
Interoperability's next frontier: the Individual Access Layer

  • Writer: Amanda Berra

An Interview with Brendan Keeler, AKA 'Health API Guy'


Over the next few years, we all need to be tracking a new and highly active front in Health IT innovation and change: the emergence of an “individual access layer” that lets patients control how their data moves across tools and apps—and all the related healthcare industry ecosystem opportunities and risks that come with that new infrastructure. I’m talking about a new class of players, known as Individual Access Services (IAS) companies. These companies are backed by fresh capital, a reinforced Trusted Exchange Framework and Common Agreement (TEFCA)—an interoperability effort that we'll dive into later—and stepped‑up information‑blocking enforcement. We're also seeing rising demand for patient‑authorized data that flows into AI tools and consumer apps. All of this is working to turn patient‑directed exchange into a real market. If and as this real market solidifies, it will have strategic and operational consequences for everyone in the healthcare ecosystem.


To help make sense of what this “individual access layer” actually is, who the key players are, and what all of this means for health systems, I sat down with Brendan Keeler—better known as Health API Guy—for a quick tour of the landscape.

 

Brendan’s background and 'Health API Guy'


Amanda: Can you start by sharing a bit about your background—what do you do?


Brendan: I’m a consultant, a practice lead within the consultancy HTD Health. We build and develop products in the interoperability and EHR space. I’ve been doing this about ten years and came in to formalize our knowledge base and focus specifically on interoperability and the broader EHR ecosystem.

I started out at Epic, then Redox—the company that helps apps get connected to EHRs—then Zus Health, and finally Flexpa, where I was head of product focused on claims data.

Amanda: From where I’m sitting, you are also a very accomplished writer and analyst on the topic of health tech as Health API Guy. How did you get into publishing?


Brendan: At Redox, I began writing internally to educate our team, and our CEO, Luke Bonney, said, “Hey, you should work with marketing and put this out into the world.” There was appetite for it, but when a new CMO came in, the editing cycle stretched to eight weeks—too long for topical work. Luke said, “Why don’t you start a Substack?” That ended up being really productive for my career. It’s self‑selecting: the people who find it are the ones who want to go deep on this stuff.

Amanda: As a non-technologist, I love reading your articles as a way to make sure I’m tracking with important developments in health IT. Which brings me to today’s question…

What the individual access layer actually is


Amanda: Can you explain, for an audience who may be deeply experienced in healthcare generally but not in tech, what the individual access layer is?


Brendan: Inside an enterprise, between the point solutions and the EHR, there are all these other kinds of data exchange—like networks that connect provider organizations to each other. We’ve built massive networks to make that possible.

 

So for example, if you go to a health system like Mass General Brigham, and then you move and switch to another health system, say Novant Health, your record can move over to those new providers. Seventy‑five to eighty percent of providers are connected to Health Information Exchanges (HIEs) for the “treatment” purpose of use. That was last decade’s interoperability problem—it’s not entirely solved, but mostly.

[Term check for non‑technologists: Under HIPAA, “purpose of use” refers to the legal reason a “covered entity” (i.e., an entity covered by HIPAA, in this case, a provider) can share protected health information. The “treatment” purpose allows providers to exchange patient data with other providers for coordinating or delivering care.]


Now the question is: why is it so seamless for providers but not for patients?

If you want to use Google Fit or Apple Health to pull your data, you technically can, but you need to log into every portal—MyChart, etc.—and that’s not practical.

The next iteration is Individual Access. These services do identity proofing, like CLEAR at the airport or self-verification, and then pull all your records automatically through the HIE infrastructure. Under TEFCA, Individual Access Services are now explicitly recognized as a national “exchange purpose,” which means this is baked into the way the federal government expects networks to operate.


[Term check for non‑technologists: TEFCA stands for the Trusted Exchange Framework and Common Agreement. It’s a national policy and technical framework—created by the Office of the National Coordinator for Health IT (ONC). It sets out the rules and standards for how health‑information networks connect with one another. The goal is to make health‑data sharing work more like a single, trusted network of networks, so that providers, payers, and now patients (through Individual Access Services) can exchange information securely across systems.]

 

The current administration is hyper‑focused on this. It actually started under the previous one—consumerism and individualism are bipartisan ideas. So all the plumbing that was built for provider exchange is now being used to give patients the same frictionless access, with TEFCA governance and CMS’ updated interoperability rules pushing networks and payers to support patient‑facing APIs as part of a broader “Digital Health Ecosystem.”


