The Pre-Holiday Policy Dump

We had fun with our “Not-a-Podcast” last week, so Pryce, Brad Thorson, and I hopped back on a video chat to try to make sense of what felt like an entire month of health IT news compressed into a single pre-holiday week. We discussed:* ASTP’s secret new beta website that Pryce found* Steve Posnack’s post on TEFCA and CMS Aligned Networks, and what “floor vs. ceiling” means for nationwide exchange* Why appointment and encounter data are harder than they look, especially as exchange shifts from historical records to forward-looking signals* Pull-based exchange vs. event-driven workflows, and where today’s networks still fall short* Information blocking guidance from ASTP, including RPA, the manner exception, and enforcement signals* TEFCA Operations and reciprocity, and why incremental adoption may beat premature mandates* AT Protocol’s parallels to healthcare data exchange* Epic’s Community Registries, and the broader implications for registry vendors and network effects* Where HTI-5 might land, and what it signals about API-first regulation and reduced switching costsUnscripted? Yes. A little nerdy? Also yes. Unexpected tangents and rabbit holes? Okay, yes, yet again. But we do think and hope you’ll enjoy.Health API Guy is a reader-supported publication. To receive new posts and support this work, consider becoming a paid subscriber.Chapters* 00:00 - Introduction to Health Information Exchange (HIE) Dynamics* 01:00 - TEFCA and CMS Aligned Networks: A Deep Dive* 03:15 - Encounter Data and Its Implications* 06:03 - The Role of Appointment Data in Healthcare* 09:04 - Provider Steering: Opportunities and Challenges* 11:52 - Tensions Between TEFCA and CMS-Aligned Networks* 15:06 - Information Blocking and Regulatory Updates* 18:01 - Recent Developments in TEFCA and ASDP* 24:48 - Data Harvesting and Governance in Health Tech* 26:14 - The Future of Health IT Standards* 30:50 - Understanding HDI 5 and Its Implications* 34:40 - The Role of Data Portability and Switching Costs* 39:57 - The AT Protocol and Its Impact on Data Sharing* 44:02 - Epic’s Community Registries and Privacy InitiativesTranscriptWe ran the transcript through Gemini to smooth it out. So it’s a rough approximation of the conversation (and in many cases significantly clearer than our rambling), but notably diverges from the word-by-word blows in some places.Pryce Ancona All right, we are back to “Not-a-Podcast.” We’re back just talking over video, and we have Brad with us this time. All three of us are with HTD Health. I’m very excited to be chatting today because it’s been a busy week in DC. Just this morning, I was preparing for a little talk on how disparate HIEs and Health Information Exchange look nowadays, and I accidentally stumbled upon a beta website—a new website facade for the ASTP. With how much I’ve been anticipating HTI-5, it’s just nice that we keep getting little Christmas gifts before Christmas is actually here.So there’s a lot to cover. We’ve got two blogs from Steve Posnack in the last few weeks. One of them is a little more directed at how TEFCA and CMS Aligned Networks are engaging with each other. I’m curious to hear from Brendan, if I may. What was your take? I know you wrote a little bit about that. Let’s dive right into it.Brendan Keeler You may have found the beta website, but there was a whole lot of alpha in Steve’s post, if I have to go there. Steve has three posts, actually. Two weeks ago, he kicked it off saying, “I’m going to start writing again.” Then he had the TEFCA post, “The Tide and the Speedboats,” earlier this week. And then even today, another mini post saying, “Hey, check out this cool stuff we’re doing.”Like you said, we all thought from Dr. Keane’s comments in DC last week that HTI-5 is coming. ASTP is doing something. Maybe we still get HTI-5, but we get these posts first. Earlier this week, we had “The Tide and the Speedboats,” which was a statement about TEFCA, the future of TEFCA, and the intersection and overlap of CMS Aligned Networks (another government network initiative) as part of the CMS Health Tech Ecosystem.Steve’s statement was pretty clear. He said, “Look, these are complementary. TEFCA is the floor. CMS Aligned Networks is the ceiling, exploring the far edges, the outer reach, the really cool advanced stuff.”The piece that I thought was interesting? He said, “Hey, scheduling data? Not something TEFCA really does right now. Encounter? Not really something TEFCA does right now.” And that’s kind of true, kind of not. Encounters are in USCDI. You can pull them. But then you can say it’s about push notifications, which is true—TEFCA doesn’t facilitate that today. I don’t know if you guys have any thoughts sparked by that or other pieces.Pryce Ancona Brad, you go first.Brad Thorson Well, I haven’t read Steve’s post today, so it sounds like I have some reading to do right after this. Regarding the CMS Aligned Networks: staying on the Herculean task of getting co-opetition without the regulatory framework that TEFCA has is tough. If CMS Aligned Networks starts to pull in more types of care delivery information that isn’t traditional EHI, that feels like it complicates the end goals. Pryce, I don’t know if you read it and want to say anything there.Pryce Ancona The one thing I was going to say is, Brendan, when you called out that TEFCA does already support the exchange of encounter information, the way I read Steve’s post was actually, “Oh, we don’t have a concept for this proactive FHIR notification, FHIR subscription, or event-triggered