The 21st Century Cures Act
The 21st Century Cures Act (passed 2016, final rules 2020 to 2021) transformed participant data access. Its key provisions for registries:
Information Blocking Prohibition
EHR vendors and health systems are prohibited from blocking patient access to their electronic health information. This means:
- Participants have the right to access their complete EHR data in electronic form
- Health systems cannot charge unreasonable fees for this access
- EHR vendors must provide standardized API access
Mandatory FHIR APIs
All EHR vendors certified under ONC's 2015 Edition must now implement FHIR R4 APIs allowing patient access via SMART on FHIR. This means that as of 2022, essentially every major EHR system, Epic, Cerner/Oracle, Meditech, Athenahealth, must support patient-directed FHIR data access.
This is transformative for patient registries. Participants can now legally direct their EHR data to any app or registry they choose, with their treating institution required to comply.
OAuth 2.0 and Patient Authorization
How it works
OAuth 2.0 is the authorization protocol that makes patient-directed data access secure. When a participant authorizes your registry to access their EHR:
- Authorization Request: Your registry redirects the participant to their EHR's authorization server
- Participant Authentication: The participant logs in to their patient portal (e.g., MyChart)
- Consent: The participant reviews and approves the specific data types your registry is requesting
- Authorization Code: The EHR returns a short-lived authorization code to your registry
- Token Exchange: Your registry exchanges the code for an access token
- Data Access: Your registry uses the access token to call FHIR APIs and retrieve the participant's data
The participant can revoke this authorization at any time.
Scopes, What you can request
SMART on FHIR uses OAuth 2.0 scopes to define what data an app can access:
patient/Condition.read - Patient's diagnoses
patient/Observation.read - Lab results, vital signs
patient/MedicationRequest.read - Prescriptions
patient/Procedure.read - Procedures
patient/DocumentReference.read - Clinical notes, C-CDA documents
Request only what you need. Requesting broad scopes reduces participant trust and authorization rates.
Direct from Participant: The Registry Opportunity
The Cures Act creates a direct path from participant to registry that bypasses institutional barriers:
- Participant enrolls in your registry
- Participant clicks "Connect my health records"
- Participant logs in to their EHR portal and authorizes specific data sharing
- Registry receives structured FHIR data directly, diagnoses, labs, medications
- Data updates automatically as new information appears in the EHR
No health system agreement required. No IRB coverage of the health system. The participant is exercising their own data rights.
Important caveat. While no health system agreement is needed for patient-directed access, your registry still needs IRB approval covering the collection and use of EHR data obtained through patient authorization.
Health Apps and the Patient Portal Ecosystem
Major patient portal apps now support patient-directed FHIR access:
- Apple Health Records, iOS users can aggregate records from thousands of institutions; data can be exported in FHIR format
- CommonHealth (Android), a nonprofit, Apple-Health-style aggregator from The Commons Project. Its consumer app has effectively wound down, so treat it as historical rather than a current integration target; verify any specific aggregator is still operating before relying on it.
- Particle Health, Aggregates participant records from 270M+ participant records nationally via CareQuality and CommonWell networks
Some registries integrate with these aggregators rather than building direct EHR connections, significantly reducing development complexity.
Practical implementation
Using Bulk FHIR for site level data
For clinical sites that agree to participate in your registry as data contributors, FHIR Bulk Data allows the site to export FHIR data for all consented participants at once, rather than participant-by-participant.
This requires:
- Site participation agreement
- BAA with the health system
- IRB approval covering the health system
Testing your FHIR implementation
Before going live, test against public FHIR sandboxes:
- SMART on FHIR App Launcher
- Inferno, ONC's official FHIR testing tool
- Epic, Cerner, and Athena all provide developer sandboxes