US Healthcare Interoperability — Accountability Matrix
Current as of May 2026. Organized by lane: Provider/EHR, Payer, Patient-mediated, Cross-cutting.
Introduction
Spend a week in US healthcare interop and you'll start hearing sentences like "Da Vinci requires PDex," "FHIR mandates US Core," or "ASTP is the new ONC." Each one is wrong in a slightly different way, and the reason is the same: people talk about every acronym in the space — CMS, ONC, OCR, FTC, HL7, X12, NCPDP, Da Vinci, CARIN, Sequoia, QHIN, TEFCA — as if they sit on the same plane of authority. They don't. The landscape is actually four distinct layers stacked on top of each other: statutory regulators who can compel through rulemaking; standards bodies who can only publish specs; FHIR accelerators who write implementation guides that have no legal force until a regulator adopts them by reference; and exchange governance bodies who run networks under contract. Once you see those four layers, the regulatory picture becomes navigable — and most of the confident-sounding claims in vendor decks turn out to be category errors. The chain of accountability is almost always the same shape: statute → regulator → final rule → IG (often from an accelerator, published under HL7) → certified product or contracted entity → covered org. What follows lays this out by lane (provider/EHR, payer, patient-mediated, plus the cross-cutting privacy floor), names the actual org behind each major mandate, and flags what's shifted just in 2024–2026: HTI-2 was largely withdrawn, ONC reverted from its short-lived ASTP rename, CMS-0053-F was finally finalized for claims attachments only, and the non-HIPAA wellness layer is now increasingly governed by the FTC and state attorneys general rather than HHS.
How to read this
Four kinds of entities appear. Don't conflate them.
| Type | Power | Examples |
|---|---|---|
| Statutory regulator | Compels via rulemaking; enforces via penalties or funding | CMS, ONC, OCR, FTC, FDA, SAMHSA |
| SDO | Publishes standards. No enforcement of its own. | HL7, X12, NCPDP, SNOMED Int'l, Regenstrief |
| FHIR Accelerator / IG author | Publishes implementation guides. Enforcement only if a regulator adopts the IG by reference. | Da Vinci, CARIN, Gravity, FAST |
| Exchange governance | Operates a network. Power flows from contract + regulatory recognition. | Sequoia/RCE, QHINs, Carequality, CommonWell |
Real chain of accountability: statute → regulator → final rule → IG (often from an accelerator, published under HL7) → certified product or contracted entity → covered org. When someone says "Da Vinci requires X," they're wrong. CMS or ONC requires X via a Da Vinci IG.
Quick orientation — who does each lane touch?
| Lane | Primary obligated party | Primary regulator(s) | Primary enforcement lever |
|---|---|---|---|
| Provider / EHR | EHR vendors + providers using certified IT | ONC (certification), CMS (Promoting Interop), OIG (info blocking) | Decertification; Medicare reimbursement disincentives; CMPs |
| Payer | MA, Medicaid FFS/MC, CHIP MC, QHP issuers on FFEs | CMS | Contract sanctions; CMPs; MA STAR rating exposure |
| Patient-mediated | Both EHR vendors and payers (must expose APIs); + non-HIPAA apps that consume them | ONC (EHR), CMS (payer), FTC (non-HIPAA apps) | Decertification; CMS contract sanctions; FTC §5 penalties |
| Cross-cutting | Everyone touching PHI/EHI | OCR, OIG, SAMHSA, state AGs | OCR penalties; criminal referral; state AG actions |
Lane 1 — Provider / EHR side
Mandates that target EHR vendors and the providers using them
| Mandate | Rulemaker | Enforcer | Required of | Key dates | Penalty |
|---|---|---|---|---|---|
| ONC Health IT Certification §170.315(g)(10) "Standardized API for Patient and Population Services" | ONC | ONC-ACBs (Drummond, ICSA Labs, SLI) | Health IT developers seeking certification | In force | Decertification |
