APIs in healthcare information technology systems are now required in federally certified software, but healthcare...
CIOs and vendors are chafing at what many consider an unworkable mandate.
The Centers for Medicare and Medicaid (CMS) and the Office of the National Coordinator of Health Information Technology (ONC), after years of emphasizing health information exchanges and EHR patient portals, recently turned to APIs in healthcare as the simplest way to stimulate interoperability.
Under last year's MACRA (Medicare Access and CHIP Reauthorization Act), healthcare providers will be required to use 2015 Edition certified systems by 2018 to attest to key measures such as securing patient health data and allowing patients electronic access to their data.
APIs in healthcare are part of the EHR definition
In the 2015 Edition rules for certified EHR technology, APIs in healthcare systems are required, by definition, to provide application or consumer level access to the Common Clinical Data Set developed during the meaningful use program. The data set includes basic patient health information ranging from patient name, sex and birth data to allergies, medications, lab results and care team members.
Patient access to health data
Steve Posnack, director of the office of standards and technology for ONC, said one of the API requirement's key aspects is allowing third parties easy access to individual data requests, as well as requests for larger data sets, such as the clinical data set.
"If you're a healthcare provider and you're going to be participating in CMS programs that reference certified EHR technology, you're going to need to have API functionality," Posnack said. "That's kind of a baseline fundamental requirement."
Not only are health IT developers obliged to include API functionality, Posnack noted, but they also must submit to ONC full documentation of their APIs, including programming information and syntax. This documentation must also be publicly available via hyperlink on ONC's certified health IT product list.
CHIME says the mandate is unneeded
Critics of the APIs in healthcare requirements include the College of Healthcare Information Management Executives (CHIME), the main healthcare CIO organization.
"We support the technology behind APIs. APIs hold so much promise. We completely understand the value of APIs, but when it comes to healthcare, we think it's premature for us to have a hard mandate on it," said Mari Savickis, CHIME's vice president for federal affairs. "It's still evolving, and the standards are not fully baked in."
Indeed, it is still unclear how many times, and with how many patients, providers will have to demonstrate how they use APIs. And Posnack acknowledged that there is no specified API standard in the regulations.
Under meaningful use stage 3, the provisions for which were similar to MACRA key measures, some of the attestation requirements were downgraded so providers only had to show how they used IT functions for a single patient. Among those was "view, download and transmit" -- an important measure that shows that patients can get their data electronically.
FHIR plus APIs
Posnack emphasized that APIs are not the only way EHRs can provide access to patient data. He noted that CMS and ONC officials have been encouraging the use of the popular, but not yet mature, interoperability standard FHIR (Fast Health Interoperability Resources), which works directly with APIs.
In fact, the 2015 Edition language recommends that developers use FHIR to create applications that allow for the easier exchange and capture of health data.
Meanwhile, the EHR Association, a vendor group, argued in comments during the 2015 Edition Final Rule approval process that there are significant security problems with APIs, among other issues.
"We are concerned that the current combination of standards, infrastructure and identity proofing processes is either not widely adopted and/or is inadequate to fully support a reliable, secure API/application environment where the consumer can confidently access their data," four members of the group's executive committee wrote to ONC in February 2016.
ONC enumerates API benefits
But the 2015 Edition states that APIs can be deployed securely, and Posnack said the benefits of APIs and FHIR-related development tools to patients, providers and developers are compelling.
"APIs provide an easy way for software systems to talk to each other and interact with third parties," Posnack said.
For developers, APIs are an effective method for connecting to larger software systems without the enterprise system exposing its entire infrastructure, Posnack said, adding that APIs also "provide a lot of potential benefits to patients in terms of engagement and access to the app ecosystem that we're living in now."
Similarly, for providers, APIs and FHIR tools "are a way for apps to be built on top of electronic health records and can give providers better user experience and functionality, as well as workflow," Posnack said.
In any event, Posnack said ONC will enforce the APIs in healthcare requirement by only certifying compliant systems and ordering corrective action if post-certification vendors don't provide documentation.
Some highlights of the MACRA healthcare law
CMS official says APIs in healthcare are a critical part of the post-meaningful use era
CRM healthcare system uses APIs to link to EHRs