
EPISODE · May 26, 2026 · 34 MIN

The Information Exchange: The TEFCA Report Card

from The Information Exchange · host Brendan Keeler

We are back, but we’re trying something a bit different this time. Given the little Memorial Day lead-up lull afflicting the industry, we decided to give a primer and run-down on the successes and failures of America’s only statutorily blessed nationwide health data exchange: TEFCA two years in, with what’s actually working, what isn’t, and what the rails really do at this point. Lots of fun in this not-a-pod:

* The first iteration of our new “Pryce Transparency” segment
* Brad as a Trusted Exchange Guinea Pig
* Five generations of patient access policy and technology in five minutes
* Where Epic stands alone on a FHIR flow that’s now an exhibit in active antitrust litigation
* The authentication vs. authorization debate that’s becoming the most consequential architectural question in patient access
* Diagnostic imaging’s role in all this (and interop broadly)

And of course, what we’re putting on our Memorial Day burgers.

Hiring Notice

HTD is hiring! We are looking to bring on Associates to our Interoperability Practice. If you have experience with EHRs, interoperability, and/or consulting and want to:

* Work on the deepest, darkest arts of integration and health information exchange
* Help the full range from startups to the largest tech companies in the country understand and play in the interoperability landscape
* Help EHRs become their better selves (both via collaboration and pressure)
* Learn and use regulation deeply as a strategic lever to enable the businesses we work with
* Collaborate with a scaled development team across multiple geographies (US, Poland, Argentina)

Then respond to this email with your resume and the one big interoperability problem in America you’d solve if you were a policy maker.

Relevant Articles

* HTI-5: When the Scorpion Learns to Swim: We briefly discuss how HTI-5 proposes to remove the main “incentive” to join TEFCA, the TEFCA Manner Exception.
* Individual Access Services Open Forum: An oldie but goodie primer on how Individual Access Services works and the history behind it.
* The Rise of Consumer Health On-Ramps: Details on the “Big 4” consumer health and patient access on-ramps.
* Epic’s IAS Implementation: A rant from a year ago about frustrations with Epic’s Individual Access Services implementation.
* JG Wentworth: Pryce’s mention was like a sleeper activation codeword for me. Real nostalgia rush.
* Authorization Tradeoffs: A chart I made when discussing the tradeoffs of different authorization architectures.
* SMART Imaging Access: Josh Mandel’s reference implementation for patient access to diagnostic images that we talk about.
* Much Ado about Diagnostic Images: Discussion of the ONC’s RFI on Diagnostic Imaging and a detailed overview of the space.
* AADJ v. Epic: The Motion to Dismiss: The antitrust case against Epic related to TEFCA IAS.

Chapters

* Intro and HTD Hiring PSA (0:00 – 0:44): Brendan, Pryce, and Brad pitch HTD’s interoperability associate roles across EHR integration, HIE, payers, clearinghouses, and information blocking strategy.
* Pryce Transparency (0:44 – 3:19): A foundational walkthrough of the Trusted Exchange Framework, QHINs as the Verizon and AT&T of federated clinical data, and the difference between treatment queries and Individual Access Services.
* Measuring TEFCA Against Itself (3:19 – 8:06): Adoption looks lukewarm next to Carequality on document volume, but two years ago IAS was zero. Pryce’s broken query to his Athena PCP illustrates the fingerprinting problem when something fails and no one can tell whose fault it is.
* Five Generations of Patient Access (8:06 – 15:35): From the HIPAA right of access through View Download Transmit, scrapers, Cures Act G10 APIs, and now IAS. Each generation solved the prior bottleneck and surfaced the next. Portalitis, Kristen Valdez’s term, and why IAS still falls back to G10 like Apple Pay falls back to cash.
* Diagnostic Imaging and the Limits of TEFCA (15:35 – 21:31): Brad’s CD-to-NYU story opens the question of whether new data types ride TEFCA or get their own networks. PACS unregulated, files enormous, 30 competing standards, proprietary vendor incentives. The Dutch precedent with XDS-I and TWIIN shows it can be done, and there are real reasons clinicians want pixels, not just reports.
* Authentication vs. Authorization (21:31 – 27:39): Pryce walks through how IAS jams identity proofing and data-release consent onto rails not designed for the distinction. Epic alone runs the FHIR redirect flow, every other QHIN hands back the treatment CDA with an IAS header, and the antitrust litigation against Epic now treats that architectural choice as an exhibit.
* The HIPAA Liability Math (27:39 – 30:37): Why Cleveland Clinic’s general counsel sees only downside without an OIG safe harbor. The CMS Health Tech Ecosystem is pushing authentication out anyway, leaving authorization as the more interesting question, including what hospital-side authorization could have unlocked for proxy and caretaker scenarios.
* The GDPR Cookie Banner Problem (30:37 – 33:44): Brad’s prediction that patients will “accept all” and dump the whole record into whatever app asked. Trade-offs of authorization on the app, the credential service provider, or the health system, and what gets replaced with legalese and CARIN-style certification when the technological barrier comes down.
* Memorial Day Burger Toppings (33:44 – End): San Antonio sausage wraps, Dutch mayonnaise jokes, and a closing reminder that HTD is hiring.