push of encounter or appointment information.” That’s the way I read it because that’s item 15 in the CMS Aligned Network framework.But then upon reading your thoughts, I wondered: Is he talking about clinical information from encounters, or is he talking about appointment information that you’d be receiving before an encounter takes place?You mentioned that TEFCA is trying to create a floor and the CMS Aligned Networks are trying to create a ceiling. But I keep wondering, doesn’t TEFCA have a ceiling too, already set with the SOPs? What happens when two CMS Aligned Networks or two CMS-engaged parties in this ecosystem try to use TEFCA rails for something that TEFCA has not yet permitted or proposed? Will those things start to come to a confluence? Are they not really complementary, or will they just fall right into how people start using TEFCA? These are things that I haven’t really mulled through yet, but I have a feeling you have.Brendan Keeler I’ve got the tea, I’ve got the holiday wine—whatever kind of mulled drink you’re looking for.To the first point about encounter data: Yeah, if you read it as notifications, TEFCA doesn’t do that, right? There have been attempts to do notifications—Carequality, Commonwell, and TEFCA are all query-based networks. In the Carequality world, there was an implementation guide for notifications. They put it out there, said, “Here’s how we’ll do it,” and nobody used it. So, TEFCA doesn’t have that SOP or definitions in place. Fair.But the way he wrote it implies this other criteria. It gets to a very interesting topic. As we think about the USCDI core clinical data, we have historic data—the things that have happened: procedures, medications, notes, labs. That’s “easy mode.” “Hard mode” is when we’re thinking ahead about the care plan and what needs to be done.Unfulfilled needs are market signals. As you put a market signal onto a network, one, they’ll use it for care, understanding the care plan, and collaborating. That’s the cool part. The part that’s going to bring more tension is that it is also market opportunity. That is unrealized revenue. If I can see it, I can say, “Let me steer that towards me.”We’ve seen that tension boil over before. SureScripts has fill data and understands there are refills outstanding. If you’re a pharmacy and you know that, you can say, “Hey Brendan, come fill it over here for cheaper or faster.” For years, SureScripts prevented pharmacies from accessing med history. They caught PillPack pulling that data through an intermediary to say, “Hey, come and use PillPack,” and they cut them off.So, when you have forward-facing activities—via orders, appointments, or prescriptions—you can start to say, “Let me steer towards the things I want.” This might be good for the patient (better care plan, no cracks), or it could be more nefarious (poaching orders). I think that’s going to come to a head as we get to this world via TEFCA, CMS Aligned Networks, and USCDI iteration.Pryce Ancona Man, provider steering. It’s good and bad.Brendan Keeler It’s good and bad. Back in the day in the Carequality/Care Everywhere world, this was the main fear. Before providers were hooked up for “Treatment” purpose of use, the big discussion was, “Oh, Dr. Smith down the street is going to steal my patients.” That proved not to be true. By and large, the use case was just: “Pryce just got hit by a bus, he’s in the ER, we need to get his records.” And they realized how transformative that was.Pryce Ancona Right. Something I’ve been thinking about—as a former Cadence implementer with Epic, appointments have a special place in my heart. As far as CMS work groups go regarding notifications of appointments and the “Kill the Clipboard” initiative (where you show a QR code with all your clinical and administrative data), I keep thinking about how appointments and SIU notifications don’t have insurance information on them. You really shouldn’t be asking a patient about their insurance until they’re standing right in front of you to verify eligibility day-of.So I’m starting to think: Appointment data is not always accurate because it hasn’t happened yet. What happens when the patient doesn’t show up? How much noise is out there? Or if a patient brings their own PHR to onboard into a clinical system—are they actually going to keep that PHR up to date?We keep thinking about how to solve for this, or do we just abandon certain parts of the framework? That’s what I’ve been thinking about this week.Brad Thorson I think we should definitely talk about the clear tension between TEFCA (rails for all care providers) and CMS Aligned Networks. Potentially there’ll be some Payment & Operations (P&O) activity there.CMS Aligned Networks has a lot of participants that are PHRs or digital applications. We could talk for an hour about the tension between these two initiatives—speedboats versus raising all tides. I think what I’m most in doubt of is that we can drive co-opetition around a singular vision of what the check-in process is.I think something that CMS Aligned Networks should be doing is requiring that care delivery platforms expose what their process is. It should be less about agreeing on what the check-in process must be for everybody, and more about discoverability. It shouldn’t take a deep discovery process to understand what check-in at cardiology looks like at NYU versus Mount Sinai. Instead of trying to get competitors to define shared standards, what we really need is better discoverability of how the process actually happens.Pryce Ancona Totally. I