understand

Why your records don't follow you (and what changed in law)

Updated 2026-07-18 · Level 1

Change dentists and somehow your X-rays start over from zero. Move states and your new doctor asks you to recite your own surgical history from memory. Your records exist — they're just stranded wherever they were created, in whatever format that system happened to use.

For decades this was legal-by-default. Your doctor's system had no obligation to speak the same language as the next doctor's system, and nobody was required to hand data over in a form computers could actually use. HIPAA — the privacy law everyone signs forms about — always gave you a right of access to your own records, but "access" often meant a paper printout or a CD, weeks later, sometimes with a copying fee.

Three legal changes rewired this:

The 21st Century Cures Act (2016, rules landing 2020–2023) made "information blocking" illegal — a provider, health IT vendor, or exchange can no longer sit on your electronic records without a legitimate reason. It also required systems to expose a standard programming interface (an API — the same mechanism your weather app uses to fetch the forecast), and that interface speaks FHIR.

The CMS Interoperability and Patient Access rule (CMS-9115-F, 2020) applied the same idea to insurers in federal programs: they must offer a Patient Access API so an app you choose can pull your claims and coverage data.

The CMS prior-authorization rule (CMS-0057-F) extends that plumbing to the most paperwork-heavy corner of healthcare — prior authorization — with payer APIs due January 1, 2027 for Medicare Advantage and Medicaid/CHIP plans.

None of this teleports your records automatically. What changed is that the walls are now legally required to have standard doors, and blocking the doorway carries penalties. The plumbing behind those doors — the standard building blocks and the way systems ask each other for data — is FHIR, which is what this site helps people build and test.

The honest caveat: laws set deadlines, not quality. A payer can stand up a technically compliant API that is slow, incomplete, or awkward. That gap between "compliant" and "actually useful" is exactly where testing tools matter.

Go to the source