Transcript

We ran the transcript through an LLM to smooth it out, so it’s a rough approximation of the conversation (and in many cases significantly clearer than our rambling), but it notably diverges from the word-for-word exchange quite a bit.

Brendan Keeler (00:00): All right, we’re back.
The Information Exchange. Ryan is unable to make it today. So we got Pryce and Brad and Brendan. And we have a PSA to kick things off. HTD is hiring. So we are looking to hire interoperability associates. If you are interested in EHR integration, health information exchange, data migration, referrals. If you like working with point solutions, like working with payers, like working with clearinghouses, big tech, small tech, non-tech, law firms, PE. We got it all. If you want to work on data exchange, if you want to use information blocking practically, not use information blocking, but wield the powers of regulation strategy with these fine gentlemen and the broader HTD team, then reach out to us. And with that, with that, we’re going to kick things off, and it’s Memorial Day. It’s the government’s day. We all have off, but

Brad (00:45): Come hang.

Brendan Keeler (00:55): Let’s talk about what the government’s been doing with TEFCA, the Trusted Exchange Framework and Common Agreement. Pryce, where are we at? What’s going on? What are you excited about? Where are you less excited?

Pryce (01:03): Yeah. Well, so real quickly, sometimes I feel like we dive into topics and I think we should have just spent 30 seconds explaining what that is for folks who aren’t hearing about the Trusted Exchange Framework and Common Agreement all the time. So this is a segment, maybe we can call it Pryce Transparency. Shout out to Nathan Von Colditz for naming that. So TEFCA, the Trusted Exchange Framework and Common Agreement. It was written into the Cures Act that the ONC would find a coordinating entity to manage this nationwide federated exchange framework for clinical data. The way that it was built, and sort of the framework itself, is that there are various QHINs, Qualified Health Information Networks, like Kno2 and Surescripts, and then Epic built their own called Nexus, and then Oracle’s got one now, and MedAllies has one, and KONZA has one, apologies for any that I’m leaving out. But these Qualified Health Information Networks have sort of very... like bold obligations to the network. And they’re almost like the Verizon and the AT&T and the Sprint of this nationwide network. And when I say it’s federated, what I mean is the data is everywhere, right? So data is in electronic health records, data is in payer systems. And we’re not pumping it all into one big server that sits in a mountain in Colorado or something like that. These are federated databases, and TEFCA and the QHINs, these, you know, maybe eight now health information networks, allow us to onboard to them to query for Brendan Keeler’s data. Maybe Brendan has an appointment tomorrow and an EHR can say, I want to know more about Brendan before he comes in. Or maybe Brendan himself is saying, it’s my data and I want it now, like JG Wentworth. And he goes to do what’s called an IAS, Individual Access Services, query to the network. There are tons and tons of nodes that are helping you on-ramp into this network of QHINs. So think of it more like a phone book or a spider web than a big database. But TEFCA has been around for years now. It’s been live for years now. Adoption is, I would say, lukewarm. It’s not mandatory for any reason, right, Brendan? It’s completely voluntary to join. There’s no incentive structure that’s bringing entities in except for added usability for their users, right?

Brendan Keeler (03:19): Well, there was the TEFCA exception within information blocking, which is an interesting route the last administration took to push it forward. With the HTI-5 proposed rules, it looks like that will be ripped out. I want to push on what you’re saying. What is your measure for lukewarm?

Pryce (03:36): That’s a good question. Good question.

Brad (03:38): More than 500 million records.