took us straight down the rabbit hole. We were talking about CMS Aligned Networks and TEFCA generally, but in the work groups I’ve been in, as you go down any given rabbit hole—Kill the Clipboard, appointment notifications, gaps in care—you realize they’re all so niche and hard to solve because there’s a lack of trust between the parties. You realize that’s why TEFCA hasn’t accomplished these things yet. It’s not because it’s hard to encrypt data; it’s because it’s hard to convince parties to trust each other with a set of policies.Brendan Keeler It’s alignment on goals, right? If you view CMS Aligned Networks as this vehicle to roll things out nationwide, it doesn’t have the right levers. It is a convening function to say, “Hey, we’re gonna put CMS’s weight behind this initiative to convene on the really forward-facing things.” To pilot those, to rapidly iterate through QR code check-in ideas—that sets something that could then be used in TEFCA and rolled out more broadly.That’s the speedboats. The speedboats are zooming ahead. Some will crash on the island, some will find treasure. The tide will follow that, slowly but surely raising all boats.One thing I want to address regarding what Brad brought up about Payment and Operations: We got kind of an answer in another update from ASTP and the RCE this week. There was a February date for the requirement of Operations for quality, care management, and HEDIS—a mandatory response date. Since there’s very little point-to-point optional Operations volume today, everyone doubted it would happen. It would be a big blemish on the authority of the RCE to move things forward if they went to a mandatory date and nobody did it.So, they removed that in some of the proposed SOP updates we saw this week. They said, “We’re going to facilitate better exchange in the short term by allowing point-to-point operations for a couple of sub-use cases.” Some people think that’s a big “L” for them. I think the bigger “L” would have been charging towards a date that wasn’t going to happen.Brad Thorson All right, so much has happened this week. Let’s do a rundown. I feel like I need to put together my reading for the holiday break. Brendan, start us on Monday.Brendan Keeler It was really Tuesday with the TEFCA monthly call where we heard the update: new standard operating procedure iterations for Treatment, IAS, and Operations. The Operations one was the big one. They said payers and plans don’t need to do reciprocity to start. You can just pull unidirectionally with your partners. They’re trying to encourage any change to get anyone doing Operations over the network rails. Removing the requirement to put your claims back on the network is a good interim step.In that call, Steve also announced his post. And then today, we saw the ASTP put out a number of interesting information blocking notices. Pryce, you’re the one who found that—what did you see?Pryce Ancona An FAQ was added that basically says: If you are a business associate of a provider and you have a meaningful reason to access electronic health information, and the EHR says, “We don’t have an API for that, sorry, manner exception,”—now it’s clear.This is obviously a result of litigation like the PCC case. They’re saying, if that’s true, then a viable method to receive this information is to use robotic process automation (RPA), screen scraping, or whatever you want to call it. It’s okay not to support every possible data exchange permutation, but you can’t complain if somebody gets that data through a manner you don’t like (like RPA). That was hidden at the bottom of Steve’s blog post today.Brendan Keeler We also got news that Datavant might be rolled up into some mega corporation? It’s just an onslaught.Regarding the information blocking: Everything in there we kind of already knew, especially if you work with a consultancy that helps mix tech and policy. But if you don’t, the guidance from ASTP was useful to say: RPA is considered EHI unless there’s a manner exception.The crazy thing is that this is going to be challenged. We saw them challenged on this in HTI-2. They don’t have a statutory authority to say what is information blocking; they have statutory authority to say what is not information blocking (the exceptions). That nuance might be challenged here.Pryce Ancona I was going to say we got close to an actual court case where someone asks, “What source are you using?” and they would have said, “Brendan Keeler, the Health API Guy, said it was OK.” Now they’re going to point at the ASTP actual authority.Going back to the TEFCA meeting: I had forgotten that you can join the network right now and use Operations, but it is not mandatory to respond. A state Blues plan told me they specifically will never join TEFCA because of that reciprocal responsibility. Now you’re saying they can join and just harvest that data if they like?Brendan Keeler It’s all point-to-point now. “Harvest” has some connotations, but it would be testing out that pattern over TEFCA rails. In the SOP, it says the RCE will monitor this to see when it’s right to do reciprocity. The idea is: We’ve had the Operations SOP for over a year, nobody’s using it, so let’s encourage use. Getting any use and iterating is better than waiting another year.Brad Thorson There are a couple of other things that happened this week. You touched on HTI-5. Where is it? What do we expect?Brendan Keeler I am excited. I want to parse the supposedly 34 certification criteria being ripped out. Maybe we expect with HTI-6 we’ll see new API-forward