If you’ve ever been stuck using a health provider’s clunky online patient portal or had to make multiple calls to transfer medical records, you know how difficult it is to access your health data.
In an era when control over personal data is more important than ever before, the healthcare industry has notably lagged behind — but that’s about to change. This past month, the U.S. Department of Health and Human Services (HHS) published two final rules around patient data access and interoperability that will require providers and payers to create APIs that can be used by third-party applications to let patients access their health data.
This means you will soon have consumer apps that will plug into your clinic’s health records and make them viewable to you on your smartphone.
Critics of the new rulings have voiced privacy concerns over patient health data leaving internal electronic health record (EHR) systems and being surfaced to the front lines of smartphone apps. Vendors such as Epic and many health providers have publicly opposed the HHS rulings, while others, such as Cerner, have been supportive.
While that debate has been heated, the new HHS rulings represent a final decision that follows initial rules proposed a year ago. It’s a multi-year win for advocates of greater data access and control by patients.
The scope of what this could lead to — more control over your health records, and apps on top of it — is immense. Apple has been making progress with its Health Records app for some time now, and other technology companies, including Microsoft and Amazon, have undertaken healthcare initiatives with both new apps and cloud services.
It’s not just big tech that is getting in on the action: startups are emerging as well, such as Commure and Particle Health, which help developers work with patient health data. The unlocking of patient health data could be as influential as the unlocking of banking data by Plaid, which powered the growth of multiple fintech startups, including Robinhood, Venmo and Betterment.
What’s clear is that the HHS rulings are here to stay. In fact, many of the provisions require providers and payers to provide partial data access within the next 6-12 months. With this new market opening up, though, it’s time for more health entrepreneurs to take a deeper look at what patient data may offer in terms of clinical and consumer innovation.
The incredible complexity of today’s patient data systems
Storing and sharing patient health data are important processes for health systems for many reasons: doctors need these charts for providing informed care, providers need them for keeping patient records and for compliance and patients need them for managing their personal health, to name a few.
Over the past decade, the introduction of EHRs helped digitize much of this, with more than 94% of all hospitals storing data in an EHR system, according to a recent government survey. In turn, the emergence of EHR systems led to a range of issues around both data operability and patients’ ability to access their medical records, which the latest rulings are addressing.
On the data operability front, the EHR market has been highly fragmented, leading to siloed patient data records and inconsistencies in data formats.
The $30 billion EHR market is served by more than 500 vendors, with the biggest ones — including Epic, Cerner, MEDITECH and Allscripts — comprising only 55-65% of the market. The remainder of the market is distributed across many other vendors, including many specialty EHRs that hold more than 1% of market share each.
Worse, most health systems store medical data across multiple EHR vendors — only 2% of health systems reporting use a single EHR vendor. A single hospital reportedly uses more than 16 separate EHR vendors, all of which means that patient data can often be siloed across multiple EHR systems, depending on affiliated practices, specialty of care and inpatient/outpatient services.
Adding even more complexity, patients often receive care across multiple health systems. This leads to data fragmentation and can also create issues around data formatting and reconciliation of patient accounts.
Wellframe, a company that provides a digital health management solution and recently raised a $20 million Series C round, dealt with this problem firsthand while building its care-management product in the early 2010s.
“A single patient often had data residing across several EHR systems or health system divisions, which carried different identifier tags, making account matching an issue in many cases,” says Trishan Panch, co-founder and chief medical officer of Wellframe. “Though this has improved in recent years, cleaner APIs are likely to result in much more consistent data formats and better holistic patient medical records.”
While EHR vendors provide internal APIs, these are typically constrained to their own data platforms, which makes inter-EHR data sharing difficult. Not unlike databases in other verticals, EHR vendors are incentivized to serve as the system of record to lock in their position within a clinic. The new HHS rulings are aiming to shift power more toward the patients’ side.
Diving into this intricate web of data silos, startups have developed platforms providing integrations with EHRs of health systems across the U.S., including Redox, Sansoro, Human API and several others, to help institutions synchronize with each other.
Human API serves somewhat as a Plaid for health data and is used by companies like Omada Health, 23andMe and Guardian. “Our clinical API connects to 28,000+ EHR patient portals, pharmacies and labs in the U.S., making it possible for consumers to control and share their health data with companies they trust,” says Andrei Pop, co-founder and CEO of Human API.
PatientPing, which has raised more than $40 million from Andreessen Horowitz and other top-tier investors, helps connect a patient’s health providers across all care settings to enable health-data sharing. It works with more than 1,000 U.S. hospitals and has supported more than 43 million patients to date.
