Just because the APIs are published doesn't mean that the data is out there for any unauthenticated client to access. Of course HIPAA is important, but it is not a serious problem for interoperability.
I work on a SOA team for a large healthcare organization, so I'm well aware of the issues. The problem comes down to the usual case of entrenched vendors working to protect and expand their turf. EHR vendors are notorious for being terrible for interop—some are better than others, but they all see integrations as competing with their own offerings. Non-trendy methods of exposing data—SOAP, custom MUMPS code, direct SQL access—are the norm. That's not a problem, except that documentation is often incorrect or nonexistent (while being restricted to direct customers, of course), and the vendors really don't care about APIs. They see interop as a necessary bullet point on a sales sheet, but they'd rather not have those APIs be used in place of their (usually crappy) complementary apps that they're trying to upsell.
Interop is a HUGE win for patients. Without it, we lose one of the main advantages of EHRs—the ability to access our own information when we need it, and allowing the information to be fluidly shared between providers. Of course, privacy is paramount—but in my experience, interop is not the attack vector I'm most concerned about.
Well thank you for those remarks. It really doesn't change my assessment of the piece. He is basically arguing that his competitors aren't graciously handing over the reins so he can make bank. How shocking. Like him, other people want to protect their income stream.
He dismisses the presumed "cheap excuse" of HIPAA compliance given by someone who did not want to work with him. This does not give me confidence he takes HIPAA seriously. I had annual HIPAA training (as well as Gramm-Leach-Bliley) when I worked for a major insurance company for a few years. So I am not unfamiliar with HIPAA.
I work on a SOA team for a large healthcare organization, so I'm well aware of the issues. The problem comes down to the usual case of entrenched vendors working to protect and expand their turf. EHR vendors are notorious for being terrible for interop—some are better than others, but they all see integrations as competing with their own offerings. Non-trendy methods of exposing data—SOAP, custom MUMPS code, direct SQL access—are the norm. That's not a problem, except that documentation is often incorrect or nonexistent (while being restricted to direct customers, of course), and the vendors really don't care about APIs. They see interop as a necessary bullet point on a sales sheet, but they'd rather not have those APIs be used in place of their (usually crappy) complementary apps that they're trying to upsell.
Interop is a HUGE win for patients. Without it, we lose one of the main advantages of EHRs—the ability to access our own information when we need it, and allowing the information to be fluidly shared between providers. Of course, privacy is paramount—but in my experience, interop is not the attack vector I'm most concerned about.