Consumer Access APIs Are Coming – Is Your Organization Ready?

Published on 11/10/2016

Join Dr. David McCallie, Meg Marshall and Lucia Savage, chief privacy officer with the ONC, in a panel discussion, "Preparing your org for the implications of consumer controlled APIs: App access via the patient portal," at 4:15 p.m., Wednesday, Nov. 16, at the Cerner Health Conference in Kansas City, Missouri.

Consumers have greater expectations for personalization when seeking care than ever before, and they want access to their electronic health information anytime, anywhere. The term view, download and transmit (VDT) is a now-familiar Meaningful Use (MU) requirement that provides consumers with multiple options for access to their electronic health record (EHR) data. VDT is only the beginning. Application programming interfaces (APIs), which have been the backbone of the ecosystems that have revolutionized many other industries, are coming soon to health care. Providers need to get up to speed on what's required and have a plan to meet those requirements.

APIs offer direct programming access to the underlying health IT system and enable 'app' developers to create tools that can ingest EHR data and provide new services to consumers. Through projects like SMART® on FHIR®, providers are becoming familiar with APIs that support customization of the EHR experience. However, API access is not limited to providers. A new class of APIs will give consumers the ability to access their health information on demand via apps of their choice. These APIs are emerging not only because of consumer demand; they are also driven by major regulations coming into effect in the near future.

Under the Office of the National Coordinator for Health Information Technology (ONC) 2015 Edition requirements, which will start being enforced in 2018, and Meaningful Use Stage 3 (MU3) requirements, patients must be granted access to portal-hosted APIs upon request. ONC's expectation is that patients will be able to select apps which can then be connected to the patient's portal account. The patient can use their portal login information to authorize the app to download their health data from the EHR. Unlike provider-facing APIs, a consumer's app can only access the patient's own data, but otherwise, the provider and patient API specifications are very similar.

Granting patients access to EHR data through the use of APIs was a major change, so ONC designated a joint task force (co-chaired by Meg Marshall, senior director of health policy with Cerner, and Josh Mandel, formerly with Boston Children's) to survey various stakeholder opinions and concerns. The task force concluded there were no 'show stopping' barriers that would prevent the deployment of APIs within the timelines for ONC 2015 and MU3. The task force also recommended that ONC continue its pursuit of an API strategy as another important mechanism for enabling patient choice and promoting a more efficient health care marketplace.

One of the first uses of the new consumer access APIs will be the Sync for Science (S4S) pilot program. In February, the National Institutes of Health (NIH), in collaboration with the ONC, launched S4S to enable individuals to access their health data and share it with researchers associated with the NIH Precision Medicine Initiative (PMI). The PMI intends to create a 1 million-member volunteer research cohort, with the expectation that many of the participants in the cohort will be consumers who choose to 'donate' their health data to the PMI.

Cerner is one of several EHR suppliers involved in S4S working to verify that these APIs can accurately retrieve the patient's data. The APIs used for S4S are the same ones that will help our clients meet the Meaningful Use requirements for API-based patient access.

Cerner is proud to be a leader in the movement to enable consumers to have more control of their health care data. However, we believe we should enter this new 'app era' cautiously, because there are still numerous unanswered technical and policy questions to be worked out.

Here are just a few scenarios a provider may be faced with as these API rules come into effect.

  • A provider wishes to 'prescribe' a trusted app to patients, with the hope the app will help with management of a health condition,
  • A patient wants to connect an app from a commercial app store to access clinical data through the patient portal, even though the provider may have never seen the app or heard of the app's vendor,
  • Informatics staff at the hospital develops an app in-house and wants to make it available to all patients,
  • A medical or IT student, who is also a patient, creates a personal app to access their health data and wants to connect it to their own portal account.

How far will providers need to go to ensure that each of these scenarios, and potentially many others, is feasible by Jan. 1, 2018? There are many questions:

  • Once these APIs are turned on, will patients find apps and actually come seeking API access?
  • What are the liability issues providers should be concerned about?
  • Do APIs present new threats to privacy and security?
  • Will apps need to be certified by Cerner before access is granted?
  • Will providers be able to promote or exclude specific apps?

While we don't have all the answers yet, we think it's worth a broader discussion because it's not a question of whether consumer API access is coming, but when - and the industry needs to be prepared.