[Infographic: three major components of the individual access layer of healthcare IT: identity proofing, data pulling, and patient-directed data flow]

Who’s an IAS company and what do they do?


Amanda: What are the major companies in this layer and what services do they offer?


Brendan: Some of the big companies include Flexpa, Fasten, and Zus. They are basically on‑ramps. They tell app developers, “You’re building a consumer application? We can get you connected to the network.”

They help you create a personal health record or an app that lets patients share clinical data for trials, or even mediate data to lawyers or other non‑HIPAA use cases. They provide a secure, identity‑proofed mechanism for that access.

 

It means you could pull your data into a tool like ChatGPT or share it with a permissioned third party. It opens up a lot of new possibilities. Flexpa, for example, has been selected as a CMS‑aligned network early adopter for patient‑access APIs and has launched tooling with partners like ID.me to combine patient‑authorized aggregation with reusable digital identity, explicitly framed as “killing the clipboard” and fighting AI‑driven fraud. Fasten, meanwhile, is integrating its medical‑record API into platforms such as Tulio Health’s CareCapture app, giving patients a consolidated record spanning tens of thousands of organizations and all major EHRs. Zus Health, which has raised on the order of $70–75M and partnered with companies like Elation Health and Canvas Medical, is positioning itself as the shared patient‑data layer that other digital health tools plug into. Taken together, these firms illustrate that the individual access layer is not just theoretical infrastructure—it is being built out as a real product category that developers and care‑delivery organizations can buy and integrate today.


[Image: examples of major Individual Access Services companies: Zus, Flexpa, and Fasten]

 

Obstacles and open questions


Amanda: So there's a growth opportunity for those companies. What are some of the challenges or open questions the industry will have to wrestle with as this kind of activity grows—for companies who want to be in this space?


Brendan: One of the major ones is, it’s really scary to health systems because they have HIPAA obligations. Once data flows to non‑HIPAA entities, it could go to the wrong person by accident. If there’s a breach, the system could still be blamed.

From their perspective, there’s no upside. It’s too frictionless. For health systems to feel safe, the HIPAA liability would need to shift to the apps—but that hasn’t happened yet in a clear, comprehensive way. Regulators are starting to signal expectations, though: TEFCA implementation guidance and some state‑level data‑exchange frameworks are beginning to require HIPAA‑level protections from certain non‑covered participants, including IAS actors, which hints at more explicit shared‑liability models in the future.


Separate from that, there’s also the issue of coverage. All the EHRs and providers have to turn these connections on. So far, only Epic, Meditech, Athena, and eClinicalWorks have started supporting these connections across major networks—others have not done so to the same extent. That unevenness in coverage is one reason IAS companies publish “state of the patient access API” reports that grade payers and platforms on how ready they are for consumer‑directed exchange.

 

Why don’t HIEs hold the liability?


Amanda: Going back to the provider liability issue—can you explain to me why the HIEs wouldn’t hold the legal accountability?


Brendan: The national HIEs are decentralized. The state HIEs are repositories—they actually store data. But the national ones are trust networks.

 

They’re basically saying, “You’re authorized to be here; you can pull data.” Carequality and CommonWell are examples—private, nonprofit collaborations founded by EHR vendors. Then there’s TEFCA—the newest one. It’s a public‑private collaboration run by The Sequoia Project, a nonprofit.

Those trust networks don’t carry HIPAA liability because they don’t store data. They just issue the trust certificate. The data flows directly from the provider to the app. So any breach or misuse would be on the app, not the network. You can understand why health systems have been resisting this. But information‑blocking rules and TEFCA participation incentives are going to drag them in, especially now that HHS has stood up a more coordinated enforcement regime.

The politics of IAS: health IT, individual access, and MAHA


Amanda: Can you explain why you think the administration is hyper‑focused on supporting individual access? I mean, from where we are sitting, the major priorities appear to be more populist in nature—for example, MAHA. (By the way, here’s where I explain that Union is strenuously non‑partisan. Every human here has their own opinions, but we view our role as just explaining what’s happening so everyone else can use that information as they see fit.)