Pryce (03:41): I would say... If you’re familiar with Carequality or CommonWell or eHealth Exchange, which have been the nationwide networks that have been around longer, those are still being used to exchange CDA documents, Clinical Document Architecture standard documents, which were generally patient summaries or discharge summaries, things like that. Those networks are being used to exchange a much higher volume of documents, generally for the purpose of transitions of care. All of these networks pretty much only allow treatment use cases. Like, you have to be a provider querying other providers to get data. TEFCA has recently introduced that Individual Access Services use case that I talked about, and they all have trouble introducing other use cases because it’s hard to trust, you know, thousands of nodes on a network that you don’t actually have agreements with, business agreements with. And so I guess TEFCA has seen a lot of adoption in that Athena’s on TEFCA, Epic sites are on TEFCA, if not completely, they’re trying to roll out to make sure their endpoints are available. Who else is already on there?

Brendan Keeler (04:41): So MEDITECH, Athena, ECW, Epic are all on there. Oracle has a few sites, right? Because they gave them a QHIN later, of the 11 QHINs that are participating. So, yeah, I think lukewarm, the measure, the metric, there’s always, what’s our bar for success, is the way I think about it. And...

Brendan Keeler (05:01): Relative to Carequality, it’s like, look, the numbers just don’t match up. But exchange in a decentralized network is exponential in terms of growth, because the number of connections goes up exponentially with each new participant in terms of linking between them all. And so I think it’s like, okay, is that successful? Well, by treatment, if you’re measuring against Carequality, it’s like, well,

Brendan Keeler (05:26): It’s not even close, but should we be, or should we be looking at it as a net new network because it’s facilitating Individual Access Services, which was zero before? And so by that measure, you might say, wow, what a stunning success, because it’s doing something at scale, with some problems that we can talk about. So the measure and metric, I think I’m putting it relative to where it was two years ago, which was zero.

Pryce (05:41): Yeah. Right. Right. Well, and you know, it’s funny, we had the same conversation just on the last podcast towards the end. I said something about the CMS Health Tech Ecosystem and is it going to be successful, and how much work are they getting done? And Brendan was like, they’ve gotten so much work done considering it’s only been nine months. So that’s a good point, Brendan. You know, if I was building something, building an electronic health record, and I wanted to connect to a nationwide network to pull charts, TEFCA might not be the first entity that I connect to, but even the fact that it’s going to exist and hopefully supersede Carequality in use cases is a great success. I guess I’m just saying it’s not quite like the king of electronic health data exchange. And particularly, I guess something that sours how I feel about it is that I have a terrible Individual Access Services experience every time I use it, a little bit per implementer. You know, from an IAS provider perspective, there are these different companies that have built mechanisms for you to authenticate that you are yourself, usually using something like a CLEAR or an ID.me, which is IAL2 level authentication, saying I’m looking at your face and I’m looking at a government-issued ID and I say, this must be Pryce. And then you can send a query to your QHIN that says, go look for Pryce’s charts. But man, I mean, I’ve got an Athena-based doctor down the road that doesn’t respond to my IAS queries. You know, when I go to the network and say, I need my charts for, you know, for my Oura app. Like I want it to be tied to my sleep score and things like that. I never see the North San Antonio Healthcare Associates. And I don’t know if that’s Flexpa’s fault. That’s just an example of an IAS implementer. I don’t know if it’s their QHIN’s fault. I don’t know if it’s Athena’s fault. I don’t know if it’s my site on Athena’s fault. Like if it’s my particular provider who’s like, our counsel doesn’t like the idea of that. Don’t turn it on for us. And so. Yeah, it’s hard. Again, as far as success goes, I’ve never built a Trusted Exchange Framework and Common Agreement. So props to the folks who’ve done it. But, you know, it’s been disappointing so far for me. And I’m wanting to know how to push the ball forward.

Brendan Keeler (08:06): Yeah, Brad, what about you? You tried it out?

Brad (08:07): Well, as I think all the listeners should know, whenever there is a new opportunity to test one of these, I think I’m one of Brendan’s trusted exchange dummies. You got guinea pigs? Most, I mean, the weird part about this for me is my healthcare for the past, let’s call it nearly a decade, has been at two health systems, the random third one in there that we

Brendan Keeler (08:18): Guinea pigs, if you will. You’re my guinea pig.

