Alert: ASTP/ONC Warns of Information Blocking and Calls for Action

This week, Micky Tripathi, the Assistant Secretary for Technology Policy, National Coordinator for Health Information Technology, and Acting Chief Artificial Intelligence Officer at the U.S. Department of Health and Human Services, published a blog post addressing significant gaps in the implementation of the 21st Century Cures Act. It’s frustrating to see how, despite the investment of substantial tax dollars, regulations often move forward without ensuring proper enforcement of prior mandates. Many in the industry seem to have lost faith in the potential of APIs mandated by the Cures Act, which should have been available since 2023. Instead, attention has shifted to TEFCA as the next 'silver bullet' solution. That was the prevailing sentiment until this blog post brought the focus back to EHR APIs.

Here are the 5 key points that Micky made very clear in his blog:

1. Intentional information blocking by EHRs is happening, and ASTP/ONC is aware of it. He refers to “behavior” as the biggest impediment to progress.

2. APIs must be available for both “patients” and “EHR Users.” The Cures Act is often confused with just patient access. The intent of API regulation was to provide patients, EHR Users, and business partners with access to data with apps of their choice.

3. HIPAA/BAA does not apply to patients’ access to their data. You can’t put any legal or financial requirements around patients accessing their data through apps of their choice.

4. There is a severe lack of technical documentation. He explicitly mentions app registrations. We have personally experienced that it takes weeks, if not months, to register an app with an EHR to start.

5. Generic endpoints make it difficult for API users to connect directly with healthcare systems. In many cases, EHRs have published a single endpoint, and then the app developers need practice IDs, headers, or other parameters to figure out which organization they are trying to connect to. We are so glad that this practice has been called out as it is one of the most frustrating techniques commonly used for delaying API access.

It is important to note that these issues are occurring with EHRs already certified under the updated ONC certification criteria. This highlights significant gaps in the regulation, where compliance is being reduced to a mere “check-the-box” exercise. He emphasized that ASTP/ONC is actively working to address these shortcomings. One of the most promising steps he mentioned is the upcoming publication of a comprehensive list of dos and don’ts by ASTP/ONC. We hope this list will be enforced as mandatory standards, rather than being treated as mere "recommendations" or "best practices."

Ultimately, it all comes down to one phrase, “Without Special Effort.” We feel it is time that ASTP/ONC clearly defines that phrase and does not leave anything to interpretation. For anyone who has worked with APIs in any industry, it is as simple as 1-2-3.

  1. Register an app on a developer portal.

  2. Access a sandbox account to test the integration of my app without PHI.

  3. Get a list of production endpoints and credentials that can be swapped from the sandbox when ready.

ASTP/ONC has consistently emphasized that all endpoints must be published by the December 31, 2024, deadline, which should help address the current endpoint issues. However, we also hope to see further clarification on two other key areas: the app registration process and the availability of sandboxes for testing.

What other changes or clarifications do you think are necessary? Micky has invited everyone to join the developer’s roundtable conference on October 23. Let’s connect there and ensure we make this happen.