| HTI-1 Final Rule | ONC | ONC-ACBs | Certified developers | Final Jan 2024; rolling through Jan 2028 | Decertification |
| HTI-2 (finalized portions) | ONC | ONC-ACBs + RCE | Certified developers; Info Blocking actors | Effective Jan 2025 | Decertification + Info Blocking CMPs |
| HTI-4 | ONC | ONC-ACBs | Certified developers | Final Jul 2025 | Decertification |
| HTI-5 (proposed, deregulatory) | ONC | TBD | Certified developers | Comment closed Feb 27 2026; not final | Removes 34/60 EHR cert criteria; FHIR-Forward pivot |
| Information Blocking — provider disincentives | ONC (definitions); CMS (disincentives) | CMS | Hospitals, MIPS clinicians using certified EHR | Effective Jul 2024 | Loss of Medicare Promoting Interoperability credit |
| CMS Promoting Interoperability Program | CMS | CMS | Hospitals + MIPS-eligible clinicians | Annual reporting cycles | Reduced Medicare reimbursement |
| CMS-0057-F Provider Access API receipt | CMS | CMS | Providers receiving payer-pushed data (operationally) | Jan 1 2027 | Indirect — affects PA workflows |
Standards/IGs in the EHR lane
| Artifact | Author | What it does | Required by |
|---|---|---|---|
| FHIR R4 | HL7 | Base spec | Foundation for everything below |
| US Core | HL7 | National FHIR profile baseline | ONC g10; v6.1.0 baseline as of Jan 2026 |
| USCDI v3 | ONC | What data classes must be exchangeable | ONC certification (current baseline) |
| USCDI v4 | ONC | +20 data elements (SDOH, BH) | Voluntary only (HTI-2 mandate withdrawn Dec 2025) |
| SMART App Launch | HL7 | OAuth2 + scopes for FHIR app auth | ONC g10 |
| Bulk Data Access (Flat FHIR) v2 | HL7 | $export for population-level FHIR | ONC g10; CMS Provider Access; TEFCA |
| C-CDA R2.1 | HL7 | XML clinical doc format | ONC certification; CMS-0053-F attachments |
| HL7 v2 | HL7 | Legacy ADT/ORU/ORM messaging | Workhorse of clinical messaging; not required by Cures rules |
| Da Vinci CDex | Da Vinci | Clinical data exchange (provider→provider/payer) | Optional; supports PA workflows |
| Da Vinci CRD | Da Vinci | CDS Hooks at point-of-order to surface PA need | Recommended by CMS-0057-F (provider-facing) |
| Da Vinci DTR | Da Vinci | SMART app to gather PA documentation | Recommended by CMS-0057-F (provider-facing) |
| NCPDP SCRIPT | NCPDP | E-prescribing | Medicare Part D; Promoting Interop |
Lane 2 — Payer side
Mandates that target health plans
| Mandate | Rulemaker | Enforcer | Required of | Key dates | Penalty |
|---|---|---|---|---|---|
| CMS-9115-F (Interop & Patient Access) | CMS | CMS plan oversight | MA, Medicaid FFS/MC, CHIP, QHP issuers on FFEs | Patient Access API live since Jul 2021 | Plan compliance actions; contract sanctions |
| CMS-0057-F — operational requirements | CMS | CMS | MA, Medicaid FFS/MC, CHIP MC, QHP issuers on FFEs | Jan 1 2026: PA decision timeframes (72hr urgent / 7d standard); denial reason transparency; Patient Access API metrics reporting | Contract sanctions; CMPs; MA STAR rating |
| CMS-0057-F — API requirements | CMS | CMS | Same as above | Jan 1 2027: Patient Access API expansion (PA info); Provider Access API; Payer-to-Payer FHIR API; Prior Auth API; public PA metrics reporting | Contract sanctions; CMPs |
| CMS-0053-F (Claims Attachments) | CMS NSG | CMS | All HIPAA-covered plans + providers | Final Mar 24 2026; compliance ~Mar 2028 | HIPAA Admin Simplification penalties |
| HIPAA Admin Simplification — transactions | OCR + CMS NSG | OCR + CMS | All covered plans | In force | CMPs |
Standards/IGs in the payer lane
| Artifact | Author | What it does | Required/cited by |
|---|---|---|---|
| X12 837 | X12 | Claim submission | HIPAA mandatory |
| X12 835 | X12 | Remittance | HIPAA mandatory |
| X12 270/271 | X12 | Eligibility inquiry/response | HIPAA mandatory |