Startups like these two have been building much of the missing plumbing in the healthcare ecosystem. As health institutions build more consistent APIs and make them more readily available, it’s likely startups that have been busy building these integrations will be well-positioned to serve as efficient data connectors.
While connecting institutions with each other has improved, patients lack similar data connectors to access their own health records. The silver lining has been that more than 90% of health systems according to a government survey provide an online patient portal, intended to provide data to patients from internal EHR systems.
Patient adoption has been sparse though, with fewer than 25% of patients actively using the portals, and only 0.7% viewing their EHR data on their smartphones. These portals typically require patients to create a separate login and understand the nuances of the internal UI, and patients can often be tasked with using multiple such systems across different points of care, all of which limit usage. The smaller screen space on smartphones likely makes this process even more difficult, and not all patient portals offer native mobile apps or websites.
Patient portals also don’t provide APIs for patients to submit patient-generated health data (PGHD), which can be helpful in understanding a patient’s health between clinical visits. Even if they were to add such capabilities, the clunkiness of patient portals would still make it a cumbersome process for a patient to upload PGHD.
Third-party applications have a unique opportunity here to provide a fuller picture of patient health by combining medical data with PGHD. Moreover, this might result in innovation back within health systems as data is better consolidated, enabling physicians to get a fuller picture of a patient’s medical record.
Two rules open up patient data
The HHS rulings finalized last month have laid a verdict on a debate that’s been ongoing for several years in the healthcare ecosystem.
The two rulings were issued by the Office of the National Coordinator for Health Information & Technology (ONC) and the Centers for Medicaid & Medicare Services (CMS), implementing provisions in the 21st Century Cures Act and supporting the Trump administration’s MyHealthEData Initiative.
The ONC rule mandates the use of APIs — specifically, Fast Healthcare Interoperability Resources (FHIR) — and outlines information-blocking rules, among other provisions:
- APIs: The rule requires providers to make available API-based access to EHR data for patients, enabling them to access medical data via third-party applications on their smartphones. Importantly, it also limits the fees API builders can charge.
- FHIR: The rule requires the use of FHIR, which outlines a standard set of data formats for exchange of EHR data. This enables consistent data sharing across the healthcare ecosystem and reduces any additional costs to providers.
- Data interoperability: The rule promotes the U.S. Core Data for Interoperability (USCDI) format, a standardized set of classes for health data. Vendors in this space are expected to provide clinical data in consistent formats with appropriate classifications.
- Information blocking: The rule prohibits health providers from denying access to health data to patients, with minimal exceptions along feasibility fronts for some medical data.
Meanwhile, the CMS rule builds on the ONS rule, adding provisions for claims data and other health agencies:
- Claims data: The rule requires Medicare Advantage, CHIP and Medicaid organizations to provide API access to claims data, provider directories and more.
- Information blocking: The rule gives CMS authority to publish an online list of providers that have partaken in information blocking activity.
Many of the provisions in the rules require health institutions to comply within a 6-12 month time frame. Health providers and payers are currently faced with working with EHRs to put in place the technical infrastructure necessary to make data available within a short time frame. Given the rolling basis of many provisions and the situation with COVID-19, it’ll likely take at least one to two years for health institutions at large to make substantial progress on these changes.
Debating patient privacy in an health API world
These new rules have sparked a growing debate in the healthcare community around how best to protect patient privacy, with EHR vendors, providers, payers and technology companies taking varied stances on the issue. The privacy of health data is paramount to many patients and there is often a tough trade-off between opening data up for more applications and restricting access to ensure maximum privacy.
Epic has been one of the organizations that’s taken a strong stance against the HHS rulings. Epic’s argument has largely centered around the privacy liabilities the increased data sharing could bring about. Its positioning is also likely influenced by the power shift the change would bring about in giving patients and third-party applications more control over internal health data.
Epic CEO Judy Faulkner called upon many of Epic’s U.S. customer health system CEOs earlier this January and asked them to sign a letter alongside Epic in opposition of the new HHS rulings prior to their finalization in March. Her note cited concerns “that healthcare costs will rise, that care will suffer, and that patients and their family members will lose control of their confidential health information.”
Nearly 60 health systems signed the letter, including large ones such as the University Health System in Texas and NYU Langone Health in NYC, although many of Epic’s other large customers also did not respond.
Cerner has taken a different stance to Epic’s, supporting the new HHS rules. Cerner’s CEO Brent Shafer tweeted back in January that Cerner “embraces interoperability and the flow of information across disparate systems and health care entities” and “we fully support the proposed rule and the rulemaking process.”
