In the last months of the Obama administration, the 21st Century Cures Act was passed. It was and remains a strongly bi-partisan statement of government frustration with the healthcare industry. The message is simple: the data needed for the treatment and management of healthcare must flow.
Aggressively implemented by the Trump administration, we now see the fruit beginning to emerge in 2021 under the Biden administration. It is a very broad law with many aspects, including a new approach for Health Information Exchanges (HIE) called the Trusted Exchange Framework and Common Agreement (TEFCA) that is only now being defined. But the most impactful part of the new law are the mandates around the new Patient Access API.
There are technical and policy reasons why this will work. Starting with the technical, the decision to mandate an API was brilliant.
As noted above, other healthcare data moves through point-to-point batch, or batch transaction streams, or through alerts. But our modern technology such as smartphones and the internet work best when APIs are used as they handle security, data standardization, and scalability. The use of APIs is a technology-based decision that suits an internet-based world, instead of the mainframe-based methods to date.
Patient Access API: New Formats Provide Context for All This Data
Another vital and disruptive aspect of the Patient Access API is its use of a new family of data formats called Fast Healthcare Interoperability Resources (FHIR). The new law requires the common adoption of a brand-new version of this HL7 standard, which builds upon all the lessons learned from previous versions of HL7. The FHIR formats (and the mandated specifics about which ones to use) bring much needed prescriptive requirements about the specific data elements to share, a standard data set that is sufficiently broad to deliver business value. It brings needed terminology or vocabulary standards, along with metadata, that enable the context of the data being shared.
The nuance here is vital; clinical data requires context to be used. A blood pressure reading of 150/90 is not at all useful by itself. It cannot be used to understand a person’s condition without knowing whether this is taken when at rest or right after a surgery, a single reading or an average over a year, the highest reading ever for a person or the lowest.
FHIR allows the creation of “Implementation Guides” that are intended to drive this context into the data being shared. The government has also mandated a single automation workflow for applications to call these APIs called SMART on FHIR, which ensure privacy and security of the data movement in a standardized way. Finally, HL7 and public/private organizations have created a robust governance process to manage changes to these formats and the needed vocabulary over time.
New Interoperability Methods Address the Failures of the Past
Patient privacy is constructed throughout the rule and requirements. Perhaps most importantly, a patient has to authenticate (meaning prove who they are) and consent to any use of these new standards for their data. In this part of the new law, patient data only moves if the patient wants it to do so.
From a policy perspective, the government has mandated that the primary creators of healthcare data (insurance companies and healthcare providers) must publish the data with these APIs. The first deadline was July of 2021, when insurance companies were required to publish both clinical data and administrative data (cost, utilization, coverage) in these APIs for about 40% of insured Americans (based on different types of healthcare insurance). The next deadline will be January of 2023, when almost all hospitals and physicians will publish clinical data in these APIs.
This industry-wide mandate will be successful in both the creation of an effective common format and delivering the accessibility of the data at scale across the industry. By requiring the data to be available and usable, many businesses will now make voluntary investments in accessing and using the data, because the conditions are met to do so profitably.
Thus, “new” interoperability based on the Patient Access API addresses the failures of previous efforts: it has an excellent format with mandated broad access that will delivery strong business value. It also has much in common with the successful EDI, with armies of clinical informatists, standard implementation guides, major new software investment that is occurring in 2021-2022, professional organizations to work out the details (such as CARIN and Da Vinci), and a likely creation of an industry to make accessing this data practical by solving variation across all the payers and providers.
LexisNexis Risk Solutions is one of the companies creating the capability to access many of these APIs, standardize the results, and enrich the results with additional data.
What Comes Next
As the industry meets the mandates, we should expect more work that needs to occur along with widespread change.
First, the government will certainly need to enforce compliance with the new requirements. It also needs to make the law broader, by mandating compliance for the remaining 60% of insured population, adding additional data (such as Social Determinants of Health), and making strong standards even stronger, with more prescriptive mandates of implementation guides. Finally, the standards would be more valuable if additional patient consent approaches were standardized and mandated, which would allow for both broader and narrower data access, as desired by the patient.
Next, we should expect to see all kinds of organizations adopt the use of these new APIs. This “Business-to-Business” use was not the central focus of the government, but is likely to occur at scale quickly.
While we expect to see other insurance companies and healthcare technology companies act first, because of the immediate value they can attain, many businesses in and out of healthcare will ask their customers for permission and access the data, using it to support their current business models and enabling new business models.
Finally, we should also see a widespread use of this data by patients over time. Some will scoff at this prediction, based on how little use of healthcare data has occurred by patients in the past. But, until now, patients have simply not had the ability to act.
Conclusion: Healthcare Will Realize True Interoperability
While some will simply want to download and centralize their data on their phone, it will be far more common that patients will download apps and access websites that can use this data to make a person’s life easier, to help them make medical decisions, and eventually to have more ownership of their healthcare. As noted above, once the ability to access and use data has meaningfully occurred, consumers have completely transformed how they shop (Amazon), how they travel (Travelocity), how they move (Uber), how they manage money, work, learn, etc.
Some will claim that healthcare is unique and therefore not in common with these. But does a person’s healthcare data need different security than their banking data? Are healthcare decisions more complex than investing decisions? Is the choice of doctor more important than the choice of a spouse? Is it more dangerous for a person to make informed treatment choices than it is for them to decide to buy a house and take a mortgage? In each of these areas, over the last 20 years, our society has embraced the ability to use software and data in ways unimaginable; it will be no different in healthcare.
A wise technologist once said: “We always overestimate how much change will occur in a year and underestimate how much change will occur in 10 years.” This will be true for Interoperability, whose time has finally come.