to expensive enforcement action and reputation damage. In addition, the costs associated with providing very niche and experienced professionals to help troubleshoot and educate app developers—developers not employed by or affiliated with the health IT system—are incredibly high.  Not only does this required API support not provide ROI for the health IT developer it could result in negative-ROI. 

To address these challenges, health IT developers must implement robust strategies for API management, that include straightforward navigation of their API suite, comprehensive documentation for App developers as well as their customer users. Additionally, compliance oversight must be included with or as part of a staff augmentation plan to manage the inevitable requests that go along with an onboarding process.  

In the ongoing wave of demand for patient data access, it’s important to remember that not every IT professional or organization claiming to be adept at FHIR and APIs truly has the requisite know-how. As organizations and app developers increasingly try to capitalize on this demand, inexperienced, ill-equipped, or ill-intent entities risk causing more harm than good. Yet, due to Info Blocking, health IT developers are wary of developing rigorous vetting mechanisms to assess the proficiency and intent of app developers using their API or to gauge the app developer’s ability or desire to adhere to regulatory standards.  

Preserving Autonomy While Ensuring Compliance

Health IT developers have a vested interest in ensuring that their clients reap the benefits of a secure and reliable ecosystem of apps. They aim to empower their clients with the autonomy to select integrated apps that best suit their needs and to assure their consumers that the connected apps they choose are trustworthy, accurate, and safe. However, they find themselves in a precarious situation. While health IT developers desire to guide clients in their app selection or impose specific security standards on apps using their APIs, they risk being perceived as engaging in information blocking. To avoid inhibiting the access, exchange, or use of EHI, developers must tread carefully, balancing the need to ensure safety and accuracy against the mandates prohibiting them from exerting too much control over their own ecosystem. 

To help guide their clients and consumers with app selection, developers may need to rely on impartial third-party testing and certification organizations. These entities can play a crucial role in helping clients and app consumers discern which applications are correctly configured and best protect their data. Testing and certification organizations can provide unbiased assessments of an app’s security, functionality, and compliance with data exchange regulations and implementation guides—but only if the criteria being tested are robust and include how client apps send, receive, utilize and present patient data, ensuring it’s used correctly and ethically. 

By employing impartial third-party services, developers can foster a secure and reliable app ecosystem without directly influencing the selection process or being accused of information blocking. Thereby preserving their clients’ autonomy and assurance while also complying with mandates. 

Bridging the Gap

The rapid adoption of FHIR in the healthcare industry provides opportunities for health IT developers to better engage with app developers and create a more connected ecosystem. However, current government mandates have made a difficult framework for developers to navigate. Nevertheless, by developing robust APIs and documentation as well as partnering with trusted 3rd party app assessors, health IT technologies can be compliant and still provide an optimal consumer experience. 

It is a challenge that must be tackled to bridge the gap between healthcare providers, developers, and patients—and to achieve better outcomes for all, including the better population and patient health long promised by interoperability.