If you’ve been to doctors in the US, you may have encountered the problem: how does a healthcare provider get access to your up-to-date medical history to treat you properly? Reliance on archaic methods is still the norm: typically you, or your provider, need to call the facilities where you’ve previously received treatment (assuming you remember them all), just to have them send your records via fax (yep, fax). This can take weeks, only then to have a provider sift through hundreds of pages of unstructured docs, just to figure out basic things like your active medication list, what conditions you may have, latest lab results, etc. This not only delays treatment, it can cause improper treatment, since the medical history is critical for treatment decisions.
For example, here’s a crazy story from a customer of ours: recently a patient came to them asking for a specific medication. When the provider pulled their medical history through Metriport, they saw that the patient had had a heart attack in the last 6 months. (The patient had omitted to mention this.) In such a case, the medication they were asking for could cause death! Needless to say, the provider did not fulfill that request—but they did begin to look for medications that could actually work for that patient.
Many providers use Electronic Health Record (EHR) software to manage their patients’ data, but many EHRs don’t talk to each other, which means a patient’s data is more often than not siloed across disparate systems with incompatible data formats. More recently, Health Information Exchanges (HIEs) emerged to make the exchange of patient medical data possible between different providers. HIEs are essentially a peer-to-peer network for clinical data exchange. These networks helped push interoperability in the right direction, but their underlying technology is still based on older tech from the 90s, requiring SOAP-based protocols for transactions, using mostly C-CDAs (XML files), PDFs, and images to exchange medical data. A patient with a chronic condition may have thousands of such files across dozens of providers, and they all contain messy, likely unstructured, and duplicate information. Even if you spend lots of dev time, and money, connecting to all of these exchanges (like we did), you’re still left with the tough problem of making this medical data actually usable for providers.
We did YC in S22, starting with a quantified self personal health app (this was our Show HN: https://news.ycombinator.com/item?id=29800932 - it didn’t get very far!). Working on clinical use cases for the app ran us straight into this insane rats’ nest of 30-year-old technologies, all incompatible with each other, just to integrate medical data into our product. Vendors attempting to solve this problem wanted to lock us into $100k+ yearly contracts without even letting us try their closed-source product! Integration time would have been months, and developer docs were a whole new order of jank. It took us a while to realize there really was no good solution to this—it was hard to believe—but then we started talking to other healthcare companies and found they had the same problem. At that point it was a no-brainer to pivot to this instead. We kept the name Metriport though :).
Metriport connects to all 3 major HIE networks (CommonWell, Carequality, and eHealth Exchange), and provides an API and dashboard. Here’s how it works: (1) You input basic patient demographics (name, DOB, gender at birth, address); (2) we search through hundreds of thousands of providers across multiple HIEs for the patient’s records; (3) Once the records are found, we fetch all of them and convert them into usable JSON data - standardized to FHIR; (4) The data, and raw files, are made available on the API and dashboard.
You can render the data in a way that’s immediately useful for providers, like deduplicated PDF medical record summaries. From there, you can also use Metriport to contribute new clinical patient information back to the providers in the network, regardless of what EHR they use—eliminating the need for many painful one-off EHR integrations. It’s a little known fact that you can do this using HIEs without needing to write individual integrations to EHRs like Epic, Athena, and Cerner, for example.
The value of this approach is that healthtech companies and providers don’t have to go build dozens of EHR integrations themselves, or have to know where patient data is located, and can instead tap into a single “internet of healthcare data”. Going from entering inputs to getting a comprehensive medical record summary is done in 3 minutes on average. Compare that to weeks using fax machines just to get messy data!
