Final Interoperability Rule Has Implications for APIs, FHIR

March 12, 2020 - Earlier this week, the Office of the National Coordination for Health IT (ONC) announced a new interoperability rule which requires certified health IT developers to establish secure, standards-based application programming interfaces (APIs) to support patient’s access to vital data in their electronic health record (EHR).

The 21st Century Cures Act: Interoperability, Information Blocking final rule and the ONC Health IT Certification Program Final Rule aims to provide patients with transparency into the cost and outcomes of medical care and ensure convenient health data access on computers, cell phones, and mobile applications. 

The new rule uses modern day technology to promote patient access to electronic health information (EHR), support provider needs, and advance industry-wide information blocking practices. 

“The need is evident. We use technology in so many facets of life. We send email, buy airline tickets, keep up with friends and family on social media, and order food from the convenience of our smartphones,” said Elise Sweeney Anthony, executive director of policy at ONC. 

“Some of these tasks like online banking-even involve sensitive data that is transmitted through application programming interfaces (APIs) using privacy and security protocols. Yet, obstacles continue to be encountered by patients trying to access their own electronic health information (EHI). It is time to change that paradigm.” 

READ MORE: Most Healthcare IT Execs Unaware of Proposed Interoperability Rules

Technical certification criteria were necessary to implement the 21st Century Cures Act to significantly enhance interoperability. 

One of the criteria was the Standardized API for Patient and Population Services, which requires the use of HL7 Fast Healthcare Interoperability Resources (FHIR). FHIR is the next generation standards framework created by HL7 and is built from a set of components called resources. 

Experts believe FHIR offers many improvements to existing standards including a focus on implementation, multiple implementation libraries, strong foundation on web standards, and conciseness. 

A few additional improvements FHIR offers are:

• Interoperability out of the box, in which base resources can be used as is, but can also be adapted as needed
• Evolutionary development path from HL7 Version 2 and CDA, which allows standards to co-exist and leverage each other
• Support for RESTful architectures, seamless exchange of information using messages or documents
• A human-readable serialization format for easy use by developers
• Ontology-based analysis with formal mapping for correctness (currently under development)

Privacy and security are roadblocks throughout modern computing environments. But when implemented properly, APIs are rarely the source of security issues. The final rule outlined that a patient should be able to select an application to use for accessing their personal health data and use highly secure protocols called OAuth 2, ONC stated. 

Therefore, ONC’s final rule requires two types of API-enabled services. One focuses on serving a single patient’s data and one services multiple patients’ data. The APIs will be made available in a way that is safe, secure, and affordable, the announcement highlighted. 

“As a practical matter, just like consumers select reputable banks, we expect patients to use a similar level of judgment with their medical records and choose respected brand name providers or apps that have garnered a level of trust before sharing sensitive data,” ONC stressed. 

Although the rule released today ensures a step forward for patients, it also advances the needs of healthcare providers as well. It will help enhance innovation and competition as well as prevent the information blocking that many providers face when looking to provide informed care for their patients. 

But clinicians will also have a common sense operation flexibility, which includes protecting patient privacy and security as well as handling situations where moving data is technically unworkable.  

The rule calls for open APIs which will support secure data and boost innovation in the marketplace for health IT and app developers. Health IT users may also communicate visually through screenshots and video that identify particular issues including usability, user experience, interoperability, and security. 

The rule adoption of the US Core Data for Interoperability (USCDI) will set a baseline for interoperability, help improve the workflow of electronic health information, and ensure that the information is able to be deciphered. This will be updated as the baseline set is enhanced over time. 

“Placing patients at the center of care is critical to all that we do at ONC and the final rule continues to advance that goal, including provisions that support the ability of patients to securely and easily obtain their EHI at no additional cost when electronically accessed,” ONC concluded.