
Nation’s clinical informatics professionals also urge ONC to protect patient privacy and security in emerging API-driven environment

(BETHESDA, MD) — In comments submitted to the Office of the National Coordinator for Health Information Technology (ONC), the American Medical Informatics Association (AMIA) applauded ONC on its thoughtful and faithful translation of the 21st Century Cures Act into statute. However, the group also strongly cautioned ONC against an approach that “will solidify a dynamic where health data must be standardized before it is available for patient care or research,” and called on the agency to “flip [this] paradigm.”

ONC released the “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program proposed rule” (NPRM) in February, which calls on the healthcare industry to adopt FHIR as the standard for APIs, while also proposing a requirement that patients must be able to electronically access all of their data through an “Electronic Health Information” Export (EHI Export). The rule additionally seeks to implement the information blocking provisions of the Cures Act, proposing seven exceptions to the definition of information blocking. Finally, the rule lays out requirements for Conditions and Maintenance of Certification (CMCs) for health IT and the first version of the U.S. Core Data for Interoperability (USCDI).

The USCDI, first proposed in 2018 as a data policy, had three distinct categories of data classes and elements: “emerging,” “candidate,” and “supported” data. In comments submitted to ONC in 2018, AMIA noted that the policy construct failed to account for the constantly-evolving category of non-standard or unstructured data, produced in vast quantities from information systems ranging from wearables to genomic sequencing labs. While ONC provided the technical underpinnings for “supported” data elements in this NPRM, AMIA wrote, it has failed to account for the overwhelming majority of data elements that could be considered “candidate,” “emerging,” or “unstructured.”

In response, AMIA strongly recommended that ONC establish a “share now, standardize as needed” policy supported with the “Unstructured Document” document-level template (and corresponding C-CDA-on-FHIR Implementation Guide) as part of USCDI’s Clinical Notes data class. While the proposed EHI Export for Patient Access and Database Export provide mechanisms to make data elements available, AMIA wrote, “we are concerned such criteria will be insufficient to flip the paradigm of dependency where patients, clinicians, and researchers are at the mercy of health IT developers to access their data routinely.”

AMIA further recommended amending the EHI Export for Patient Access criterion to make data available via functional API, without necessarily standardizing the API or the data payloads. The group wrote that this would allow industry stakeholders and government regulators to work toward a standardized API for managing export requests in future rulemakings, even as candidate, emerging, and unstructured data elements themselves are likely to remain developer-specific (i.e. non-standardized) for some time into the future.

“These proposals represent the most consequential health informatics policies since the first Meaningful Use regulation was proposed a decade ago,” said AMIA President and CEO Douglas Fridsma, MD, PhD, FACP, FACMI. “The new policies outlined by ONC will fundamentally and dramatically change the landscape for health IT and data availability. But we must go further to put patients, providers, and researchers in the driver’s seat.”

In commenting on CMCs, AMIA applauded the proposed CMCs for Communications, which require, with some exceptions, that a health IT developer not prohibit or restrict communication regarding health IT usability, interoperability, security, user experiences, business practices, and the manner in which a user of health IT has used such technology. AMIA strongly supported the proposals as written, noting that the new policies will enable users and researchers of health IT safety to communicate broadly about their experiences and add to the corpus of research related to usability and health IT safety.

As it relates to the much-anticipated information blocking provisions, AMIA strongly recommended that ONC finalize its proposal so that all EHI is subject to the information blocking rule. While the organization weighed an alternative recommendation to constrain the universe for which a claim of information blocking could be levied to a subset of EHI (e.g. the USCDI or ARCH), such an approach would perpetuate the “standardize first, share later” paradigm AMIA cautioned against. Further, AMIA noted that such a constraint would leave a host of “emerging,” “candidate,” and “unstructured” data classes outside the reach of this policy and likely prove more difficult to access, exchange and/or use because there is no legal requirement to share those data. “Such a constraint would keep in place the status quo, which is clearly insufficient,” AMIA said in comments.