| X12 276/277 | X12 | Claim status | HIPAA mandatory |
| X12 278 | X12 | Prior authorization | HIPAA mandatory; FHIR-PAS wraps it |
| X12 275 / 277 v6020 | X12 | Claims attachments + RFAI | CMS-0053-F (mandatory ~Mar 2028) |
| Da Vinci PDex | Da Vinci | Patient/Provider/Payer-to-Payer FHIR data | Recommended by CMS-0057-F |
| Da Vinci PAS | Da Vinci | FHIR-wrapped X12 278 PA submission | Recommended by CMS-0057-F (PA API) |
| Da Vinci CRD | Da Vinci | Coverage requirements at point of order | Recommended by CMS-0057-F (payer authors the rules) |
| Da Vinci DTR | Da Vinci | Documentation gathering for PA | Recommended by CMS-0057-F (payer authors templates) |
| Da Vinci HRex | Da Vinci | Foundational profiles for Da Vinci IGs | Building block |
| Da Vinci Plan-Net / Provider Directory IG | Da Vinci | FHIR provider directory | CMS-9115-F Provider Directory API |
| Da Vinci ATR | Da Vinci | Member attribution for VBC | Voluntary; VBC programs |
| Da Vinci RA / DEQM | Da Vinci | Risk adjustment / quality measures | Voluntary; HEDIS digital |
| CARIN BB (Blue Button) | CARIN | Consumer-facing claims/EOB FHIR | CMS-9115-F Patient Access API |
| NCPDP Telecom | NCPDP | Pharmacy claims | HIPAA mandatory |
Lane 3 — Patient-mediated
Mandates that govern data flow to patient-controlled apps
| Mandate | Rulemaker | Enforcer | Obligated party | Key dates | Penalty |
|---|---|---|---|---|---|
| CMS-9115-F Patient Access API | CMS | CMS | Payers (MA, Medicaid, CHIP, QHP) | Live since Jul 2021 | Contract sanctions |
| CMS-0057-F Patient Access API expansion | CMS | CMS | Same payers; adds prior auth info | Jan 1 2027 | Contract sanctions |
| ONC §170.315(g)(10) Patient-facing API | ONC | ONC-ACBs | EHR vendors → flows to providers via Promoting Interop | In force | Decertification |
| TEFCA Individual Access Services (IAS) | ONC + RCE | RCE | QHINs and Participants offering IAS | In force; voluntary participation | Termination from TEFCA |
| FTC Health Breach Notification Rule (HBNR) | FTC | FTC | Vendors of PHRs + PHR-related entities not covered by HIPAA (health apps, wearables, connected devices, fitness trackers) | Original 2009; major amendments effective Jul 29 2024 | FTC §5 civil penalties (~$51,744/violation, 2024) |
| FTC Act §5 (UDAP) | FTC | FTC | Any non-exempt entity, including digital health regardless of HIPAA status | In force | Civil penalties + injunctive relief |
| State consumer health privacy laws | State legislature | State AG (+ private right of action in WA) | Non-HIPAA digital health entities collecting state residents' health data | Rolling 2024–2026 | Civil penalties; treble damages (WA) |
Standards/IGs in the patient-mediated lane
| Artifact | Author | What it does | Required/cited by |
|---|---|---|---|
| SMART App Launch (Standalone Patient Launch) | HL7 | OAuth2 flow for patient-authorized apps | ONC g10; CMS Patient Access API |
| CARIN BB | CARIN | Patient-facing claims/EOB FHIR profiles | CMS-9115-F Patient Access API |
| CARIN CDPCDE | CARIN | Consumer-Directed Payer Data Exchange | Building block for CMS-0057-F P2P |
| Da Vinci PDex (Patient Access slice) | Da Vinci | Clinical FHIR profiles for member-facing data | Recommended by CMS-0057-F Patient Access |
| HL7 IPS (Int'l Patient Summary) | HL7 | Cross-border summary | Not US-mandated; relevant for global ops |
| Apple HealthKit / Google Health Connect | Apple/Google | Mobile SDKs that consume FHIR + ingest device data | Voluntary; de facto patient-side rails |
| TEFCA QTF v2.0 / FHIR Roadmap | RCE | Network-layer rules for IAS via QHINs | TEFCA participation |
The non-HIPAA gap
This is where your diagram's "HIPAA covered? → no" branch lives. The orgs and rules:
- FTC HBNR picks up health apps, wearables, connected devices, period trackers, and any "vendor of personal health records" not covered by HIPAA.
