Blue Button + Makes Health Data More Structured and Usable for Developers

The Office of the National Coordinator for Health Information Technology (ONC) is collaborating with health technology companies to make patient data more accessible and interoperable with a variety of mobile and web applications.  Blue Button + is the evolution of Blue Button — and makes health data more structured and usable for developers.  Mark Olschesky, a software developer and member of Rock Health’s current portfolio class, caught up with Rock Health alum and current Presidential Innovation Fellow, Ryan Panchadsaram and Pierce Graham-Jones to answer your burning questions.

What is HL7? I see a bunch of documents and Implementation Guides and even one thing that I can buy on their website. Is this free or do I need to pay for this?
HL7 (Health Level Seven) is a global standards organization that focuses on health information technology. Their organization developed the Consolidated Clinical Document Architecture, an XML-based standard that represents the patient health record. Last September, the HL7 Board of Directors announced its intention to allow free access and implementation of the standard. The date for availability has not been shared yet.

What is the bare minimum that I need to get started sending Blue Button + records? Can I create an XSD from the blue button examples or do I need to buy it or create it from scratch from things given to me from HL7?
At the moment, you can use the sample documents as a source if you require an XSD for your implementation. There are also plenty of other resources to help you ensure you are structuring files properly. A great resource is the ONC’s Companion Guide to Consolidated CDA for MU 2. It includes a detailed breakdown of each section and CCD XML examples. You can use the NIST testing tool and the C-CDA Scorecard.

I’ve been reading a lot about HIPAA lately with the updates to the HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rules. What do I need to do to protect myself legally and to protect my users if I start sending and receiving Blue Button+ records?
HIPAA does not generally cover Personal Health Records and other patient-facing technology (you can learn more about it from resources at OCR and HRSA), but companies should have security measures that are reasonable and appropriate to protect personal information, such as personal health data, in any form, from unauthorized access, disclosure, or use. There is a section in the implementation guide for frequently-asked privacy and security questions. Please let us know if you have other specific questions pertaining to our use case, and we can work with HHS on providing clear answers. Blue Button+ requires Third Party Developers to be transparent and clear with their consumers on privacy and security matters. To aid in transparency, ONC has created a Personal Health Record (PHR) Model Privacy Notice that helps Third Party Developers disclose their privacy and security practices before users sign up for service.

What is the difference between Blue Button+ and some of the APIs to get patient data that I’ve been reading about like this one or this one? Should I plan to support one or the other or both?
It depends on the type of application or product you are trying to build. The APIs that you refer to allow you to create deeply integrated applications with the respective EHRs. This is ideal for enterprise applications that are used by clinicians and medical professionals.  Blue Button+ is a simple way to have structured patient information shared with your application on behalf of the patient. This is ideal for consumer and caregiver applications.

Who else is already on board pledging to send Blue Button+ records? When should I plan to start receiving information from patients through vendors and hospitals?
All Meaningful Use certified EHR vendors will implement C-CDA and Direct Protocol for sharing clinical information with patients and providers. These vendors will be getting certified over the next several months.  The Blue Button+ implementation guide (IG) leverages these standards and adds several other elements that ease implementation, including exchanging trust anchor bundles and automating transmission to data receivers. Allscripts, Greenway, Beth Israel Deaconess Medical Center, and Dr. Chrono are all currently implementing using the IG this and will be demo-ing their progress at HIMSS. Healthvault and Nomoreclipboard will be set up by HIMSS to be data receivers.

Where can I get help if I’m better trying to understand the Blue Button+? Are there experts in the field already can I reach out to?
We’ve assembled a number of resources at The content for the site was generated by a community of 68 health and technology organizations. There are a range of experts who understand C-CDAs and Direct very well. If you have any questions, you can go to the site above, and click on the “Questions & Feedback” link on the left.

I’ve heard about the Direct Protocol before, but I’m not sure of its progress so far. I know that previously that it was in beta at a few sites across the country. Is this announcement the news that it is ready to go live everywhere?
The Direct Project released its 1.0 specification in early 2011.  Pilot implementations began graduating to production use later that year, and this past summer, a minor revision (1.1) of the specification was released.  At this point, the majority of the 50+ states and territories that are working on directed exchange as part of their statewide HIE strategies are now live with their Direct implementations, and with the inclusion of Direct into MU2 and HIPAA requirements for patients’ electronic access to their health information modifications , adoption of Direct only continues to accelerate.

How hard or easy is it going to be to implement this technology?
Implementing Blue Button+ should be an easy and straightforward task thanks to the community and the Blue Button+ Implementation Guide.  The guide includes tools to help create proper C-CDAs, reference implementations for Direct in C# and Java, and sample storyboards. There’s also a free webinar happening on February 19 from 3-4p ET on Blue Button Plus. You can register at:

How do I know if a provider can send to my application?
Providers and data holders who support Blue Button+ will be retrieving a collection of anchor certificates for all third party applications regularly. This “bundle” is currently being piloted and managed by the Automate Blue Button S&I workgroup. If your certificate is in this bundle, then you should be assured that data will flow to your application. Getting your certificate into the bundle is easy. You can learn more at:

Do I have to receive Blue Button+ records from all Blue Button+ providers?
As a receiver, yes, you should. The community has also begun to assemble a collection of anchor certificates that map to Providers and Data Holders. This “bundle” will include the anchor certificates for provider-serving HISPs that are participating in trust communities like Direct Trust, the recommended approach. This bundle also includes the anchors for EV certificates, an alternative for HISPs that are not participating in trust communities.

Mark Olschesky builds tools to improve access to care as CTO of Moxe Health, a Rock Health company. Moxe’s first product,, was showcased by HHS at Healthdatapalooza, Microsoft and Twilio. Mark previously worked for Epic, where he installed and optimized outpatient clinical and patient portal software. Mark learned about healthcare data integration “the hard way” and looks forward to a day where patient data exchange is simple and secure.

Pierce Graham-Jones and Ryan Panchadsaram led the Automate Blue Button Initiative which collaborated with 68 health technology companies and organizations to develop Blue Button+. Pierce is the West Health Innovator-in-Residence at the Department of Health and Human Services. Ryan is the Presidential Innovation Fellow at the Office of the National Coordinator for Health Information Technology (ONC).