By Aneesh Chopra

Today, ONC & CMS finalized landmark rules to ensure safe, secure, standardized access to health information. Having spent some time on these issues, I’m pleased to read this White House post that puts these rules in historical context, and celebrates the bipartisan nature of this important endeavor.

I had been looking for answers to three policy debates – how HHS would balance consumer access and privacy; whether we would extend the economics of FHIR APIs to population-level use cases via “bulk” access; and if consumers could access all data elements without burden. I’m excited to report that HHS delivered on all three!

Prior to the rules dropping, I had pre-recorded an interview on today’s Gist Healthcare Daily, and prepared an op/ed with Governor Mike Leavitt. After an initial review of both rules, I am more excited than before, and thought to share 5 key takeaways:

#1) Payers “Up First” on New Interop Deadlines: EHRs already provide consumer API access via the 2015 Edition and most have voluntarily adopted the FHIR Argonaut IG. The new rules standardize on the normative FHIR R4 standard with a two-year window for EHR developer certification and deployment. CMS put a more aggressive marker by setting a 1/21 deadline for all government-sponsored plans to deliver FHIR-based data to any consumer-designated app (such as via the CARIN IG); for context, CMS telegraphed these requirements back at HIMSS 2018 and via this op/ed that May, so even if it feels like a quick turnaround, the industry has had some time to prepare.

#2) “Bulk” Requirements for Payer / Providers: ONC/CMS has extended the economics of FHIR-based data sharing from consumer use cases to “bulk” access for population-level data sets beneficial across myriad use cases by 2022 (using the standard we are testing as announced at the Blue Button Developers Conference last July). Much of the technical thought leadership here comes from the brilliant SMART team who shared some history over the past decade, and a collection of “bulk” use cases from a recent symposium.

#3) “All Data Elements” to Consumer Apps w/ IP Provisions: ONC held firm on requiring certified EHR vendors to enable consumer access to “all data elements” (as described in the CURES Act) via EHI export, but has offered a window for vendors to negotiate IP rights to access proprietary APIs (via a new “content and manner” exception for information blocking) before offering a standards-based alternative within three years. Stay tuned for a great deal of activity on this subject in the months to come.

#4) Balancing Privacy w/ a Consumer’s Right of Access: CMS and ONC allow payers and providers the flexibility to communicate clear warnings on suspected apps that fail to adhere to enforceable privacy codes of conduct (such as the CARIN Alliance Code) in a manner akin to the skull and crossbones warnings web browsers publish before taking users to a suspicious website.

#5) More Open Data to Reduce Friction: CMS requires hospitals to share ADT feeds within 6 months for physicians who request them as a condition of participating in the Medicare program; by 2021, payers must disclose up-to-date provider directory information and physicians are incentivized to disclose their digital endpoints. Similarly, ONC added pro-competitive provisions allowing providers the ability to control their own API endpoints rather than relying solely on their EHR vendors.

As such, I advise health plans and providers to build consumer and bulk FHIR servers simultaneously to lower implementation burdens, despite the lag time in compliance requirements; similarly, both should build FHIR apps alongside the servers, starting with a consumer-facing version (if it aligns with strategy) for testing and as a benchmark on the administrative burdens for data sharing across an interop portfolio; finally, every health organization should take this moment to establish data governance policies that can be implemented via locally controlled API gateways across consumer and “bulk” uses, including health networks or apps that are built on de-identified data sharing.

In the months and years to come, I’m hopeful this moment results in the rise of a new class of consumer-focused healthcare applications that operate akin to a fiduciary, trusted to aggregate health information and offer valuable decision support that is in a consumer’s best interest, rather than that of any individual healthcare supplier or service provider. While it is possible a tech startup might play such a role, I’m equally hopeful that many current healthcare service providers might take the mantle to offer their own health information fiduciary applications, even if it means adversely impacting their economic model. Imagine a future where every consumer takes the next best action, as advised by a health information fiduciary, to stay healthy, or if ill, to navigate the delivery system in the most efficient route available to get better.

I can’t wait!