- FTC Act §5 is the catch-all — applies to any company that misleads consumers about health data practices, even if HBNR doesn't.
- State health privacy laws are the fastest-growing layer and now reach more broadly than HIPAA in WA, NV, CA, NY, and CT.
Lane 4 — Cross-cutting (hits all three lanes)
| Mandate | Statutory basis | Rulemaker | Enforcer | Who must comply | Key dates | Penalty |
|---|---|---|---|---|---|---|
| HIPAA Privacy/Security/Breach Notification | HIPAA 1996 + HITECH 2009 | OCR | OCR + State AGs | Covered entities (providers, payers, clearinghouses) + Business Associates | In force | Tiered CMPs up to $2M/yr per category; criminal referral |
| 42 CFR Part 2 | PHSA §543 | SAMHSA + OCR | OCR | Federally assisted SUD treatment programs | Final Apr 2024; full compliance Feb 16 2026 | OCR penalties + criminal |
| Information Blocking | 21st Century Cures §4004 | ONC (definitions); OIG (penalties) | OIG (developers, HINs); CMS (provider disincentives) | Health IT developers, HINs/HIEs, healthcare providers | Effective Apr 2021; OIG penalties Sep 2023; provider disincentives Jul 2024 | Up to $1M/violation (devs/HINs); Medicare Promoting Interop disincentive (providers) |
| TEFCA Common Agreement v2.0 | Cures Act §4003 | ONC + RCE | RCE; ONC | QHINs (8 designated), Participants, Subparticipants — voluntary | Stage 1 live; Stage 2 rolling 2024–2026; Stage 3 piloting from 2025 | Termination from TEFCA; loss of "Manner Exception" safe harbor under Info Blocking |
| FDA SaMD / PCCP / GMLP | FD&C Act §513, §201(h); Cures §3060 | FDA CDRH | FDA | Software-as-a-Medical-Device manufacturers; AI/ML-enabled device makers | PCCP final guidance 2024 | Recall; warning letters; criminal referral |
Org glossary (terse, grouped by type)
Federal regulators
| Org | Role |
|---|---|
| HHS | Cabinet department. Parent of CMS, ONC, OCR, FDA, SAMHSA, CDC, NLM, AHRQ. |
| CMS | Runs Medicare/Medicaid/CHIP/Marketplace. Owns CMS-9115-F, CMS-0057-F, CMS-0053-F. Has rulemaking power over plans and participating providers. |
| ONC | Runs the Health IT Certification Program; defines USCDI; co-administers Information Blocking; oversees TEFCA. (Renamed ASTP/ONC Jul 2024 → reverted to ONC Mar 2026.) |
| OCR | HHS Office for Civil Rights. Enforces HIPAA Privacy/Security/Breach + 42 CFR Part 2. |
| OIG (HHS) | Enforces Information Blocking penalties against developers and HINs. |
| FTC | Enforces Health Breach Notification Rule + Section 5 against non-HIPAA digital health (apps, wearables). |
| FDA (CDRH) | Regulates Software-as-a-Medical-Device, AI/ML devices, Predetermined Change Control Plans. |
| SAMHSA | Owns 42 CFR Part 2 (substance use disorder records). |
| CDC | Public health data; eCR; defines public health reporting standards. |
| NLM | Hosts UMLS, RxNorm, US SNOMED CT license, VSAC. |
| AHRQ | USPSTF, CDS Connect, quality measure science. Not a rulemaker. |
| ONC-ACBs | Drummond, ICSA Labs, SLI Compliance. Issue ONC certifications under §170.315. |
Standards Development Organizations
| Org | Role |
|---|---|
| HL7 International | Publishes FHIR, C-CDA, V2. Hosts the FHIR Accelerator program. No enforcement. |
| X12 | Publishes HIPAA admin transactions (837, 835, 270/271, 276/277, 278, 275). |
| NCPDP | Pharmacy standards (SCRIPT for e-prescribing, Telecom for claims). |
| IHE USA | Profiles (XDS, XCA, etc.) used by HIEs and TEFCA legacy paths. |
| Regenstrief | Publishes LOINC. |
| SNOMED International | Publishes SNOMED CT (US license via NLM). |
FHIR Accelerators (HL7-hosted)
| Org | Role |
|---|---|
| Da Vinci Project | Payer–provider IGs. Outputs: PDex, PAS, CRD, DTR, HRex, CDex, Plan-Net/Provider Directory, PCT, DEQM, ATR, RA. |