Brendan: MAHA—Make America Healthy Again—is all about patient empowerment and taking the reins off. Vaccines, food, wellness. There have been high‑profile events and hearings featuring figures like RFK Jr. and administration officials where MAHA has been framed as a mix of skepticism about established institutions and enthusiasm for “citizen‑driven” health choices, including access to data and alternative therapies.

In June of 2025, CMS and HHS held a listening session with RFK Jr., Marty Makary, Dr. Oz, and an NIH representative—all focused on patient empowerment and data access. Then in July, they held “Make Health Tech Great Again” for the CMS health‑tech ecosystem, to get companies to pledge data access. They’re going to start applying pressure, both symbolically through MAHA branding and concretely through interoperability and information‑blocking levers.


Amanda: But again, why IAS? I can see that an individual access initiative COULD fit in with a MAHA rubric, but it’s a big drop in populist appeal and general public awareness to go from vaccine and food‑additive issues to “freedom to access your own data.” Explain to me WHY consumerism of healthcare data is getting so much energy from this administration.


Brendan: In addition to fitting in with traditional Republican principles around healthcare consumerism, part of it is alignment with the administration’s allies—companies like Palantir and a16z. That faction is strongly in favor of data access.

 

When you unlock the data, you can build a lot of things outside HIPAA and make a lot of money—direct‑to‑consumer products, analytics, you name it. Tech is excited about that. Providers are saying, “Wait a minute.”


But it’s important to remember that patients have technically had the right to their data since 1996. The difference now is that TEFCA, IAS companies, and information‑blocking enforcement are making that right operational at scale.

Looking ahead for the IAS world


Amanda: Okay. How do you see the future of the IAS layer playing out across the next 12 months or so?


Brendan: I think we’ll see continued progress. The administration will keep putting muscle behind interoperability efforts with regard to Epic and other EHR vendors. Information‑blocking enforcement will push this whole effort forward.

Since late 2024, HHS has finalized additional information‑blocking exceptions and clarified how civil monetary penalties, certification consequences, and CMS program disincentives can all be triggered by blocking behavior, which raises the stakes for organizations that slow down patient‑directed exchange. On the flip side, TEFCA’s 2025 priorities and CMS’ refreshed Interoperability and Patient Access rule explicitly highlight patient‑facing APIs and IAS as core to the national digital‑health strategy, giving IAS vendors and their health‑system partners a stronger policy tailwind than they have ever had.

[Infographic: IAS (individual access layer / individual access services) opportunities and risks for health systems, payers and life sciences. IAS enables new capabilities but raises the operational bar and also increases some legal/compliance risk as data flows to more partners.]

 

Bonus question: Oracle/Cerner’s AI‑native EHR


Amanda: As long as we’re talking about the future—here’s something even non‑technologists are wondering about healthcare tech. What do you think about Oracle/Cerner and this idea of the AI‑native EHR? Do you think that could amount to something significant, potentially displacing Epic at major health systems? What would it take for that to happen?


Brendan: In order for that to happen, several different pieces would need to fall into place. Each piece alone seems unlikely, but if they all lined up, it could happen.


  • First, significant regulatory action against Epic—antitrust or information‑blocking enforcement—could slow Epic down. Epic’s advantage is competence; if you undercut that, others could catch up.


  • Second, an AI‑native EHR that’s truly 10x better. Building a system of record at Epic’s scale usually takes decades and billions. But Oracle has the money—from its cloud and AI business—to take a swing. If they stay focused, maybe they could do it.


  • Third, Larry Ellison’s politics. He’s an ally of Trump, so he’s benefitting from being in that position currently. Also, he is not afraid to use aggressive tactics—lawsuits, funding, opposition research. That happened between Oracle and Microsoft in the 2000s. He could easily fund litigation to slow Epic down. It’s a strategy that the “innovator crowd”—a16z and others—are already using to slow incumbents.


So it’s not a huge chance; it’s three bull’s‑eye dart throws in a row. But if they all DO hit, that could shift the market.

 

Closing thoughts on IAS


Amanda: Bringing the conversation back to the individual access layer and IAS companies – thanks for the overview, I appreciate it and it’s clearly an important thing to keep an eye on.


Brendan: You’re welcome and yes. We’ve essentially solved provider‑to‑provider exchange. The next phase is going to be patient‑driven exchange. It’s going to get messy—but this phase is coming.
