By Micky Tripathi, ONC
Our country has made tremendous strides and invested billions of private and public dollars in establishing the digital future of the health care system. We are thus highly concerned about ongoing and recent reports that we have received about potential violations of both the letter and spirit of the various laws and regulations now in place to ensure information-sharing to improve our health care system and enhance the lives of all Americans. In this blog post we describe some of the issues that have been brought to our attention and the steps that we are taking to address them.
More than 96% of hospitals and 78% of physician offices now use electronic health records (EHRs) certified through the ONC Health IT Certification Program. To catalyze adoption of modern interoperability approaches, the 21st Century Cures Act of 2016 required that those EHRs be configured to enable data to be “accessed, exchanged, and used without special effort through the use of application programming interfaces (APIs).” Since January 1, 2023, all certified EHR users are now required to have standardized FHIR APIs for patient and population services available to exchange information with authorized business partners and with patients. As we discussed in a January 2024 blog post, the vast majority of certified developers have published their certified APIs and associated documentation on the publicly accessible Certified Health IT Product List. In addition, our agency partners at the Centers for Medicare & Medicaid Services (CMS) now require that regulated payers use modern API technology to interoperate with providers, other payers, and patients.
Furthermore, to remove any doubt about the policy imperative of information sharing, the 21st Century Cures Act also banned the practice of “information blocking” to ensure that these EHR and API technologies are actually accessible “without special effort.” Those provisions are now in effect through separate but linked rules promulgated by the U.S. Department of Health and Human Services and CMS, the Office of the National Coordinator for Health IT, and the HHS Office of the Inspector General.
This is a tremendous achievement made possible only through many years of hard work by the private and public sectors. It is thus of great concern that there still exists considerable friction to information-sharing. In recent months, in addition to reviewing the hundreds of information blocking complaints that have been reported to us, ASTP has had a number of listening sessions with API users and healthcare organizations to better understand the challenges faced by patients, providers, payers, and developers who simply want to access API and EHR technology in the way that the law intends.
What is abundantly clear is that it is behavior, rather than technology, that is far and away the biggest impediment to progress. These are some of the experiences we’ve heard about:
- Publicly accessible API documentation is not available or not usable. API Users have described the unavailability or lack of usability of the required disclosures of business and technical information about the developer and its certified API technology. They indicate they are finding inconsistent and incomplete documentation about the access terms and conditions, fee structure, and the process to register applications.
- Third-party application developers are effectively being closed out. API Users have described Certified API Developers’ conditioning API access on onerous fees, pricing practices, contractual terms, and intellectual property requirements prohibited by regulation. API Users have also stated that Certified API Developers delay or give unequal treatment to application registration requests to access deployed certified API technology, which is prohibited by the Certification Program.
- API Users are being prevented from connecting with providers. Installed EHR systems are hidden behind generic API endpoints, making it difficult for API users to connect directly with health care systems. Third-party developer applications are not available to all EHR user systems or given the opportunity to sell to EHR users.
- Third-party developers serving patients are being presented with false regulatory hurdles. Provider organizations and/or certified API developers are requiring that patient access API developers sign HIPAA Business Associate Agreements, which is NOT required in order for patients to have electronic access to their information.
- Failure to respond to API access requests. API Users have stated that Certified API Developers and/or Healthcare Providers are not providing written and timely responses to denials for access to electronic health information as required by regulation.
Consequences and Enforcement
Among the many concerns raised is the possibility of Certified API developers potentially being out of compliance with Conditions and Maintenance of Certification requirements specific to APIs (45 CFR 170.404) and information blocking (45 CFR 170.401). Moreover, as actors subject to information blocking regulations (45 CFR part 171), Certified API Developers that engage in any practice they should know is likely to interfere with access, exchange, and use of EHI may be committing information blocking (unless the practice is required by law or covered by an exception).
Failing to comply with any of the Conditions and Maintenance of Certification requirements not only violates terms of the Certification Program but also undermines the spirit in which the requirements were created. Such conduct on the part of Certified API Developers leads to reduced trust in health IT, lower adoption of new technologies, higher costs, ongoing inefficiencies in the healthcare system, and ultimately, poorer outcomes for patients.
ASTP will continue to direct review Certified API Developers and their health IT to assess compliance with all applicable Certification Program requirements. Certified health IT developers with identified non-conformities in their business practices or certified health IT could face suspension or termination of the affected certification(s). Termination of certification of one or more of a developer’s Health IT Modules carries the added consequence of the developer being banned from the Certification Program.
Simultaneously, our partnerships with the HHS Office of Inspector General (OIG) and CMS are crucial in deterring and addressing information blocking. OIG stands prepared to investigate cases of potential information blocking and to impose civil monetary penalties of up to $1 million per violation on health IT developers, health information networks, or health information exchanges—and refer to CMS for application of appropriate disincentives on any health care providers—determined by OIG to have committed information blocking.
What should you expect from ASTP going forward?
Ensuring that certified API technology is working in healthcare is a top priority for ASTP. We will be working with ONC-Authorized Certification Bodies (ONC-ACBs), engaging with OIG, and hearing from more API Users to monitor the health information sharing landscape for areas where help is needed. Over the coming weeks and months, here is some of what you can expect to see:
- Monitoring and enforcement: ASTP will strengthen oversight and enforcement by implementing a more rigorous review process for API documentation, both at the initial certification stage and throughout ongoing certification maintenance. We will also closely monitor trends seen through multiple data points, including the surveillance of complaint logs that Certified API Developers are required to maintain under the Certification Program.
- Engagements with developers: At its upcoming quarterly virtual roundtable event with developers on October 23, 2024, ASTP plans to discuss issues we’ve heard about and developer API requirements under the Certification Program. Moving forward, we also intend to hold additional webinars focusing on API Conditions and Maintenance of certification requirements for Certified API Technology and its developers.
- New Educational Resources: Our Health IT Certification Program page contains multiple resources on the API Condition and Maintenance of Certification requirements such as the API Certification Companion Guide (CCG), API Resource Guide, learning modules, and fact sheet. In response to the issues raised, we will soon release new educational materials, including updated fact sheets, some examples of API “do and don’t” scenarios, and a template outlining expectations for Certified API Developers regarding business and technical documentation requirements for publication and accessibility, and information blocking resources related specifically to certified APIs.
- Improved Feedback Channels: We are enhancing our feedback mechanisms to make it easier for stakeholders to communicate with us. A dedicated section for API-related complaints and inquiries has been added to the Health IT Feedback and Inquiry Portal. This new channel will help us receive timely feedback and take swift action to address any nonconformity or misinterpretation of Certification Program requirements. We encourage any end user or third-party application developer who is experiencing problems to let ASTP know about the issue.
By staying informed and sharing your insights, questions, and concerns, you can help us shape ASTP’s direction and ensure that APIs are effectively serving the needs of the healthcare community. Share your input through the Health IT Feedback and Inquiry Portal, and make sure to attend the ONC Health IT Certification Program Developer Roundtable on October 23, 2024, which will focus on API Compliance.
HHS is committed to fulfilling the vision of the 21st Century Cures Act and ensuring that our digital health ecosystem is a vibrant, competitive landscape for innovative health IT solutions to deliver value to the American people. We recognize that enforcement of these policies is critical to achieving this vision. We strongly encourage any person or organization to report complaints about information blocking to the ASTP/ONC Information Blocking Portal and/or the HHS OIG Hotline.
This article was originally published on the Health IT Buzz and is syndicated here with permission.