The EHR Gatekeeping Problem: Why Your Data Is Trapped and What to Do About It

How EHR Vendors Monetise Data Access

The business model behind EHR vendor data access fees is straightforward: the base EHR contract covers clinical documentation, order entry, and basic reporting. Anything more sophisticated — population health queries, custom analytics, cohort identification, longitudinal data export — is a separately priced module or service. The vendor controls the data schema, the API, and the reporting tooling. The customer controls nothing except the decision to pay.

Epic: Crystal Reports, Cogito, and the Analytics Upsell

Epic's analytics architecture has four layers, priced separately and with escalating access to underlying data:

Cerner: HealtheAnalytics and the Per-Query Economy

Oracle Health (formerly Cerner) operates a similar tiered access model. The standard Cerner Millennium deployment includes a set of operational reports accessible through the ClinView and HealtheRegistries modules. Deeper analytics access is channelled through:

• HealtheAnalytics: Cerner's population health analytics module. Billed as a subscription add-on; pricing varies by bed count and active patient population but typically runs $80,000–$350,000 annually for a mid-size health system. Includes cohort identification tools, quality measure dashboards, and risk stratification — all of which operate within the Cerner environment and produce outputs that do not export cleanly to external systems without additional work.
• CCL (Cerner Command Language) access: CCL is Cerner's proprietary scripting language for custom database queries. Organisations with in-house Cerner programmers can write CCL scripts to extract data, but the outputs are typically formatted for Cerner's own reporting engine and require transformation for use elsewhere.
• DiscernVisual Developer (DVD): A report-building interface for Cerner that allows custom report creation within defined parameters. Not a substitute for direct database access.

The consequence of this architecture is that a Cerner customer who wants to run a population-level query — "show me all patients over 65 with HbA1c over 8.0 who have not had an ophthalmology referral in 24 months" — must either purchase HealtheAnalytics, commission a CCL script from a contracted Cerner developer, or build the extract manually from individual patient records. None of these options is fast or cheap.

The ONC Information Blocking Rule: What Changed in 2021

The 21st Century Cures Act, passed in 2016, directed the Office of the National Coordinator for Health IT (ONC) to establish a prohibition on "information blocking" — practices by healthcare actors that interfere with, prevent, or discourage access, exchange, or use of electronic health information (EHI).

The ONC Information Blocking Final Rule became effective April 5, 2021. Under 45 CFR §171.103, information blocking is defined as any practice that is unreasonably likely to interfere with access to, exchange, or use of EHI. The rule covers three categories of actors: healthcare providers, health IT developers (including EHR vendors), and health information networks/exchanges.

Enforcement:

• EHR vendors (Health IT developers): Civil monetary penalties of up to $1,000,000 per violation, enforced by the ONC and referred to the FTC for additional action. This penalty structure applies directly to Epic, Oracle Health, athenahealth, and every other certified EHR developer.
• Healthcare providers: Not subject to the $1M civil penalty directly, but information blocking by a provider is an "appropriate disincentive" as determined by HHS — including potential reduction in Medicare payment adjustments.
• Health information networks: Subject to the same $1M per violation structure as health IT developers.

The rule defines eight exceptions under which a practice does not constitute information blocking, including the Privacy Exception (HIPAA-compliant restrictions), the Security Exception (legitimate security protections), and the Fees Exception (reasonable cost-based fees). The Fees Exception is where vendor legal teams focus: a fee is permissible if it is "reasonable" and "cost-based." The ONC has stated explicitly that fees set to "extract value from the use of EHI or to impose conditions that are not directly related to the costs of enabling access" are not permissible. Fees designed to discourage switching to a competing analytics vendor are information blocking.

