ONC is laying out certification criteria for developers of standardized healthcare APIs that would allow individuals to securely access structured and unstructured electronic health information (EHI) using smartphones and other mobile devices.
In a wide-ranging notice of proposed rulemaking (NPRM) released Feb. 11, ONC has laid out a series of measures intended to implement sections of the 21st Century Cures Act. The NPRM was delayed for months while it was reviewed by the Office of Management and Budget, a process that was further delayed by the U.S. government shutdown.
Among the many NPRM provisions, ONC lays out new API certification criteria, new standards and implementation specifications, and conditions and maintenance of certification requirements.
For the proposed API certification criteria, the following technical requirements need to be met:
- Use the Health Level Seven (HL7) Fast Healthcare Interoperability Resources (FHIR) standard along with a set of implementation specifications that would provide technical requirements against which applications and other services can be built
- API access to and search capabilities for all data proposed as part of the U.S. Core Data for Interoperability for a single patient and multiple patients
- Secure connections that include authentication and authorization capabilities in ways that enable patients to use an app to access their EHI without needing to log in each time they use the app
In addition, the following security requirements need to be met:
- API technology needs to be able to establish a secure and trusted connection with apps that request data
- Healthcare providers would retain control over how their workforce and patients authenticate when interacting with the API
- No app will have access to patients’ specific credentials
- Patients will be able to limit the data they authorize their apps to access
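The last two security requirements describe a delegated-authorization model: the app presents a token scoped to what the patient allowed, never the patient's own credentials, and the FHIR server enforces that scope on every request. The following is an added illustration, not code from the article, ONC or any FHIR server; it assumes the SMART App Launch scope syntax (e.g. `patient/Observation.read`), which the article does not name, and the function and sample values are constructed for the example.

```python
# Added example: server-side enforcement of patient-limited, credential-free
# API access. The app never holds the patient's password; it presents a bearer
# token bound to one patient and carrying SMART-style scopes (assumed syntax).
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class AccessToken:
    patient_id: str       # patient context the authorization server bound to the token
    scopes: frozenset     # e.g. {"patient/Observation.read"}; nothing else is granted


def _scope_permits(scope: str, resource_type: str, action: str) -> bool:
    """True if one scope such as 'patient/Observation.read' covers the request."""
    try:
        context, rest = scope.split("/", 1)
        rtype, perm = rest.split(".", 1)
    except ValueError:
        return False                      # malformed scope grants nothing
    if context != "patient":
        return False                      # only patient-context scopes handled here
    if rtype not in ("*", resource_type):
        return False
    return perm in (action, "*")


def authorize(token: AccessToken, patient_id: str, resource_type: str, action: str) -> bool:
    """Allow only if the token is bound to this patient and a scope covers the access."""
    if token.patient_id != patient_id:
        return False                      # a token for one patient cannot read another
    return any(_scope_permits(s, resource_type, action) for s in token.scopes)


def check_fhir_request(token: AccessToken, method: str, url: str) -> bool:
    """Map an HTTP request like 'GET /Observation?patient=pat-123' to an authorization check."""
    parsed = urlparse(url)
    resource_type = parsed.path.strip("/").split("/")[0]
    patient = parse_qs(parsed.query).get("patient", [None])[0]
    if not resource_type or patient is None:
        return False                      # fail closed: no patient context, no access
    action = "read" if method.upper() in ("GET", "HEAD") else "write"
    return authorize(token, patient, resource_type, action)


# Constructed sample: the patient authorized this app to read Observations only.
SAMPLE_TOKEN = AccessToken("pat-123", frozenset({"patient/Observation.read"}))
```

A request for a resource type outside the granted scope, for a different patient, or with a write method is refused even though the token itself is valid.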
ONC also laid out API conditions of certification, including transparency, permitted fees, and openness and pro-competitive conditions.
In terms of transparency, app developers must publish terms and conditions of their API technology, including fees, restrictions, limitations, obligations, software application registration process requirements, and other materials needed to develop, distribute, deploy, and use software applications that interact with the API.
In terms of permitted fees, app developers would be permitted to charge healthcare organizations fees to recover costs reasonably incurred to develop, deploy, and upgrade APIs, and fees to cover the incremental costs reasonably incurred to support the use of APIs. App developers would also be permitted to charge API users fees for value-added services. All other fees would be prohibited.
In terms of openness and pro-competitiveness, app developers would have to comply with a number of requirements to promote an open and competitive marketplace, such as providing API technology on terms “based on objective and verifiable criteria that are uniformly applied for all substantially similar or similarly situated classes of persons and requests.”
To maintain certification, an app developer needs to register and enable all apps for production use within one business day of completing its verification of an app developer’s authenticity and support publication of FHIR server endpoints for all customers.
“With the requirements we are proposing today — including the FHIR requirements — I am optimistic that we as patients and consumers will finally have deep insight into our health and new data to prevent sickness,” wrote National Coordinator for Health IT Donald Rucker in a blog post.
“We will have better control of our medications and their costs. We will be able to bring machine learning and artificial intelligence directly to our health records on our smartphones. Apps we choose can help us to live more healthy and productive lives by integrating medical data into our daily lifestyle choices, including choices we make around exercise and eating,” he added.
In a separate proposed rule also released Feb. 11, CMS said that organizations must conform to the same API standards as proposed for certified health IT in the ONC NPRM.
“We are proposing to require Medicare Advantage (MA) organizations, state Medicaid and CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and QHP issuers in FFEs to implement, test, and monitor an openly-published [HL7 FHIR]-based APIs to make patient claims and other health information available to patients through third-party applications and developers,” explained CMS in a fact sheet.