Overview
On October 8, 2024, Micky Tripathi, the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy (ASTP), released a blog post titled “Getting Real About Information Blocking and APIs.” In the post, Tripathi notes that ASTP is “highly concerned” about reports that developers of application programming interfaces (APIs) certified under ASTP’s Health IT Certification Program are engaging in practices that violate the Certification Program’s conditions and maintenance of certification requirements specific to certified APIs and ASTP’s information blocking regulations adopted under the 21st Century Cures Act. The blog post, which notes that ASTP has received “hundreds” of information blocking complaints, appears to be a warning to developers of health information technology certified under the Health IT Certification Program (certified health IT developers) and health care providers that enforcement of ASTP’s information blocking regulations is coming soon.
In Depth
CURES ACT ENFORCEMENT AND PENALTIES
On July 3, 2023, the HHS Office of Inspector General (OIG) issued its final rule to implement OIG’s authority under the Cures Act to investigate claims of information blocking and assess civil monetary penalties of up to $1 million (subject to inflation adjustments) for information blocking violations by a certified health IT developer or a health information network or health information exchange (HIN/HIE). The effective date of the OIG final rule was September 1, 2023. For a discussion of the OIG final rule, see our Special Report. To date, OIG has not publicly released information about any investigation or enforcement action under the OIG final rule.
On July 1, 2024, HHS issued a final rule to implement the Cures Act provision establishing penalties (called “appropriate disincentives”) for certain health care providers determined by OIG to have committed information blocking. The disincentives for certain Medicare-participating hospitals and clinicians became effective July 31, 2024, while disincentives associated with the Medicare Shared Savings Program will become effective January 1, 2025. For a discussion of the appropriate disincentives final rule, see our On the Subject. To date, there have been no public reports of any OIG investigation under the appropriate disincentives final rule.
CERTIFIED API PRACTICES RAISING CONCERNS AT ASTP
In the blog post, ASTP discusses what it considers to be the “biggest impediments to progress” on interoperability and data sharing. In ASTP’s view, these impediments are alleged “behaviors” by certified health IT developers or health care providers, as opposed to technology issues. ASTP does not address or otherwise note any explanations or potentially available defenses by certified health IT developers, their health care provider customers that deploy the certified APIs, or other stakeholders.
Specifically, ASTP names the following alleged behaviors as impediments to interoperability and data sharing:
- API documentation is unavailable or unusable. The conditions and maintenance of certification require a certified API developer to publish complete business and technical documentation via a publicly accessible hyperlink that allows any person to directly access the information without any preconditions or additional steps. According to ASTP, certified API users have alleged that the required documentation is unavailable or not usable, and is inconsistent and incomplete about access terms and conditions, fee structure, and the process to register applications.
- Third-party application developers are effectively being closed out. API users have claimed that certified API developers have conditioned API access on onerous fees and other terms prohibited by ASTP regulations, and engaged in other practices prohibited by the Certification Program.
- API users are prevented from connecting with providers. API users have alleged that “EHR systems are hidden behind generic API endpoints, making it difficult for API users to connect directly with health care systems.” ASTP also raised concerns about third-party applications being unavailable to electronic health record (EHR) systems users and third-party developers being denied the opportunity to sell their applications to EHR users.
- Third-party developers serving patients are presented with false regulatory hurdles. Third-party developers have alleged that health care providers or certified API developers require third-party developers using patient access APIs to sign HIPAA business associate agreements in order for patients to have electronic access to their information, even though the developers are not business associates because they are serving patients.
- Developers or providers fail to respond to API access requests. Certified API users have claimed that certified API developers and/or health care providers do not provide written and timely responses to denials for access to electronic health information, as the regulations require.
Notably, the blog post does not address practices with respect to noncertified, proprietary APIs. The omission is consistent with ASTP’s prior statements that it is focused on standards-based technology rather than bespoke solutions.
POTENTIAL ENFORCEMENT
ASTP notes in the blog post that HHS can take action in two ways to address the certified API practices:
- ASTP may directly review certified API developers and certified health IT to assess compliance with applicable Certification Program requirements, suspend or terminate certifications of certified health IT modules, and ban developers from the Certification Program.
- OIG may investigate alleged information blocking practices by certified API developers and other actors subject to the information blocking regulations. As noted above, if OIG determines that information blocking occurred, OIG may impose civil monetary penalties on health IT developers and HIN/HIEs and refer information blocking violations by health care providers to CMS for application of appropriate disincentives.
NEXT STEPS
Developers of certified API technology should consider the following next steps:
- Review their deployments of certified API technology to confirm compliance with the Certification Program’s conditions and maintenance of certification requirements specific to certified APIs.
- Review their certified API practices, as informed by the practices highlighted by ASTP in the blog post, to confirm compliance and to identify potential information blocking exceptions that may apply to related practices.
- Promptly evaluate and, if appropriate, address any complaints from certified API users alleging noncompliance with any certification requirements.
Health care providers should consider the following steps:
- Review their certified API practices, as informed by the practices highlighted by ASTP in the blog post, to confirm compliance and to identify potential information blocking exceptions that may apply to related practices.
- Promptly evaluate and, if appropriate, address any complaints from certified API users alleging noncompliance with any certification requirements.
For more information about how to prepare for HHS enforcement of the information blocking regulations, view our webinar titled “Information Blocking: Defense of Cures Act Investigations and Enforcement.” If you would like to evaluate your certified API compliance, contact any of the authors of this On the Subject or your regular McDermott lawyer.