HIPAA §164.524: Your Right of Access to Patient Data

The HIPAA Privacy Rule at 45 CFR §164.524 establishes the right of individuals to access their own protected health information. For healthcare providers and their operations, this provision is relevant in two ways:

First, patients have a right to receive electronic copies of their health information in the electronic format they request, if the information is maintained electronically. EHR vendors cannot prevent providers from providing patients with their data. Providers who cite vendor restrictions as a reason for not producing electronic records within the 30-day HIPAA access timeframe (15 days if expedited) are in violation of HIPAA, not in compliance with it.

Second, the OCR has clarified — in guidance most recently updated in 2023 — that providers can use HIPAA-compliant third-party apps and services to produce patient access requests. A practice cannot cite its EHR vendor's data policies as a basis for denying a patient access to data that HIPAA requires the provider to produce.

Standard Data Pathways That Bypass Vendor Gatekeeping

There are four standard data pathways that allow providers to access their own data without purchasing vendor analytics modules or commissioning bespoke extracts:

Bulk FHIR: The Most Important Development in Healthcare Data Access

The ONC Cures Act Final Rule required all EHR developers certified under ONC's Health IT Certification Program to support HL7 FHIR R4 APIs as of December 31, 2022. The requirement covers FHIR patient-access APIs (individual records) and, importantly, system-level APIs that support bulk data export — the SMART on FHIR and Bulk Data Access IG specifications developed by the HL7 community.

Bulk FHIR (also called the FHIR Bulk Data Export specification) allows authorised third-party applications to request an export of all records for a defined patient population in newline-delimited JSON (ndjson) format. This is the pathway that makes population-scale analytics viable from FHIR data — rather than pulling individual records one at a time.

Epic deployed its Bulk FHIR endpoint as part of its 2021 Summer release, with full support available to health system customers with appropriate access agreements. Oracle Health has deployed Bulk FHIR support with variability across customer instances depending on version. The practical status as of early 2026: Bulk FHIR is available at most major health systems running Epic or Oracle Health on current versions, but activating it requires an access agreement with the health system's IT security team — not a vendor fee.

Vendor Lock-In Strategies: What They Look Like in Practice

Despite the information blocking rule, EHR vendors have adapted their lock-in strategies to operate within — or at the legal edge of — the regulatory framework:

• Contract clauses restricting data use: Some EHR contracts include restrictions on using exported data in competing analytical products, framed as intellectual property protections on the vendor's data model. ONC has indicated these clauses may constitute information blocking; enforcement actions are pending as of 2025.
• Technical friction in Bulk FHIR implementation: Vendors that technically comply with Bulk FHIR requirements but implement the endpoint with performance throttling, unpredictable authentication requirements, or undocumented rate limits create practical access barriers even where no legal barrier exists.
• Ecosystem incentives: Epic's App Orchard marketplace and Oracle's CloudMarketplace both feature preferred analytics vendors who have paid for marketplace listing and certified integration. Health systems using these marketplace vendors benefit from streamlined data access — a structural incentive that disadvantages independent analytics providers who have not paid for preferred status.
• Training and workflow entrenchment: Clinical staff trained on Epic's native analytics tools are less likely to advocate for third-party alternatives, even if the third-party alternative would provide better analytics. This is not illegal — but it is a deliberate network effect that vendors cultivate through substantial investment in training programmes.

What Vizier Does With Your Data Once You Have It

Vizier connects to your existing data — claims files (837P/837I, ERA/835), EHR exports via Bulk FHIR or CCD, CSV extracts from practice management systems — and normalises them into a unified patient-level data model. No custom database access agreements with Epic or Oracle are required for the core analytics use cases. For practices that do have Bulk FHIR access enabled, Vizier can maintain a live-updating data pipeline that refreshes daily without manual extract work.

The core claim is simple: the data you are already entitled to — claims, standard EHR exports, FHIR data — is sufficient to answer most of the clinical and financial questions that drive practice revenue and quality performance. You do not need to buy your EHR vendor's analytics module to run a coding audit, build a care gap registry, model your MIPS performance, or identify your highest-risk patients. You need the data you already own, and a tool that can work with standard formats.