The 21st Century Cures Act, which became effective on June 30, 2020, mandates important changes in interoperability, information blocking, and the Health IT Certification Program administered by the Office of the National Coordinator (ONC) for Health Information Technology. Among its many provisions, the law requires patients eventually be given access to all of their electronic health information (EHI), structured and/or unstructured, at no cost. While implementing the rules has the potential to improve care, it also poses challenges for providers, health information exchanges (HIEs), and tech developers, including EHR vendors, who must put the rule into effect.
April 5, 2021 was an important landmark because it marked the date when all providers, vendors, and HIEs were expected to comply with regulations by:
- Offering the public access to their health care data through application programing interfaces (APIs) and
- Doing their part to alleviate information blocking.
There are 8 types of clinical notes that must be made available to patients. All eight elements are part of United States Core Data for Interoperability and include:
- Consultation notes
- Discharge summaries
- History and physical exam notes
- Imaging narratives
- Lab reports
- Pathology reports
- Procedure notes
- Progress Notes
The deadline for standardized API functionality allowing patients to be able to use their smartphones to connect with their health data is end of 2022. The Cures Act doesn’t just require that providers share data with patients, it also requires them to share information with other health care systems. The latter requirement has been a contentious issue for several providers and vendors, who have been accused of blocking access to the data to others to gain a competitive advantage.
There are two important exceptions to the sharing rules. The first is psychotherapy notes that have been separated from a person’s medical record by a mental health professional in which the clinician is “documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session.” The second exception applies to information that will be used in a civil, criminal, or administrative hearing.
Providers will no doubt have technical questions about exactly how they should make data available to the patient population through the required API. The role of an API is to serve as a bridge between two software programs. For example, Apple provides developers with an API that allows their third-party programs to talk to Apple’s operating system. Similarly, APIs can bridge the gap between a collection of data elements like clinical notes in an EHR with a third-party application that lets patients view their notes on their smartphone or computer.
The ONC has provided a standards-based API certification criterion to implement the 21st Century Cures Act’s requirement that developers of certified health IT publish APIs that can be used “without special effort.” The new certification criterion requires standardized API access for single patient and population services and is limited to API-enabled “read” services using the HL7 Fast Healthcare Interoperability Resources (FHIR). The FHIR standard, in addition to a set of adopted implementation specifications, provides known and consistent technical requirements for software developers.
Regardless of the API a provider chooses to implement, it needs to meet certain security standards to reduce the risk of exposing protected health information (PHI) to unauthorized person or entity. More specifically, the app will have to use Transport Layer Security (TLS) version 1.2 or higher for all transmissions. It will also have to perform authentication and authorization using implementation specifications. In addition, the API technology will be required to respond to requests for data specified in the USCDI v1 according to the US FHIR Core implementation Guide for FHIR Release 4.
In order to remain compliant with the law, it’s important for providers, IT developers and HIEs to understand the timeline set up by ONC. While April 5 was the deadline for giving patients access to the structured data from USCDI, by October 6, 2022, they will be required to make unstructured data available as well. That will include narrative notes, transcriptions, and similar content — essentially all EHI in a patient’s record. Accomplishing that will require the use of algorithms, machine learning, and natural language processing. Giving patients and other eligible groups access to this treasure trove of valuable data has the potential to transform patient care. The rule deadlines can be found here.
During a recent Zoom call with Mayo Clinic Platform team, Micky Tripathi, PhD, the National Coordinator of health IT, explained that: “By October 6, 2022, providers, developers, and HIEs will be required to offer all the EHI in whatever form it exists, as long as it is in a computable or machine-readable format. By the end of 2023, however, a publicly available export format must be provided by these organization so that patients can make sense of the information.”
While the journey to full data access is a long one, ONC has made major strides in the right direction. Now it’s up to the health care community to take the reins and turn these rules into actionable insights for clinicians and patients alike.