criteria inserted. Dr. Keane said last week it was going to be this week, and now we’re past that. Maybe it drops at 6 PM today.We can expect de-certification of criteria that say “You must type down demographics” or “You must do quality measures with older formats.” They’re going to gut a lot of the intrinsic capabilities of the EHR certification. What will be contentious is the proposed cutting of things like DirectTrust support or quality measure support. They aren’t APIs, but they are established data transfer mechanisms. When you throw somebody’s baby out with the bathwater, that causes tension.Brad Thorson Just one quick follow-up. We see CMS programs really leaning into nationwide networks or tools like DirectTrust for ACCESS eligibility. Do you expect HTI-5 to be in line with what we’re seeing in the new CMS programs?Brendan Keeler I would say there’s strong alignment across CMS and ASTP. CMS is stepping into health technology in a leading way that we haven’t seen in prior administrations. Under the current administration, this is a major part of it. The CMS Health Tech Ecosystem has Trump showing up at it—that’s a change of tenor. And ASTP is working with the DOJ and FTC because their number one priority is information blocking.Pryce Ancona I want to make this practical. Looking at HTI-5, thinking about deregulation and the enablement of these networks—what are they trying to practically accomplish? Is the thesis that if we force health tech developers to be available enough to exchange information, we get organic competition that’s better for everyone?Brendan Keeler There are a couple of principles.* Data Portability: Consumer access is a consistent theme since HIPAA.* Co-opetition: A thriving ecosystem of tools for providers to choose from. This administration wants to allow for provider choice. If you don’t have a path to compete equally in terms of integrative capabilities, you must always choose the vertically integrated option (the EHR bundle). They want to change that.* Reduction of Switching Costs: EHI export and bulk export are geared towards reducing switching costs between systems of record (e.g., switching from Epic to Cerner).Pryce Ancona I’ve heard you preach that as data is more mobile, access to that data becomes a commodity. The question becomes: How are you adding value on top of that? We don’t want the fact that one EHR has access to data to be their competitive advantage. It’s interesting to see this commoditization of data exchange. EHRs will have to differentiate on how usable they are or how much insight they provide.Brad Thorson I’m not going to take us fully up the rails, but it sounds a bit like the AT protocol.Brendan Keeler Can you give a brief one-sentence explanation for the crowd?Brad Thorson The AT Protocol (developed at Twitter/X) allows the transportation of social media across different clients without a centralized database. Any organization can launch their own PDS (data storage) and tie up to a protocol layer.I wrote about “lexicons,” which is an AT protocol idea. If Blue Sky wanted to introduce video, they would publish a lexicon explaining how to store and represent that data. Other servers don’t have to adopt it, but if a lot of people want video, market pressure drives adoption.The challenge shifts from “I have proprietary data” to “I have a better user interface or algorithm.” The introduction of information blocking laws is opening us up to say it’s no longer about siloing data; it is about a superior experience.Brendan Keeler Two thoughts: One, Instagram and TikTok in one feed sounds like my hell. Two, it’s not unlike well-known smart configs and capability statements that FHIR Servers expose.Pryce Ancona The parallel I see is that mega-corporations used to colonize land; now they colonize your attention. It’s interesting to see patterns saying, “Let’s make the valuable asset the data exchange.” If everyone has access to the data supply, everyone has to find a different way to make it valuable. I’d love an app that was like Instagram but only showed me plants and my family.Brad Thorson We need quick thoughts. Epic Community Registries—hit us.Brendan Keeler Epic launched Community Registries. It allows registries to architect their data needs, deploy to partner health systems, and remove the pain of clinical data abstraction. It threatens third parties that facilitate registry abstraction. We’ll see if it hits the same headwinds as other Epic “Health Grid” products.Brad Thorson Ron Wyden. What happened?Brendan Keeler My boy Ron Wyden is very privacy-focused. He reached out to Epic, and they implemented controls in MyChart to allow patients to have agency over their data sharing. Now he’s putting pressure on other EHRs. There might be tinfoil hat theories about reproductive healthcare data privacy, but he’s historically a privacy hawk.Brad Thorson Last thing, heading into the holidays—you get one surprise. What is it? I’ll say: I hate defining workflows based on HL7 feeds. I’m keeping my fingers crossed for a FHIR subscriptions surprise. Pryce?Pryce Ancona Low-hanging fruit, but I would love to see HTI-5. Every time something comes out from the ASTP, I just eat it up.Brad Thorson That sounds like you’re trying to avoid your in-laws this holiday.Pryce Ancona Don’t tell them that.Brendan Keeler I’ll take an information blocking enforcement action for 500. With that, thank you everyone. That’s the end of our Not-A-Podcast. We’ll see you after the holidays. Get full access to Health API Guy at healthapiguy.substack.com/subscribe