Brad (08:31): Don’t need to talk about. So the request pattern for me is pretty straightforward. And if I use somebody, you know, if I test somebody who’s also using G10 APIs, then I can just log in and I get everything. Honestly, this isn’t really a critique of the network, but if I had to critique one part about my experience, it’s that my problem list or my conditions just never gets cleaned up. And so for somebody, I’m not living with any, aside from being morbidly obese, and every sort of after-visit summary, I’m not, yeah, it says I have a torn calf that happened six years ago, and why has nobody taken that off? I don’t need IAS to really change anything about my life, but it is frustrating as a patient to suddenly be able to see everything and feel like, it almost makes me feel like I have less agency, which I know is, that’s like a tangent that we don’t necessarily need to go down. I have lived in the same city, I have gotten the same care from the same set of providers for a really long time. I hear stats about people not moving more than two zip codes away from where they were born, or like not a super mobile population. I sometimes come back to, how big is the problem that we’re solving, or can we define specific use cases that house an actual documentation or transparency problem instead of saying, can we get 7 billion records exchanged across TEFCA?

Brendan Keeler (09:57): If you look at other network-based problem sets like payments, there are ubiquitous networks like cash, right? Cash is a ubiquitous network in terms of being able to go and bring it to most places historically and use it. And even with the advent of check and credit card and other technologies, cash still prevails because of ubiquity, flexibility, et cetera. And so as we think about Carequality, like will it be sunset or something? Well, there’s ubiquity to it. So maybe it persists. As we think about prior patient access networks, you hinted at one, Brad, that I think we should illustrate further, which is that Individual Access Services is the fifth generation of us attempting to give patients access to their data. And so it started with HIPAA in terms of the patient right of access, a very manual but ubiquitous process where I can go, statutorily, with a statutory right, and request my information from any hospital. That is ubiquitous. It applies to all covered entities.

Pryce (10:57): But that was like a right, not a process. It was ubiquitous.

Brendan Keeler (11:00): But it establishes a ubiquitous... Sans HIPAA, in that right, you go to your hospital, they’re like, hey, get the hell out of here. And so it’s not ubiquitous. So it built a ubiquitous, albeit manual, network like cash. And so it’s persistent. It’s still the fallback. We then had View Download Transmit, which for all certified EHRs, they needed to give a capability in the patient portal to download a CDA document. And so, not as ubiquitous, but pretty far along the pattern in terms of certified EHRs are many, many different providers. And as a result, scrapers, you know, HumanAPI and other scrapers, built the capabilities to reach in there and built a network, right? A network to allow for programmatic access to those CDA documents. Pryce, your hand was up. So you got a thought, I think.

Pryce (11:45): I was just gonna say, I just wanted to clarify, I think View Download Transmit was like Meaningful Use or something. So what era are we talking about? Like 2015-ish or something? Okay. And then the output, just to be clear to the layperson, I mean even myself, because I’m not an engineer, a CDA is like an XML-formatted blurb of

Brendan Keeler (11:53): 2012, yeah, 2010.

Pryce (12:10): confusing information to the layperson. And so it was available programmatically, but maybe not immediately usable unless you were using one of these aggregators like OneRecord who could figure out how to make it usable for you.

Brendan Keeler (12:23): The hypothetical benefit was that CDAs also were both computable formats and also, with a renderer, you know, could be rendered visually. Like that was one of their benefits and why people liked that format. So hypothetically, it was beneficial in that way. The bigger barriers were typing in your username and password to individual patient portals. And so...

Pryce (12:43): Which is authentication. That’s proving that you are who you’re saying you are. If I say I’m Pryce and I know Pryce’s username and I know Pryce’s password, then the system just has to assume that I am Pryce.

Brendan Keeler (12:55): Yep. And so that persisted. We assumed that the problem with that generation, the CDA and View Download Transmit generation of patient access, was the format, that it wasn’t programmatic enough, that it wasn’t an API. And so with Meaningful Use 3, but really the Cures Act, we said, okay, certified EHRs need to make available APIs with core clinical data that can be surfaced to third-party applications. So we assumed from a regulatory and policy perspective,

Brendan Keeler (13:22): that would fix it. That was the big problem. And then people aggregated those APIs, notably 1up Health, notably b.well, notably OneRecord were some of the big people to push that. Yep. And we encountered another problem. What’s that problem? Username and password is, for Brad, not challenging. But for some populations, if you have chronic illnesses, if you’ve moved around a lot, you might have a lot of portals. You may not have activated those portals with a username and password.

Brad (13:49): Yeah, the activation. I know you did. There’s a great piece, if you want to know how psychotic Brendan is, of him signing up for every MyChart. And the one health system that is not in New York City that I have records at has this insane, you have to get a PIN code. And they mailed me a postcard, and I didn’t get that postcard fast enough for the... I was like, why am I going through a three-month process to create a username and password for a health chart that I don’t care about? And I will say I can now get access to those records. So that’s positive. Thank you, TEFCA.