You may be wondering how the search for records is done, using only patient demographics. Essentially, these networks consist of a bunch of nodes talking to each other asking “hey, do you have records for John Doe?”. So, this boils down to sending HTTP requests containing the patient’s demographics to a bunch of endpoints, and the endpoints returning the ID representing the patient in their system if there’s a match. You’ll be surprised (or at least dismayed) to hear that there is no standardization for how patient matching is determined across systems in the networks, which is problematic with something as highly variable as a person’s demographics. This means if one system wants to consider a single typo in the patient’s first name a mismatch, they can go ahead and do so—making it difficult for others to find records in their system. This problem is so pervasive that one of the national HIEs started an initiative to get other network participants to share their patient matching algorithm to help improve response rates for all systems in the network. Sadly, only one vendor agreed to share their matching algorithm. To combat this status quo, we’ve open-sourced our patient matching algorithm, which uses a variant of the Fellegi-Sunter model, and we hope other vendors will follow suit in the future: https://github.com/metriport/metriport/blob/3e82111bc081a39a...
Another big part of this is the data mapping from one format to another. If you’re not familiar with healthcare data, FHIR is the latest and greatest standard that’s ubiquitous in modern systems. In Metriport, FHIR is represented with JSON. The older standard is HL7v3 (C-CDA), which is what all healthcare information exchanges still use today, and what EHRs typically export - C-CDAs are messy XML documents that have structure, but also contain a lot of unstructured data in HTML format, or free text. So you can imagine, the ability to convert C-CDA medical records to something actually usable like FHIR, is pretty important. Given that it’s important, you’d also think it’s a fairly solved problem, with plenty of resources/tools to wrangle the data… nope. Again, there are little to no standards here, and you have different vendors building proprietary systems in-house, attempting to solve the same problem, with mediocre black-box results that you can’t trust. We see making healthcare data usable more like a public body of knowledge that can be improved upon, and don’t think this work should be closed off to the world, so we also open-sourced our FHIR converter (https://github.com/metriport/metriport/tree/develop/packages...), and you can give it a spin here: https://docs.metriport.com/converter-api/getting-started/qui.... In the future, we will also leverage things like OCR on PDFs to do clinical data extraction, and use LLMs to make even more concise medical record summaries.
Making Metriport open-source was a decision we made from day one, based on our philosophy that transparency leads to innovation, especially in healthcare.
From a security and compliance standpoint, we’re fully SOC 2 Type 2 and HIPAA compliant (https://security.metriport.com/). Additionally, using Metriport for patient data exchange today requires a Treatment purpose of use under HIPAA - which means that only Covered Entities, or Business Associates who work with Covered Entities, can use Metriport. This means that companies doing things such as clinical trials recruitment, for example, can’t use Metriport, but a primary care provider, or a clinical decision support vendor, can. This is due to current requirements set forth by HIEs, which may open up to support alternative use cases in the future, such as Individual Access Services (IAS).
We charge per full medical record retrieval for a patient (which we call a query). This starts at $1 per query (with a monthly minimum), and scales down from there based on volume. We only charge for queries that return at least one record (and even if a query returns 1000 documents for a single patient, we still count that as a single query) - no charge is incurred for sharing data back to the networks, or making API calls to generate medical record summaries, for example.
You can see all the code for Metriport in our public GitHub repo: https://github.com/metriport/metriport. For anyone wanting to give us a whirl, you can do so by getting started with our free sandbox environment (https://docs.metriport.com/medical-api/getting-started/quick...).
We’re looking forward to hearing what you think, and happy to answer any questions you may have, as the health information exchange space is pretty niche - thanks for taking the time to read this, we hope it was interesting!
I congratulate you on your launch and I'm interested in your converter. I'm surprised you didn't mention the TEFCA effort and wondering if you're planning on becoming your own QHIN (Qualified Health Information Network) or if you just plan on interfacing with all of the major QHIN's?
How are you handling interstate data exchange privacy requirements. Some states have restrictions on what data can be shared across state (thinking about this in terms of things like PDMP queries). I'm also wondering how you are handling the patient data access audit trail as well as information blocking filtering requirements. Perusing your documentation, it looks like you pass along the AuditEvent, does your system create additional audit trails for those who access the patient data? Or is that all being handled upstream w/ your QHINs?
