Application Programming Interfaces in Health IT

Avinash Shanbhag and John Bender | June 11, 2020

Application programming interfaces (APIs) are powerful tools that help support interoperability in healthcare. Simply put, APIs allow a software “Application A” to interact with a software “Application B” without Application A needing to know how Application B’s software is designed internally. APIs can be used for several things, including the ability for software applications to share information. From the example above, Application A could request information from Application B or ask Application B to place a pushpin on a map at a specific longitude and latitude. In other words, think of an API like a “data concierge.” API-based exchanges have become commonplace in our everyday life, from mobile banking to booking a plane ticket, from downloading media to shopping online. Naturally, as adoption of electronic health records (EHRs) continues to expand, it is essential for APIs to play an increasing role with respect to healthcare interoperability.

There are a multitude of ways that APIs can help redesign how healthcare providers and patients interact with health information through health information technology (health IT). The adoption and use of standards for APIs (like HL7® Fast Healthcare Interoperability Resources (FHIR®), OAuth 2.0, and OpenID Connect 1.0) can facilitate interoperability and serve as a catalyst for innovation and support the development of new technologies and use cases. ONC included a requirement in the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (21st Century Cures Act Final Rule) that health IT certified through the ONC Certification Program must have standardized APIs for patient and population services. We will cover the details of the standardized API for patient and population services certification criterion finalized in § 170.315(g)(10) in another blog post, but for now, we’ll focus on the Conditions and Maintenance of Certification requirements finalized in the 21st Century Cures Act Final Rule that apply to health IT developers certified to any of the API criteria in 42 C.F.R. §§ 170.315(g)(7), (g)(9), (g)(10) of the ONC Certification Program.

API Conditions and Maintenance of Certification

These conditions address certain transparency and business requirements for health IT developers participating in the ONC Health IT Certification Program. Per the 21st Century Cures Act and through the Final Rule’s API Conditions and Maintenance of Certification requirements, ONC seeks to minimize the “special effort” necessary for healthcare providers, patients, and their authorized representatives to access, exchange, and use electronic health information via certified API technology. It is important to note that these API Conditions and Maintenance of Certification requirements only apply to developers of certified API technology and do not generally apply to other software interfaces.

The API Conditions of Certification requirements established in the 21st Century Cures Act Final Rule specifically address:

  • Transparency – This condition sets specific requirements on certified API developers for transparency about the business and technical documentation necessary to interact with their certified API technology.
  • Fees – This condition sets criteria for allowable fees and boundaries for the fees certified API developers are permitted to charge for the use of the certified API technology and to whom those fees could be charged.
  • Openness and Pro-Competitiveness – These conditions set business requirements that certified API developers have to comply with for their certified API technology to promote an open and competitive marketplace.

Further, the 21st Century Cures Act Final Rule establishes API Maintenance of Certification requirements that address ongoing requirements that must be met by certified API developers and their secure, standards-based certified API. These include:

  • Authenticity Verification – A Certified API Developer is permitted to institute a process to verify the authenticity of application developers so long as such process is objective and the same for all application developers and completed within ten business days.
  • Application Registration – A Certified API Developer must register and enable all applications for production use within five business days of completing the authenticity verification.
  • Service Base URL Publication – Certified API developers are required to publish service base URLs for all its customers that can be used by patients to access their electronic health information. These are often called “FHIR endpoints” – meaning the location at which a FHIR server can be accessed. An app a patient would use to download their electronic health information would need to know what their healthcare provider’s FHIR endpoint is in order to connect to it.

Additionally, there are a couple of API Maintenance of Certification requirements in the 21st Century Cures Act Final Rule that apply to health IT developers with health IT currently certified to API criteria:

  • Rollout of 170.315(g)(10)-certified APIs – Certified API Developers with certified API technology previously certified to § 170.315(g)(8) must provide all API Information Sources with such certified API technology deployed with certified API technology certified to the certification criterion in § 170.315(g)(10) by no later than May 2, 2022.
  • Compliance for existing certified API technology – Developers that are currently certified to API-focused criteria specified in the 2015 Edition Health IT Certification Criteria are also required to comply with the API Conditions of Certification requirements finalized in § 170.404(a).

Access Without Special Effort

Implementing these rules of the road, similar to other industries, will help ensure that these APIs are made available in a way that is safe and secure, affordable for providers, accessible for patients and financially viable for both current EHR developers and app entrepreneurs who meet market needs. Most importantly, these API Conditions and Maintenance of Certification will help make electronic health information (specifically the United States Core Data for Interoperability (USCDI)) available for healthcare providers and patients without “special effort.” Standardized APIs will help patients understand their care and possible treatment options, and will enable them to make more informed decisions when shopping for healthcare – putting patients at the center.

ONC recently held a recorded question-and-answer webinar on APIs. For this and more information on APIs, the 21st Century Cures Act Final Rule, and other resources, please visit HealthIT.gov/curesrule.