Brendan Keeler (14:20): What is security if not a three-month friction-filled process? The bad guys can’t get in either.

Brad (14:26): No? You better have the key to my mailbox. You better have... It was wild. Yeah.

Brendan Keeler (14:32): But that was the barrier perceived by our regulators. Kristen Valdez of b.well has termed it portalitis, right? For these frequent flyer chronic illness or sickos like myself that go and sign up for all the portals, by whatever means, whatever it means, if you’ve gotten so many portals, it takes a lot of time to log into the 57 portals. Literally, it takes me half an hour. And so they,

Brad (14:47): That’s a different form of chronic illness.

Brendan Keeler (14:59): TEFCA Individual Access Services supersedes a fairly ubiquitous capability, the Cures Act G10 APIs, with a less friction-filled experience where you take the CLEAR, ID.me or Persona ID proofing, selfie and such, and then can hypothetically pull from the network, the problem being it’s not at the same ubiquity. And so I think of it like Apple Pay or Google Pay, where you’re like, sweet, I can use that sometimes, but I can’t use it all the time. And so we still fall back to check. We still fall back to ACH. We still fall back to cash when we want to get ubiquity.

Brad (15:35): Question for you guys. So I get excited about new capabilities, and diagnostic imaging. One part about getting my records when I had a weird illness, I had to take a CD into NYU for them to put my imaging in and then mail that off to somebody else, which was like,

Brad (15:56): I mean, I figured out how to do it, but like, had I not had time to take off work, those images would have never gotten out of NYU. Is ONC, and maybe we don’t know the answer, but when ONC considers new data types to be exchanged, is TEFCA the default network that they’re gonna use, or will we establish different networks?

Pryce (16:16): I think it remains to be seen, right? I mean, like, so CMS put out an RFI for diagnostic imaging this year.

Brendan Keeler (16:21): It was the ONC, actually.

Pryce (16:22): It was the ONC. Okay. Did they say we should do this on TEFCA? No. And if they were to try to do that, it would probably require a lot of new technology, because right now TEFCA is largely CDA and XCPD still, which is

Pryce (16:37): HL7 version 3, FHIR sort of HL7 version 4.

Brendan Keeler (16:40): The history here, there’s a couple commingled factors that make it challenging. So diagnostic images aren’t in the EHR typically, right? They’re in the PACS system, which is unregulated. So that’s challenge one, how do you get Sectra and AGFA and all these other PACS to build the capabilities and to play in the ecosystem when they’re not regulated? That’s challenge one. Challenge two is these are big files, right? Terabytes potentially, depending on the type of diagnostic image that’s produced, let alone video for endoscopies and such. Three is, you know, what are we doing matters? Because just surfacing in the USCDI data sets as, this is a core piece of clinical data. And then it’s like, are we doing patient access to that data? Are we doing B2B networked exchange? Are we just making it available for point solutions? There’s different problem sets to be solved. And so the RFI was inclusive. It was sort of poking around at all of them. It was like, all right, how would we do it for provider to provider? How would we do it for patient access? The nice thing for patient access is that brilliant HL7 geniuses, particularly Josh Mandel, have already done an implementation guide and planned out how you do it for that problem set. Like what are the ways the EHR would interact with the PACS. For B2B, what’s interesting is there’s like 30 different standards. So there’s been many different cuts at WADO-RS over DICOM or all these different obscure acronyms for how could you translate it, or transmit it rather? And no one, we never reached a consensus. There were even Carequality and CommonWell implementation guides for diagnostic image exchange. And they tried to engage different vendors like AGFA and Ambra and Life Image. They were like, well, why would we do this? We want to do our proprietary private networks for diagnostic image exchange. And so it’s challenging. It’s challenging for all those reasons, but precedent, international precedent, shows it’s possible. So the Netherlands does diagnostic image exchange. They use what’s called XDS-I. So basically, an extension of the technologies used for Carequality and CDA exchange. And they do it not ubiquitously, in regional health information exchanges. They have what’s called TWIIN, which is a national initiative, and they’re making tremendous progress there. So it’s just about picking it, incentivizing it and getting people to play along.