| CARIN Alliance | Consumer-directed exchange IGs. Outputs: CARIN BB, CDPCDE. |
| Gravity Project | SDOH IGs. Output: SDOH Clinical Care IG. |
| HL7 FAST | Security/identity/scaling foundations (UDAP). Largely absorbed into other IGs. |
| CodeX | Oncology, cardiology IGs (mCODE). |
Exchange governance
| Org | Role |
|---|---|
| Sequoia Project | The Recognized Coordinating Entity (RCE) for TEFCA. Designates QHINs, manages Common Agreement. |
| QHINs | 8 designated as of 2025: CommonWell, eHealth Exchange, Epic Nexus, Health Gorilla, Kno2, KONZA, MedAllies, eClinicalWorks. |
| Carequality | Pre-TEFCA framework run by Sequoia. Many participants now also QHIN-affiliated. |
| CommonWell Health Alliance | Provider-network alliance; now a designated QHIN. |
| eHealth Exchange | Federal/VA/SSA-anchored network; now a designated QHIN. |
| State HIEs | State-run or state-designated networks. Highly variable. |
Quality & accreditation
| Org | Role |
|---|---|
| NCQA | Owns HEDIS; accredits health plans. Drives demand for FHIR Bulk + DEQM. |
| The Joint Commission | Hospital/ambulatory accreditation; CoP-adjacent leverage. |
State-level
| Org | Role |
|---|---|
| State AGs | Enforce state consumer health privacy laws + state DPAs. |
| State DOIs | Insurance commissioners; oversee plans below the federal floor. |
| State Medicaid agencies | Often impose FHIR mandates via managed care contracts faster than federal rules. |
State consumer health privacy layer (the post-Dobbs wave)
| Law | State | Effective | Reach (key trigger) | Covers what HIPAA misses | Enforcement | Distinguishing feature |
|---|---|---|---|---|---|---|
| My Health My Data Act (MHMDA) | WA | Mar 31 2024 (small biz: Jun 30 2024) | Any entity doing business in WA or targeting WA consumers; no revenue/volume threshold | Health apps, wearables, retail health adjacencies, location data, inferred health | WA AG + private right of action (treble damages up to $25K) | Broadest scope in US; geofencing ban around healthcare facilities |
| Consumer Health Data Privacy Law (SB 370) | NV | Mar 31 2024 | Similar to MHMDA but narrower | Same gap | NV AG only — no PRA | Mirror of MHMDA without the litigation risk |
| CMIA + AB 254 / AB 352 | CA | Pre-existing; expanded 2024 | Providers + "businesses organized for the purpose of maintaining medical info" | Mental health apps, reproductive data | CA AG + PRA | Expanded definition pulls in many digital health apps |
| CCPA / CPRA | CA | Effective; ongoing rulemaking | Businesses meeting CA thresholds | "Sensitive personal information" includes health; HIPAA carve-out for PHI only | CPPA + CA AG; limited PRA (data breaches) | Largest state DPA-style framework |
| SHIELD Act + reproductive privacy bills | NY | SHIELD: 2020; reproductive: 2024+ | Any entity holding NY resident private info | Broad data security + reproductive shield | NY AG | Reasonable security mandate; reproductive shield against out-of-state subpoenas |
| CTDPA + 2023 health amendment | CT | Health amendment: Oct 1 2023 | Standard CTDPA thresholds | Folds "consumer health data" into sensitive data | CT AG | Geofencing ban + opt-in for sensitive data |
| Comprehensive privacy laws (CO, VA, UT, TX, OR, MT, IA, IN, TN, DE, NJ, MN, MD…) | Various | Rolling 2023–2026 | Threshold-based | "Sensitive data" usually includes health | State AG (mostly) | Most don't single out health data; treat as sensitive subcategory |
What's not on the matrix but should be on your radar
- HIPAA Security Rule NPRM (Dec 2024) — proposed major overhaul (mandatory MFA, encryption at rest, network segmentation, asset inventories). Not finalized; status uncertain under HTI-5 deregulatory direction.