> In your FHIR implementation, what version of USCDI do you support? I'm assuming you're following US Core profile's with your implementation guides?
We will support USCDI v3 (which is the ONC requirement for 2026), and are following US Core as closely as possible with our FHIR converter.
We're working on improving our FHIR documentation across the board, and have the beginnings of a FHIR-specific IG here: https://docs.metriport.com/medical-api/fhir/overview
> I didn't see listed anywhere your capability statement URL that would give insight into what your doing.
Yes good point - raised an issue for this here: https://github.com/metriport/metriport/issues/2142
Please feel free to raise more issues on our repo if you'd like to see other improvements, and it would be great to get in touch about your use case!
> you didn't mention the TEFCA effort and wondering if you're planning on becoming your own QHIN (Qualified Health Information Network) or if you just plan on interfacing with all of the major QHIN's?
Haha this post was already close to exceeding maximum length, so we had to trim it down a bit - we thought no-one would know what TEFCA/QHINs are, but cool to see that you do.
(For anyone reading this, TEFCA is the the document driving changes for different permitted purposes of use, and general governance of the networks, by the ONC. QHINs are one of the outputs of TEFCA, and are a flavor of HIEs that promise to bring more use cases, such as patient access, to the table)
Unfortunately QHINs aren't very meaningful right now, since patient access queries are not mandated to be responded to by TEFCA. One of the HIEs we connect to, CommonWell, is already a QHIN, so we'll look at leveraging that, or becoming one ourselves, as we see fit.
> How are you handling interstate data exchange privacy requirements.
We handle this on a case-by-case basis based on: (1) what state our customers' patients' are located, (2) what kind of data they can/will be sharing, and (3) state requirements as you mention. For example, there is a new bill in California that will require special care of medical info as it pertains to abortion, contraception, and etc: https://trackbill.com/bill/california-assembly-bill-352-heal...
> also wondering how you are handling the patient data access audit trail
All transactions that interface with our system have audit logs attached to them by default (as per HIPAA/SOC2 requirements).
> Or is that all being handled upstream w/ your QHINs?
Nothing is handled upstream with the HIEs we connect to (note that QHINs are a different subject, and just enable future use cases outside of Treatment) - audit logging is up to each member of the network, including us. For example, Carequality only has a directory that implementers connect to, they don't store any data, and their only service is a directory of endpoints (it's more of a framework in that sense).
How does your service differ in practice from existing networks of networks like Health Gorilla and Particle Health?
Honest question, how was your experience with getting funding on an open source product within healthcare? My experience so far is that the field is, as you put it, 30 years back, also in terms of business models.
We get asked the fundraising question a lot, especially since we're open source. Once investors understood that we still have a hosted product we charge for, and that we have a large moat since someone could fork our code but it'd be very difficult to run the business (compliance, getting access to the different networks, understanding the niche space, etc) - open source wasn't a hinderance to raising.
One thing we learned though, is that even though every human interacts with the healthcare system in some capacity - very few people know how things actually work. So, we had to tailor our pitches to make investors understand why our product matters, since generally even people that have healthcare experience, have no idea what the hell an HIE is.
That, and our GTM allowed us to sell quickly, without needing to wait for slow moving hospital contracts, as are typical in healthcare - so some decent traction definitely helped.
This, on its own, is probably not something that folks could just throw onto any server, and expect reputable heath providers to use (at least, I hope not). Auditing and validation ain't cheap.
I applaud the idea, and hope that it works out. Most health providers still require faxes, which is a huge pain in the butt.
I have also heard many complaints about Epic Systems.
"Access comprehensive EHR data for your patients in seconds, with FHIR R4...", I got Vietnam flashbacks from building an app to interface with the NHS Covid Vax certificate, that was my first encounter with FHIR... And honestly, all I wanted by the end of the day was to set myself on FHIR! Such a complex abstraction. Anyway, Godspeed!
Integrating with vaccine registries is another unique beast, and we haven't had the pleasure of doing that yet. Each state has actually has its own registry, they don't even use FHIR, and instead use an even older standard than C-CDAs - CAIR2 HL7v2: https://www.cdph.ca.gov/Programs/CID/DCDC/CAIR/CDPH%20Docume...
We don't support this yet - but we'll get there.
https://repository.immregistries.org/resource/hl7-version-2-...
The CDC IZ Gateway can make it somewhat easier to work with multiple state registries.
https://www.cdc.gov/vaccines/programs/iis/iz-gateway/overvie...
In practice the C-CDAs obtained from providers sometimes include immunization section entries so you can pick up some records that way as well
Glad Metriport is addressing this! I hope you will drive a new level of standardization on an open and modern data exchange protocol.
One question: at the product level, would it make sense to go one step further and bet on the future being the cloud - and start supporting existing cloud solution like Google Healthcare (FHIR) API (and others) as storage layers?
> Would it make sense to go one step further and bet on the future being the cloud - and start supporting existing cloud solution like Google Healthcare (FHIR) API (and others) as storage layers?
Oh for sure - to clarify, we're open-source, but we definitely have a managed cloud solution. For our backend, we currently self-host the OSS version of HAPI FHIR on AWS: https://github.com/metriport/fhir-server. It works pretty well for our purposes, and we'd prefer to not use a managed solution like the Google FHIR storage for this. Mainly for customizability, control, and to keep things OSS.
With that being said, people using Metriport can store the FHIR data and raw docs coming from our API in whatever solution they wish - including the Google FHIR storage! Everything is standardized to FHIR R4, so syncing to another backend is straightforward.
In fact, a customer of ours recently used this OSS solution to sync Metriport data to their Google cloud: https://github.com/google/fhir-data-pipes
Great. What I was trying to say is that there may be some value for larger customers if your company were building and managing something like it (basically a Fivetran for FHIR).
Consider someone who is misdiagnosed and switching doctors because they can't get the medical staff to believe them. They would be served by a fresh set of data and if re-diagnosed, so be it.
There actually is a standard for converting C-CDA records to FHIR. It isn't 100% complete but serves as a useful starting point. If you find problems with it you can feed those back into the standards process.
http://hl7.org/fhir/us/ccda/
Microsoft has an open source library which works pretty well and I think implements at least part of that standard, although I haven't used it lately.
https://github.com/microsoft/FHIR-Converter
FHIR also includes unstructured narrative text so it isn't necessarily better than C-CDA in that regard. You'll find that data quality problems come down more to provider systems configuration and charting policies rather than data formats.
The problem is that most providers still work on a fee-for-service basis, billing payers (insurers) and patients for individual line items. There's no line item billing code for improving clinical data quality or sharing patient records with other authorized organizations. So they mostly do the bare minimum necessary to comply with government regulations and payer coverage rules.
For example, every doctor is supposed to have a Direct Secure Messaging address listed in NPPES by now so that they can securely email patient records to each other. Every major EHR supports this standard and it can also be used through HISP online portals. But a lot of doctors still have no clue how to do this and haven't registered their address in NPPES (or misunderstood the instructions and put in their own personal Hotmail email address or something). So, they still end up sending faxes.
The situation may eventually improve with the shift to value-based care but this will be a slow process.
A health platform I helped build was open sourced[0] (the apps built on it are closed source and deployed in NHS trusts). Feel free to dig around for any inspiration :-)
[0] https://github.com/polaris-foundation
The architecture was that that was a backend for apps, and the individual apps would host a stateless BFF service to translate the backend into what they needed, and then the web/mobile apps would talk to that. HAPI FHIR was integrated for testing reasons; it also spoke HL7v2, for our sins.