Health providers and payers have been divided on the issue. Ones that have sided with Epic have cited privacy concerns, including the American Medical Association (AMA), one of the largest lobbying groups for U.S. physicians, which has opposed the new HHS rulings and sent a letter to HHS Secretary Alex Azar earlier in January.
The privacy concerns come on the heels of an increase in data breaches that has rocked the healthcare industry in recent years. Protenus, a company that built one of the leading healthcare compliance analytics platforms, reported more than 41 million patient records were breached in 2019, up more than 48% from 2018, as cited in research conducted by them on health data breaches.
Some of the largest data breaches in 2019 have included the AMCA data breach, which affected over 7.7 million LabCorp patients and 11.9 million Quest Diagnostics patients; the Dominion National breach, which affected 2.9 million patientsl; and the Immediata Health Group breach, which impacted 1.5 million patients.
Beyond privacy concerns, health providers and payers have also been concerned about issues like the timeline for the changes and details regarding implementation. The CMS rule expects the health plans outlined in the rule to have live APIs for claims data by January 2021, which requires prompt action from payers and has been considered aggressive by many in the industry.
The AMA outlined several key points in response to the new interoperability measures that would need to be considered by health providers, including: better privacy controls to monitor third-party data access, usage-based fee structures to limit EMR vendor fees and more clarity on some of the information-blocking rules, among other points.
On the other side of the aisle, large technology companies, which stand to benefit from data access into the siloed world of EHRs, along with a slew of health providers and payers, have supported the new HHS rules.
The Carin Alliance, which promotes greater digital sharing of health data between patients’ caregivers, held a meeting earlier in January that included representatives from Apple, Microsoft, Salesforce and several providers and payers, including the Mt. Sinai Health System, Humera and BlueShield of California. It provided support for the new HHS rulings.
Despite the debate in the healthcare community today, there is an underlying understanding that these changes are here to stay. The focus has shifted toward what health institutions need to do in order to comply with the rule provisions, and it has created what’s likely a large opportunity for tech companies and startups alike in building consumer apps and other products and services that leverage this soon-to-be readily available data.
Big tech companies are tackling healthcare with renewed urgency
The new HHS rulings signify an end to an era in which health data management was controlled primarily by EHR vendors, and a shift toward a new paradigm in which patients and apps will play a key role in helping patients access and manage their health data.
In recent years, the biggest technology companies have jumped into the healthcare space in a multitude of ways. Amazon, Microsoft and Google have been looking to increase their foothold in managing health data in the cloud for health providers. Meanwhile, Apple has developed a niche in the market with its health apps and associated Apple Watch features.
That’s led to a rush of M&A and partnership activity. Amazon bought PillPack for just under $1 billion and launched Haven in partnership with JPMorgan Chase and Berkshire Hathaway in 2018. Google is in the process of acquiring Fitbit for more than $2 billion, although it has experienced some turbulence during regulatory review. Microsoft has pushed extensively on the enterprise health front, including a recent partnership with GE Healthcare.
In the push toward building consumer apps for patient data specifically, Apple has been at the forefront with its Health Records app.
Launched in 2018 with 39 partners, Apple Health Records enables health systems to make patient data accessible through the Health Records app, without having to log into each provider’s separate patient portal. Apple further integrates this data into their own Apple Health app.
Apple Health Records has made significant in-roads over the past two years since launch. The app opened up self-registration for providers in mid-2019 to expand its partner base. It has further struck partnerships with the major EHR vendors, including Epic, Cerner, Allscripts and others, to enable providers to more easily plug their EHR system data to Health Records for patients to access.
Apple partnered with the Department of Veteran Affairs (VA) last year to provide Health Records functionality to veterans, completing rollout across more than 1,200 facilities and making it accessible to more than nine million veterans. Researchers from UCSD Health released a study analyzing Health Records app usage, which showed that 96% of users found it easy to plug their app to their providers’ records, and 90% of users found the data to be helpful in managing their health.
The emergence of new provider APIs is likely to expedite the progress even further for Apple, pushing providers not listed yet to become digitally mature enough to register with the Health Records app. Along with the data being collected for consumers using the Apple Watch and more broadly the Apple Health app, the Health Records app positions Apple well to help consumers access and manage their health data.
That early success hasn’t been mirrored at Microsoft, which shut down a consumer-facing health records system called HealthVault in late 2019. HealthVault launched in 2007, when both smartphones and EHR systems were in their infancy, and struggled in recent years to build a viable business model.