To help stakeholders adjust to these new policies for information blocking, AMIA recommended OIG institute a period of enforcement discretion to better understand how actors are interpreting new requirements and avoid wasteful litigation. Such enforcement discretion would have OIG require corrective action plans – rather than levy fines which would likely lead to litigation – where claims of information blocking are found to be warranted. AMIA recommended this period be limited to three years from finalization of this rule, and all claims of information blocking – substantiated and unsubstantiated – should be made publicly available for stakeholders to study.

While AMIA largely supported the NPRM’s policies to empower patients as mediums to the clinician-, researcher- and patient-facing apps ecosystem, it urgently cautioned against the significant potential to create privacy risks and opportunities for fraud. It noted that there are currently few consumer protections in this area outside of the HIPAA-regulated environment, but that completely addressing the risks currently falls outside the statutory authority of ONC and HHS more broadly. AMIA thus encouraged Congress to act to fill the consumer protection gaps residing just beyond the reach of HIPAA. To address privacy and security concerns in the near term, AMIA recommended a host of actions for ONC to take:

  1. ONC should disambiguate API Users into two distinct stakeholder groups: 3rd Party API Users, who develop software and interact with API Technology Suppliers, and 1st Order API Users, who are end users of the software developed by 3rd Party API Users;
  2. ONC should, as an API Condition and Maintenance of Certification provision, ensure that API Technology Suppliers require 3rd Party API Users to attest to having in place a Privacy Notice, modeled from ONC’s work, for each app the 3rd Party API User develops as part of the API Technology Supplier’s registration process;
  3. ONC could define “patient authorized representative” narrowly as “a person within the continuum of medical care or with a medical power of attorney or legal guardianship” for purposes of EHI Export for Patient Access (§170.315 (b)(10)(i)) as it defines “users” of such functionality. This would be distinguishable from requests made by insurers or third-party legal requests that seek information without appropriate patient-direction and beyond what is part of the HIPAA “Designated Record Set;” and
  4. Take immediate, explicit, and public steps to implement recommendations of the 2016 API Task Force to foster secondary markets for application endorsements, where stakeholders (e.g. health IT developers, patients, consumer advocacy groups, clinical specialty societies and provider organizations) can endorse apps for meeting specified expectations of performance. This kind of infrastructure would enable third-party app discovery services where consumers can filter apps based on those criteria they consider most important. Further, it would ensure API Data Providers, API Technology Suppliers, and 1st Order API Users that apps of potential use have met specified requirements, as prioritized by various stakeholders.

“We are entering an exciting new era where patient data will more easily be available for clinical care, research, and patient empowerment,” said AMIA Board Chair, Peter J. Embi, MD, MS, FACP, FACMI, FAMIA, President and CEO, Regenstrief Institute. “Of course, with this progress comes new challenges. AMIA and the informatics community stand ready to offer our members’ expertise to continue to both empower and protect patients.”

Finally, AMIA issued a series of process recommendations to better ensure that the rule’s policy objectives can be achieved. First, AMIA joined other organizations in asking ONC to issue an interim final rule (IFR), or other regulatory mechanism, to garner more input from stakeholders on outstanding questions once the rule has been finalized. An IFR will also give ONC the option to incorporate stakeholder feedback on a range of options and ideas it did not propose in this NPRM, but which will nonetheless increase the likelihood of ONC achieving its policy objectives. Second, AMIA voiced concern with ONC defining both development and deployment requirements for new certification criteria and functionality. “While we understand the need for, and agree with, policies that compel adoption of new standards and functionality, we recommend that ONC remain focused on certification and technology requirements, not provider adoption policies,” AMIA said.  “A preferred approach would be to define explicit timelines for deployment and leave other HHS agencies – such as CMS – to establish adoption/deployment timelines. This division of regulatory authority provides stability for regulated industry, accountability for regulators, and transparency for all stakeholders.”

Click here for AMIA’s full response to ONC’s proposals.


AMIA, the leading professional association for informatics professionals, is the center of action for 5,500 informatics professionals from more than 65 countries. As the voice of the nation’s top biomedical and health informatics professionals, AMIA and its members play a leading role in assessing the effect of health innovations on health policy, and advancing the field of informatics. AMIA actively supports five domains in informatics: translational bioinformatics, clinical research informatics, clinical informatics, consumer health informatics, and public health informatics.