How the consumer app API rule of the Cures Act will push interoperability

An expert from LexisNexis offers a closer look at a policy that could make a big difference enabling more widespread and seamless data exchange.
By Bill Siwicki
August 05, 2022
11:20 AM

LexisNexis Risk Solutions Senior Director of Healthcare Strategy Jonathan Shannon and his family – and a long-necked onlooker

Photo: Jonathan Shannon

The 21st Century Cures Act was signed in 2016 and covers various components of healthcare, including modernizing the FDA approval process. Another part of the law deals with interoperability.

While HIPAA was designed to safeguard data, the portability component of the HIPAA mandate became a huge issue. There was no standardized format or means to make moving data from one place to another possible, and data holders like EHR vendors believed they owned patient data.

With the 21st Century Cures Act, policymakers now have said no; health data belongs to individuals, and there needs to be an easy means for them to access it.

The Cures Act sought to make some fundamental rules around this for interoperability. Lawmakers thought there needed to be a very specific, well-articulated means by which data is moved from where it is held to where it needs to go.

The Interoperability and Patient Access final rule (CMS-9115-F), which came out in 2020, articulated the roadmap and data standards. The Cures Act includes provisions related to the information blocking rule, which relates more to providers and their IT vendors – for example, EHR vendors. These two rules have laid the groundwork for how interoperability is expected to look.

Jonathan Shannon is an expert in these laws and rules. He is senior director of healthcare strategy at LexisNexis Risk Solutions. We sat down with him to discuss the consumer application programming interfaces rule of the Cures Act and the need for interoperability without compromising data security.

Q. Please describe the consumer app API rule section of the Cures Act, and explain its goals.

A. When you think about who is using APIs, one example that many people relate to is customers of banks and financial services institutions accessing data from other entities to create a consolidated view of their financial profile. Using software that interfaces with their database, APIs make a connection.

This is game-changing for healthcare, where APIs are becoming more prevalent. Previously, interoperability could mean chart chasing by a nurse who would physically find the chart, digitize it and send the info to whoever needed it, an incredibly arduous and expensive process. API technology enables the querying of a database much more quickly.

The second thing to come out of this was the standards. HL7 came out with 4.0, called FHIR, which was also game-changing in terms of being able to get data in a standardized way. This is what we expect you to have; this is how we want the data to be organized and what we accept. This delivers a much easier ingestion capability which you can do through the machine, AI or machine learning, giving you a fundamental lift from the data.

Finally, there are now expectations around the completeness of the data and what kind of data needs to be available. The FHIR standard is critical, but health plans must make six years of claims available, presenting the clinical information they have on each patient.

Payers have to be fully open, saying, "This is all we have on you, this is what we've been collecting, and this is how we view you," and allow patients to share this with whomever they choose.

These mandates have created an opportunity to increase the speed of delivery via API, convert the data into digestible information by FHIR standards, and create a holistic patient profile due to the data that needs to be available.

Years ago, patients often felt they were not considered integral to decision making related to their care. Today, these mandates insert patients directly into it: It's their health, it's their data, and they have the right to do what they want with it, sharing it with wellness apps, providers, other health plans, really anyone an individual believes can support their healthcare journey.

Q. Regarding patient data access, how is the deployment of APIs going?

A. Under HIPAA, there has been this idea of provider-driven continuity of healthcare. For instance, when interacting with passive patients, a provider may say, "Can I share your data with a provider?" or "Can I request your data from another physician?" People respond "sure" because it is easy. They have come to rely on that without knowing about credentials or releases or anything operational about access.

The first part of this law required health plans to go live with these APIs in July of 2021. However, for some health plans, their APIs are difficult to find. You can search "health plan XYZ patient access API" with no results. Even if an app developer can connect to it, registering and facilitating data exchange can be challenging, requiring a lot of special effort for all parties.

The rulemaking, in fact, noted that this was to occur "without special effort." As you think about the amount of resources provider organizations have to chase down data, it is incredibly limited. Their core competency is treating, diagnosing and engaging with patients, not handling IT issues. Interoperability was supposed to be easy, but we are not there yet.

There is undoubtedly a role for enforcement and better articulation of understanding, not just the letter of the law but the spirit of the law.

Q. How does this rule impact payers?

A. It has had an enormous impact. I do not envy health plan CTOs and the amount of work they have to do related to making themselves "Interoperability Ready." After the March 2020 rulemaking, they had to orchestrate all this data based on the rules in about 18 months.

Luckily, payers have pretty savvy IT personnel who sprinted to get it done or engaged with third-party firms to support their efforts. However, some have struggled to respond to a law given the fact it was a massive undertaking.

Not only did they have to build an API, they also had to orchestrate all the data from all their different systems – claims, marketing, clinical and care management – so the longitudinal data is available when a patient requests it, all in FHIR format and available by API.

Payers also had to beef up security to account for people requesting data that would go outside their four walls. The Cures Act essentially established that once this occurs, HIPAA no longer applies but rather it's an FTC issue and the apps' responsibility to safeguard that data.

But you can imagine that a large health plan would not want its data compromised. This is friction on top of the robust data demands, compliance concerns and pandemic challenges. Logistical and technical challenges have proven too much for some payers, while others have done an outstanding job.

Q. How do we address the need for interoperability without compromising data security?

A. I think it is a carrot/stick situation. First, you must celebrate the people doing a good job. CMS and ONC can say publicly, "Great job, XYZ plan! This is what interoperability should look like." On the flip side, numerous health plans are not meeting the letter of the law or the spirit of the law.

The governing bodies must enforce this if they believe this is the future. There needs to be monetary and reputational harm to organizations not embracing this.

This was one of the most bipartisan bills ever passed. The data sharing provisions are vital: putting more power in the hands of the consumer. Suppose that happens at the stakeholder level – the health plans, the EHR vendors – where it is obvious that CMS is serious. In that case, you will start to see consumerism pick up as these technologies become available.

We also will see more precise definitions of what it looks like to be a good app and how to enforce data security more effectively. Traditional healthcare players (for example, health plans, providers) all understand HIPAA, but what does an app developer working in his basement do with all this sensitive data? What does this world look like?

There needs to be more transparency in terms of data security expectations. Once we understand the technology and consumer rights better, we will trust the technology and what the data can do.

Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.