Microsoft is focusing its efforts instead on the enterprise front on functionalities and partnerships that leverage its Azure cloud platform for healthcare, as well as building communication tools for Microsoft Teams. New features added to Microsoft Teams have included the ability for clinicians to access FHIR-enabled patient data, which has resulted from ongoing work with data integration companies such as Redox.
In late 2019, Google announced a partnership with Ascension, the second largest hospital system in the U.S., which will involve Ascension’s medical data being stored and analyzed on Google Cloud, signifying the company’s intent to serve this new market need, as well. Separately, Google has several units, including Google Health and teams within Google Brain, which are working at the intersection of leveraging AI and health data to create smart solutions such as detecting medical conditions.
Finally, Amazon has similarly been leveraging AWS and its ML features in building solutions surrounding patient data. Cerner is leveraging AWS to power its new AI capabilities, which will enable providers to build ML models on top of patient data, including chatbots.
Amazon announced in late 2019 the AWS Data Exchange, which enables health organizations to access data sets, such as clinical trial data, based on partnerships with Deloitte, Change Healthcare and others. Amazon announced earlier in 2018 an ML service that would enable developers to analyze EHR data in a variety of ways.
In short, all the big tech companies have put renewed energy into building out their healthcare products, mostly matching their existing business models and extending them into the health domain.
Unlocking new opportunities in digital health for startups
Technology companies such as Amazon are well-positioned to capture market share on the consumer app side. These changes also will likely benefit startups such as Human API and PatientPing that have been building data plumbing and facilitating sharing of data between health systems and consumers. The changes in the near term are also presenting new opportunities for startups in the long term around data operability.
Commure is a startup that launched earlier this year that is developing a product that enables software developers to quickly create and deploy next-generation healthcare applications for medical professionals. Commure’s platform is FHIR-native, which the new HHS rules demand, and it’s live with several health systems, where it is being used in real-time production environments to build apps internally. Commure was incubated and backed by General Catalyst, which has also invested in several other companies in the health space, including Livongo, Color, Oscar and Mindstrong.
Particle Health recently raised $12 million from Menlo Ventures and other investors to build an API that helps connect digital health solutions to patient health data. It plans to provide an experience to developers that’s similar to using Plaid, Stripe or Twilio, helping them seamlessly access and work with patient health data. Their platform currently has access to data on nearly 300 million people, with a 85% coverage rate, and this is likely to improve greatly with better health APIs.
As patient data is surfaced via consumer apps, new startups will have opportunities to build capabilities that enrich patient data, such as providing medical context on health data and community-wide assessment of a patient’s health. Quantitative health tracking over time, and recommendations on care based on one’s health data, could be potential new use cases as well.
Beyond this, there will likely be opportunities to combine patient data with consumer wearables data, PGHD and other data sources to help measure causal relations between different health factors. Examples include identifying correlations between sleep quality and physical activity or medication adherence, and assessing the impact of diet and exercise on daily glucose levels for diabetes patients.
Those lessons could translate into changing consumer behaviors by increasing the magnitude of health data collection. This can include consumers using health diagnostic tools at home to collect more PGHD, and seeking care for various aspects of their health on a more regular basis. Offline diagnostic tools, such as blood pressure monitors and diabetes sensors, which often don’t relay data with apps seamlessly today, will likely also become better integrated with digital health apps over time.
Beyond the impact on patients, better health data APIs are likely to help health providers, as well. For health systems, the shift to value-based care has resulted in more than 150 startups in the past few years, which are helping hospitals assess patient risk to inform decisions on where care should be prioritized. Better patient health data records will provide more comprehensive data for such systems, helping improve patient outcomes and reduce readmission rates.
There will likely also come about opportunities for new startups to help leverage insights from population-wide health data. Within the cancer field, Flatiron Health has helped cancer research institutions and health providers aggregate their data and draw novel insights from it. There’s likely room for newer players that help unlock insights with data aggregation across a number of other disease specialties.
These new capabilities will all require careful thinking about patient data privacy, particularly given the recent rise in health breaches as discussed earlier. There will likely be increased debate and new policy around patient data privacy, and this will present opportunities for new startups to tackle issues surrounding data tracking, secure data sharing and compliance and auditing.
The liberation of patient health data is likely to create an avalanche of innovation in digital health over the next decade, so long as the privacy aspects of these changes are managed well. It’s likely many of the new capabilities that will come about will help improve patients’ understanding of their health and their ability to seek better care, and help reduce inefficiencies across the healthcare ecosystem.