Pryce (19:05): You know, it does matter what the use is here. Like we think, okay, so why are images not flying across this network as well? And then my first thought is kind of like, well, generally the moment an image is taken, it’s for, it’s diagnostic imaging. Then a radiologist who is affiliated with where the image was taken interprets the image and writes all about it. And then it’s back in the EHR. So in a lot of ways you could say, well, the juice, the value of the image, has already been extracted, and somebody should have access to that information via CDA exchange or FHIR APIs, things like that. Of course, I guess it makes sense that a lot of physicians or radiologists or whomever would say, well, I would actually like to see the image myself as well and come to my own conclusions. Is that what’s happening here? Is that why people are always like, I want the image instead of just the diagnostic study, which is sort of the outcome of what we thought of the image?

Brendan Keeler (19:57): Brad, you look like you have a thought.

Brad (19:58): I would guess that this is a trust issue, and like whether or not I think somebody read the diagnostic study correctly. My opinion is slightly tinged by, has the ability to get those records between systems, the diagnostic studies, improved over the last five years, when I had to deliver a CD to the hospital, or?

Pryce (20:20): You’re saying, would it be more likely nowadays? Yeah, yeah, yeah. Would it be more likely nowadays that the doctor to whom you’re going next is like, well, I already get the gist of what the image, what that MRI said, or, yeah.

Brad (20:22): Like, has it changed? Yeah.

Brendan Keeler (20:32): There’s just a lot of workflows where it’s valuable. A second opinion is just an obvious one, where it’s like, I think this radiologist is s**t, let me go down the street, and suddenly you gotta go get another MRI or something. That stinks. It could be like you get injured again, right, you break your leg again, and they’re like, okay, well, let’s go see what the break originally was last time. Looking at the...

Brendan Keeler (20:55): the radiologist report might not give the information to the new radiologist of like, okay, what happened here? How did he all like there? And then there’s value to these diagnostic images, right? If you could build a big data set, you could start to do nifty things with, you know, radio AI radiologists and things like that. So there’s a variety of reasons that yes, the diagnostic reports that are produced from these images are transmitted, or should be transmitted at least, but still there’s voracious demand to understand and see the actual raw images for reinterpretation or different reasons.

Pryce (21:31): So to build on this, we’re saying what we have is live. The Trusted Exchange Framework has tens of thousands of hospitals on it, and you can send a query up to a QHIN that says I’m looking for Pryce. He has an appointment with me tomorrow. Then queries go out to all the other QHINs that try to locate me based on my demographics and my identity, not based on some sort of universal identifier. And then notify, not yet, not until I get my imperial chain code, Star Wars reference. Great weekend, just saw the Mandalorian and Grogu last night. At first, really, the tough code was like, okay, covered entities are going to exchange data with covered entities, and they will authenticate against each other.

Brad (21:55): Not yet.

Brendan Keeler (22:01): It’s a good weekend for that. It’s a good weekend for that.

Pryce (22:15): You will know that it is Hopkins making the query when Hopkins makes the query. And then the authorization, the next step, authentication is, I know the server making the query. Authentication or authorization? The second Z there is like, do they have permission to access this data? I believe they are who they say they are. And now what data do they have permission to access? And by and large, you know, providers should have access to clinical data when they’re treating someone, and the whole chart, except for maybe behavioral health information, would be exchanged so long as patients opted in and things like that. But we’re talking about how using the same framework for multiple use cases can be challenging. How do you implement this if it’s a slightly different use case? And so with Individual Access Services, we see an interesting debate happening. I guess I’m not sure the history of this debate in TEFCA, but I can tell you it’s certainly happening, or people are thinking about it a lot with regards to the CMS Health Tech Ecosystem and CMS Aligned Networks. When we do Individual Access Services, like I said, I might take an app that’s gonna help me query TEFCA for my records, and it will use CLEAR to verify that I am who I say that I am. And it’ll go off and query the networks, the QHINs, and say, it’s for sure Pryce looking at his phone. He wants to give his data to Oura, because he is an Oura user and he wants to allow them access to his charts at his Athena PCP. The question then is, okay, I’ve authenticated that I am who I say I am. Typically, I would then need to authorize some sort of release of data from the system that actually has it. So just as an example, when you go to sign in to Instagram and then it says, do you want to sign in using Google? You click yes, then it takes you to Google and Google says, do you want Instagram to have access to your name, your birthday, your email, et cetera? And you say yes. And that is you authorizing. You’ve authenticated that you are who you say you are, and you authorize the exchange of data for a certain time period or for a certain scope of information. And right now, that’s not exactly happening with TEFCA. The authentication is saying, okay, this is definitely Pryce, return his chart. And only Epic, I think, is at the moment on TEFCA then redirecting. This is pissing a lot of people off, because they think it’s Epic sort of blocking the liquidity of data. But Epic then says,

Brendan Keeler (24:36): There’s literally, let’s be clear, there’s literally an antitrust lawsuit by the AADJ against them alleging that. So yeah, I would say some people think it.

