New health care data-sharing rule, coming in 2022, has its roots at Boston Children’s Hospital

EHR data sharing rules concept
"Information is more powerful when shared," says Ken Mandl, MD, MPH, principal author of the new rules. (Image: Adobe Stock; Illustration: Sebastian Stankiewicz, Boston Children's)

Are you sick of health care systems not communicating with each other? Do you wish you could access more of your medical information — or your patients’ information — online? Do you ever wonder whether a health pattern you see is part of a larger trend? Two key developments have advanced the vision of seamless, secure exchange of electronic health records (EHRs) among health care institutions and patients.

That vision includes being able to learn from our data at a population scale. Through federal regulations issued this year, it will finally become reality in 2022. And the vision began at Boston Children’s Hospital more than a decade ago.

“Information is more powerful when it’s shared,” says Kenneth Mandl, MD, MPH, director of Boston Children’s Computational Health Informatics Program (CHIP). “These developments will be transformative, because right now data are very hard to get from EHRs.”

Liberating health care data

In March 2020, the U.S. Department of Health and Human Services (HHS) finalized a rule on health care data exchange, per the 21st Century Cures Act. The new rule will make it possible for patients to access their records digitally from any provider, organize the information in smartphone apps, and share their health data with other providers — thanks to an application programming interface, or API, originally developed by Mandl’s team.

A second API in the HHS rule takes data exchange population-wide. Duly authorized users at any health system will be able to aggregate EHR data in bulk to measure care and costs, investigate disease patterns, monitor population health trends.

Data for the people

Early on, Mandl and CHIP founder Isaac Kohane, MD, PhD, who now chairs Harvard Medical School’s Department of Biomedical Informatics, were frustrated with EHRs. Patients’ health information was largely trapped inside proprietary health IT systems. Families had to jump through hoops to access and share their data. Patients with complex medical conditions, who often see specialists at multiple institutions, were lugging printouts of their health records from appointment to appointment.

In 2009, writing in The New England Journal of Medicine, Mandl and Kohane called on the Federal government to adopt a common, open-source digital information platform that would be compatible with software apps from multiple developers. In 2010, they received federal funds to develop the “SMART on FHIR” API to enable digital data exchange. FHIR, or “Fast Health Interoperability Resources,” is a standard, modern approach to storing and accessing health care data.

Ken Mandl and Isaac Kohane call for a common health care data sharing platform
Mandl and Kohane called for a common health care data sharing platform in 2009.

As the project began to take off, Mandl worked with U.S. legislators to get language into the 21st Century Cures Act requiring that health systems use a standardized API for their EHRs. When the Act became law at the end of 2016, it called for “all electronically accessible health information” to be accessed, exchanged, and used “without special effort on the part of the user.”

“Push-button” population health

The new HHS rule enforces people’s right to access a “computable” version of their medical record, and makes FHIR the language of sharing. Starting in 2022, an app for a patient or provider, written once, will be able to run anywhere in the health care system and access all elements of a patient’s electronic data. The SMART App Gallery features a growing number of apps being developed to meet this challenge.

But Mandl has a broader vision: a “learning health care system” that could gather and analyze EHR data at scale and enable new scientific discoveries, a concept known as push-button population health.

“If we’re going to have a learning health system, we need to be able to understand the outcomes of our patients and how those outcomes relate to the care we delivered, their genes, and their environment,” Mandl says.

President Obama signs the 21st Century Cares Act into law
President Obama signs the 21st Century Cares Act into law, as shown on CSPAN.

Work on the second API started just three years ago. The SMART/HL7 Bulk Data Export API, created by Mandl’s team, was made into an international standard by the nonprofit Health Level Seven International. It provides an open specification for extracting health data from any EHR, and exports data in the same format every time as a single file called “Flat FHIR.” Support for the API is universally required for any EHR, and an ecosystem across government, industry and academia has already sprung up offering add-on services.

Pitfalls of health care data sharing?

Mandl and Kohane acknowledge that unleashing patient data entails risks, including privacy and insurability risks. Predatory app companies could lure patients to share health data to serve their business ends. Commercial interests could form private data monopolies and charge fees for patient data. A digital divide could emerge in which some patients can more readily access their digital records than others. And security breaches could undermine public trust.


A look back at CHIP’s storied history and how its ideas have influenced the health care system. 

Writing last May in The New England Journal of Medicine, Mandl and Kohane called for more consumer protections beyond what the current, outdated HIPAA law provides. “The diversity of uses for these data has resulted in a market that may not always advance patients’ and society’s priorities,” they write.

Related: Privacy protections to encourage use of health-relevant digital data in a learning health system (Nature Digital Medicine)

Power to the patients

The roots of health care data-sharing at Boston Children’s actually go back more than 25 years — to 1994, when CHIP and collaborators in the MIT Lab for Computer Science proposed health information systems controlled by patients themselves, supported by a “Guardian Angel.” That patient-centric vision underpins today’s personally controlled health record systems.

For now, patient-controlled EHRs aren’t yet universal. But since 2018, Apple’s iPhone Health app, which uses SMART on FHIR to connect to over 600 health systems, sets a prime example. With the new data-sharing rule, patient-centric systems could become much more widespread.

“Standardization enabled the creation of the World Wide Web,” says Mandl. “In health care, the new SMART/FHIR APIs are simple and powerful standardized tools that enable the interoperability of IT systems and data, so that innovation can bloom across the health and public health systems.”

Learn more about CHIP and its research.

Share this: