Module 10 · Part 3 · Data Collection
Patient-Reported Data & the 21st Century Cures Act
Understand how the 21st Century Cures Act creates participant rights to access their EHR data via APIs, and how your registry can leverage this.
Patient Registries 101 · Dr. Danielle Boyce · EpilepsyLive
The 21st Century Cures Act
- The 21st Century Cures Act (passed 2016, final rules 2020 to 2021) transformed participant data access.
Information Blocking Prohibition
- EHR vendors and health systems are prohibited from blocking patient access to their electronic health information.
- Participants have the right to access their complete EHR data in electronic form
- Health systems cannot charge unreasonable fees for this access
- EHR vendors must provide standardized API access
Mandatory FHIR APIs
- All EHR vendors certified under ONC's 2015 Edition must now implement FHIR R4 APIs allowing patient access via SMART on FHIR.
- This is transformative for patient registries.
How it works
- OAuth 2.0 is the authorization protocol that makes patient-directed data access secure.
- Authorization Request: Your registry redirects the participant to their EHR's authorization server
- Participant Authentication: The participant logs in to their patient portal (e.g., MyChart)
- Consent: The participant reviews and approves the specific data types your registry is requesting
- Authorization Code: The EHR returns a short-lived authorization code to your registry
- Token Exchange: Your registry exchanges the code for an access token
How it works (cont.)
- Data Access: Your registry uses the access token to call FHIR APIs and retrieve the participant's data
- The participant can revoke this authorization at any time.
Scopes, What you can request
- SMART on FHIR uses OAuth 2.0 scopes to define what data an app can access
- Request only what you need.
Direct from Participant: The Registry Opportunity
- The Cures Act creates a direct path from participant to registry that bypasses institutional barriers
- Participant enrolls in your registry
- Participant clicks "Connect my health records"
- Participant logs in to their EHR portal and authorizes specific data sharing
- Registry receives structured FHIR data directly, diagnoses, labs, medications
- Data updates automatically as new information appears in the EHR
Direct from Participant: The Registry Opportunity (cont.)
- No health system agreement required.
- Important caveat. While no health system agreement is needed for patient-directed access, your registry still needs IRB approval covering the collection and use of EHR data obtained through patient…
Health Apps and the Patient Portal Ecosystem
- Major patient portal apps now support patient-directed FHIR access
- Apple Health Records , iOS users can aggregate records from thousands of institutions; data can be exported in FHIR format
- CommonHealth (Android) , a nonprofit, Apple-Health-style aggregator from The Commons Project. Its consumer app has effectively wound down, so treat it as historical rather than a current integratio…
- Particle Health , Aggregates participant records from 270M+ participant records nationally via CareQuality and CommonWell networks
- Some registries integrate with these aggregators rather than building direct EHR connections, significantly reducing development complexity.
Using Bulk FHIR for site level data
- For clinical sites that agree to participate in your registry as data contributors, FHIR Bulk Data allows the site to export FHIR data for all consented participants at once, rather than participan…
- This requires
- Site participation agreement
- BAA with the health system
- IRB approval covering the health system
Testing your FHIR implementation
- Before going live, test against public FHIR sandboxes
- SMART on FHIR App Launcher
- Inferno , ONC's official FHIR testing tool
- Epic, Cerner, and Athena all provide developer sandboxes
Key resources
- ONC 21st Century Cures Act Final Rule
- SMART App Launch Framework
- Apple Health Records
- CommonHealth
- ONC Cures Act Developer Resources
- ← Module 9 | Module 11: Designing Questionnaires →
Network exchange: TEFCA and Individual Access Services (IAS)
- ASTP/ONC. The federal health-IT office formerly called ONC was renamed ASTP/ONC (Assistant Secretary for Technology Policy / Office of the National Coordinator) in July 2024. It administers the fra…
- TEFCA , the Trusted Exchange Framework and Common Agreement sets a nationwide floor for health-data exchange. It runs through Qualified Health Information Networks (QHINs) that connect participatin…
- Individual Access Services (IAS) , the TEFCA pathway that lets a person use an app or service of their choice to request their own records across participating providers, after identity verificatio…
- In practice, portal login (SMART on FHIR), C-CDA download, HIPAA authorization, and TEFCA/IAS usually run through a vendor or platform rather than being wired directly into a registry.