Pryce (24:42): Well, it’s for a lot of things. Yeah, I could go on about that for a minute too. So yeah, it’s just like, is Epic right or wrong by saying, well, okay, I believe that it’s Pryce on the line. Now I want him to log in and tell me, here’s your records from Hopkins, you know, which uses Epic. How long do you, do you want us to give them your allergies, your meds? Do you want to give us all this? How long do you want them to have access to it? And so in a way, Epic thinks that they’re being pragmatic and, I guess, usefully limiting the unlimited exchange of healthcare data without my permission. But in a lot of ways, people are like, no, if Pryce took his picture and he asked to fetch his records, he wants the whole thing. And so authentication and authorization at the moment, they’re hard to implement separately because people wanted them to be jammed together, but we’re doing this on rails, you know, that didn’t account for this kind of very nuanced piece of the workflow. So yeah, where have we landed with that, Brendan? Maybe you could tell us, is there an official recommendation from TEFCA or from the CMS Health Tech Ecosystem as to how we’re handling that for Individual Access Services?

Brendan Keeler (25:53): Yeah, a couple of things I’ll layer in. Epic alone is doing the FHIR-based flow, right? So when data is retrieved for Individual Access Services, it’s going through and doing what’s called an XCPD first, right? Which is not FHIR. It’s a patient search to all the QHINs. It says, hey, do you have Pryce? Do you have Brendan? Do you have Brad? Here’s the identity token that proves that they proofed with CLEAR, proofed with ID.me, proofed with Persona. And then those different QHINs say, yup, here’s where they’ve been seen. So for me, it’s like 50 Epic sites, one ECW site, some random HIE that I’ve never been seen at, which I don’t know why it’s happening. And anyway, then they go and they can do one of two things. They can either go and do a CDA retrieval, if that’s what’s supported, or they can go and do the FHIR flow. And so for all the other Individual Access Services implementations thus far that we’re aware of, they just said, okay, well, if you include Individual Access in the header of your CDA retrieval, we’ll give you back the CDA that we give for treatment. So it’s a very blunt, old-school approach, but probably simpler to implement than full new FHIR flows.

Pryce (27:00): Well, and admittedly, 95, 98, 99% of the people who are taking a picture of themselves on CLEAR to fetch their patient records probably just want the whole patient record to come back. They’re not looking to then talk to Epic and say, yeah, it was me. Here are the pieces that I want. But go on.

Brendan Keeler (27:15): I don’t, does the end user care? Like, they care that the job to be done that they’re doing is done, is the way I think about it. Does the app care? Well, I think there’s a lot of people out there that would say, well, we need to get to a FHIR, a new FHIR-native network. And in that way, the only person pushing on that right now, thus far, is Epic. So props to them. We have to give... what was it? S**t sandwich, right? Like the positive, the negative and the positive. So the,

Pryce (27:20): Right, that’s what I’m saying.