- CMS Promoting Interoperability Program — the actual leverage that turns ONC certification criteria into provider behavior. Hospitals and clinicians lose Medicare reimbursement points if their certified EHR doesn't expose required APIs.
- State Medicaid managed care contracts — increasingly the fastest path to mandate FHIR adoption sub-federally; outpaces federal rulemaking in some states.
- Joint Commission and NCQA — not regulators, but their accreditation requirements push providers and payers toward specific data capabilities (e.g., HEDIS digital → FHIR Bulk).
- CMS Innovation Center models (CMMI) — VBC contracts often impose interoperability requirements ahead of broad rulemaking (e.g., ACO REACH, Making Care Primary).
Software category landscape — mapping vendors to lanes and mandates
Caveat: vendor lists are illustrative as of 2026 and rot fast. Names change (Cerner → Oracle Health, Allscripts → Veradigm/Altera, Change → Optum). Use this for orientation, not procurement.
| Category | What it does | Lane(s) | Mandates that bite hardest | Example vendors (illustrative, 2026) |
|---|---|---|---|---|
| EHR & clinical systems | System of record for clinical encounters, orders, results. Includes acute, ambulatory, specialty EHRs and ancillary clinical (LIS, RIS/PACS, anesthesia info systems). | Provider/EHR (primary); feeds Patient-mediated and Payer (Provider Access) | ONC §170.315(g)(10), HTI-1/2/4/5, Information Blocking, CMS Promoting Interop, HIPAA, 42 CFR Part 2 (if SUD) | Acute/IDN: Epic, Oracle Health, Meditech. Ambulatory: Athenahealth, eClinicalWorks, NextGen, Veradigm, Greenway. Specialty: ModMed, Compulink, NexTech. OSS: OpenEMR, OpenMRS, Bahmni, Medblocks Ignite, Biograph HIS. Ancillary: Sunquest, Orchard, SCC (LIS); Epic Radiant, GE, Sectra (RIS/PACS) |
| FHIR data platforms / Clinical Data Repositories | FHIR-native data store; sits behind or alongside EHRs as middleware; powers apps and analytics. Often not ONC-certified directly. | Cross-cutting; can play any role | HIPAA via BAA; indirectly subject to ONC criteria via the systems they sit behind; CMS-0057-F payer FHIR build-outs | Medplum (OSS), Smile Digital Health, Firely Server, AWS HealthLake, Google Cloud Healthcare API, Azure Health Data Services, 1upHealth, HAPI FHIR (OSS), InterSystems IRIS for Health |
| Health Information Networks & integration middleware | Networks and aggregators that broker data across orgs; integration engines that translate formats (HL7v2 ↔ FHIR ↔ X12 ↔ CDA). | Cross-cutting (the rails) | TEFCA (if QHIN/Participant), Information Blocking (HINs are explicitly covered), HIPAA BAA | Aggregators/networks: Health Gorilla, Particle Health, Redox, Datavant, Bamboo Health. Engines: Mirth Connect / NextGen Connect, Rhapsody (Lyniate), InterSystems HealthShare, Orion Health. State HIEs: Manifest MedEx (CA), CRISP (MD/DC), Healthix (NY) |
| Clearinghouses & RCM | Translate provider claims into payer-acceptable transactions; handle eligibility, claim status, ERA; revenue cycle services. | Payer-side rails | HIPAA Admin Simplification (X12 transactions), CMS-0053-F (attachments, ~Mar 2028), HIPAA BAA | Clearinghouses: Optum (Change Healthcare), Availity, Waystar, Inovalon, Edifecs, Office Ally. RCM: Athena RCM, R1 RCM, Waystar, AdvancedMD, Tebra (formerly Kareo) |
| Payer systems | Core admin (member/provider/claims), benefits config, prior auth platforms, payer FHIR gateways. | Payer (primary); now expanding into Patient-mediated via mandated APIs | CMS-9115-F, CMS-0057-F, CMS-0053-F, HIPAA, state insurance laws | Core admin: HealthEdge HealthRules, TriZetto Facets, Cognizant TriZetto QNXT, HM Health Solutions, Edifecs, Inovalon. Payer FHIR/interop gateway: 1upHealth, Smile Digital Health, Onyx, Edifecs Smart Trading. Prior auth: Cohere Health, MCG (Hearst), InterQual (Optum), Banjo Health |