Brendan Keeler (27:39): The s**t part, the middle part, is authentication and authorization. With the CDA flow, you’ve already identity proofed, great. You got authorization, you got authentication baked in, you pull those documents, have fun. For the Epic flow, from a privacy perspective, from a security perspective, they’re saying on behalf of their health systems, we need to have a layer of authentication and then the authorization to prevent security breaches, is the argument that’s been posited. Until they can get government relief from the OIG saying, hey, if we release this pattern, we’re not gonna be liable for a HIPAA breach, then they have been pushed saying, we don’t wanna do this because there’s no upside. What is the upside to doing this except somebody suing us when a breach happens in this pattern? And make no mistake, people sue about these things all the time, all the time. And HIPAA doesn’t afford a private right of action, but they find patterns and ways, right?
We see this with the lawsuit where there’s all these class actions that are brewing. And so there’s a reality that people need to at least understand that that is the math for, you know, Cleveland Clinic’s general counsel. The ship is sailing there though, because ⁓ the CMS Health Tech Ecosystem. All these trends are saying we gotta get rid of authentication. Optically, it’s not looking good for Epic. So authentication is at least consolidating down to MyChart Central, right? One login for Epic and probably looking to get rid of it at some point later this year in the future. so authentication goes away, but authorization is interesting because it’s like, well, if I have authorization, and it’s on the health system side, then I can do nifty things like deal with caretakers or deal with other proxy situations so that Pryce, after he’s identity-approved and starts to pull records, could then select and say, okay, I want it for my son or for my mother or somebody, you know, a proxy situation. And so that could be accommodated in a slightly more straightforward fashion with hospital-side authorization. But I also think the ship is sailed there where people are like, well, we want authorization outside of the EHR, outside of the provider, which means that we have to go reinvent something to deal with proxies.Pryce (29:53): Also really quickly, Epic actually does enable health systems to turn on, either respond directly to the IAS query or ask for authorization from the patient by not only requiring the IAL to OIDC token from Clear, but also get them to log in and say which part. Those health systems, those Epic using health systems can allow either path. And to your point, Brendan, all of their, you know, regulatory compliance and legal officers are saying, make it as hard as possible to access this data unless it’s Brendan, unless he knows he remembers his password and his username, things like that. 
So it’s interesting, like they can develop something, but they’re not implementing it. It’s these providers who are implementing it the way that they want to implement it. Brad, did you have something to say?Brad (30:37): I was gonna say for the lay listener, like we’re talking about whether or not consumers want GDPR cookie banners, like do you want to accept all, do you want to go through and experience wise, I think as long as IAS is an accepted paradigm, most patients, based on other industries, most patients are just gonna take the whole record.Brad (31:00): if they can get it and not be discerning about it. this is a can of worms that I don’t think we should open, but that leads to likely a lot of leakage of that health data. It’s going to entities that are not covered by HIPAA. I mean, Equifax lost all of my information a long time ago, so I’m constantly locked down. But we’re going to see... we’re probably going to start having to go through a CLEAR identity process for like billing purposes because the chance for fraudulent billing with our health records is going to explode dramatically. This is just law of unintended consequences, which is a hard thing to open towards the end of our time that we can talk together. I do think, regardless of what businesses try to do, patients are going to look for the easiest solution. And the easiest solution is dump everything and let let the vendor who’s getting this data figure out what to do with it.Brendan Keeler (31:55): Yeah. And it’s why, look, I think of everything in trade-offs. it’s like all these architectures we’re talking about where author, you know, where all legalized, processized, technologies, technologize it. you know, you think about the trade-offs of like, what does it mean to put authorization on the health system side? What does it mean to put it on the credential service provider, like clear and what would it mean to put it on the app? 
And there’s just trade-offs that are very clear about those architectures. And we have to consider, okay, what are we, what are we optimizing for?Brad (32:00): Legalize it.Brendan Keeler (32:22): like we would in a product management. It’s like a product management hat of for this national product, this national architecture, what are the trade-offs? And so the trade-off, the biggest trade-off with app-owned authorization is you no longer have separation of church and state, right? There’s, have to control and constrain the behaviors of the app by legal, by legal terms, by saying, you need to, you’ve certified the CARIN code of conduct. You’ve been certified by this group. You’ve signed this thing. Whereas if another entity, CLEAR or ID.me to own authorization or the health system, then suddenly, you know, the vector for abuse is mitigated by separation of who is asserting something and who has certain prerogatives.Brendan Keeler (33:07): It seems like we’re choosing to move it to the app layer and that’s fine. We just need to be really, really honest with there’s going to be apps that want to have a different, there are good apps today, like B.well or like Fasten right? That are good and honest and think, think thoughtfully about how they’re treating patients. There are less scrupulous apps that will come and how do we constrain them from abusing it when their intention. and their goals differ from the patient’s. We can do it with legalese, can do it with certifications, we can do it with all those behavioral things, but it removes the technological barriers towards abuse.Brad (33:44): Well, it’s Memorial Day weekend. We’ve told you a lot about TEFCA, but what’s everybody putting on their burger this weekend?Pryce (33:52): Ooh, I think I still need to buy sausages and tortillas because that’s how we roll down here in San Antonio. A little sausage wrap.Brendan Keeler (33:57): Dang, we gotta get down there for a team trip. 
That’s what’s up.Brendan Keeler (34:01): I’m gonna go, I’m doing it Dutch style, I’m gonna do mayonnaise on my burger. Just kidding. Brad (34:05): What?Pryce (34:07): Is that Dutch?Brendan Keeler (34:08) But anyway, no just kidding, I’m not a sicko, I’m not a sociopath, at least in that facet of my life. alright, well have a great Memorial Day. If you’re interested in working with this crew on TEFCA, on IAS, on all the good things, please reach out and we’ll talk to y’all later. Get full access to Health API Guy at healthapiguy.substack.com/subscribe