| Patient & consumer health apps | Patient-controlled apps for managing health data. Internal split matters. HIPAA-covered PHRs are tethered to a provider/payer. Non-HIPAA wellness/wearables are not — and that's where FTC HBNR and state laws apply. | Patient-mediated (primary) | HIPAA PHRs: HIPAA via the offering provider/payer; CMS Patient Access API consumers. Non-HIPAA wellness: FTC HBNR (Jul 2024 amendments), FTC Act §5, state consumer health privacy laws (WA MHMDA, NV CHDPL, CA CMIA expansion) | HIPAA-covered PHRs (offered by HIPAA entities): Epic MyChart / MyChart Bedside, Oracle Health Patient Portal, Athena Patient Portal, b.well Connected Health, CommonHealth (OSS, Android). Non-HIPAA wellness/wearables: Apple Health/HealthKit, Google Health Connect, Fitbit (Google), Oura, Whoop, Flo, MyFitnessPal, Strava, Headspace, Calm |
| Pharmacy & e-Prescribing | E-Rx software, pharmacy network, pharmacy claims, pharmacy management systems, PBM platforms. Own ecosystem with its own SDOs (NCPDP) and dominant network (Surescripts — effectively a private regulator). | Cross-cutting | HIPAA, NCPDP SCRIPT (Medicare Part D), DEA EPCS for controlled substances, state PDMP requirements, CMS Promoting Interop e-Rx measures | Network: Surescripts. e-Rx software: DrFirst, NewCrop, Veradigm ePrescribe. Pharmacy management: McKesson EnterpriseRx, Epic Willow, Oracle Health Pharmacy, RxBB. Retail pharmacy: CVS, Walgreens. PBMs: Express Scripts, Caremark, OptumRx |
| VBC / population health / quality analytics | Multi-source data aggregation; risk stratification; quality measure calculation; cost-of-care analysis. Consume from EHRs and payers, push insights back. | Cross-cutting | NCQA HEDIS digital, HIPAA BAA, CMS Innovation Center model contract requirements (ACO REACH, Making Care Primary, etc.) | Arcadia, Innovaccer, Health Catalyst, Lightbeam, Cotiviti, Apixio (Cohere), Optum Performance Analytics, Tuva Project (OSS). Risk adjustment specialists: Apixio, Edifecs, Inovalon |
Cross-category trends worth knowing
- Consolidation is collapsing the categories. Optum (UnitedHealth) now owns clearinghouse (Change), PBM (OptumRx), payer admin, prior auth (InterQual), analytics, and care delivery. Epic spans EHR, HIE (Care Everywhere → Nexus QHIN), patient app (MyChart), and is creeping into payer ops. Listing these companies under one category is increasingly inaccurate; they sit in 4–6.
- FHIR-native vs legacy is now the most useful axis for evaluating new builds. A category can be split into "FHIR-native built post-2018" (Medplum, Smile, 1upHealth, HealthEdge new lines) vs "legacy with FHIR facade" (Epic, Cerner, TriZetto, Inovalon). The regulatory mandates land the same way; the cost-to-comply does not.
- OSS is a real category in 2026, not a footnote. OpenEMR, OpenMRS, Bahmni, Medplum, HAPI FHIR, Tuva, CommonHealth represent durable infrastructure. From a regulatory standpoint they're treated identically to commercial; from an economics standpoint they unlock builds that wouldn't otherwise pencil out.
- The "non-HIPAA wellness" category is where the action is. This is the category that grew fastest 2020–2025 and where the regulatory framework (FTC HBNR, state laws) is still catching up. If your strategy involves wearables, period trackers, mental health apps, or AI symptom checkers, this row is doing more regulatory work than HIPAA is.
Atul-Kuruvilla
Github: pythonpen