By Jason Warrelmann, vice president global services and process industries, UiPath.
FHIR, or Fast Healthcare Interoperability Resources, is quickly being adopted on a massive scale. While only 24% of healthcare companies currently use application programming interfaces (APIs) at scale, according to recent survey data, FHIR APIs are expected to become widespread by 2024.
The same data shows that more than 50% of providers (out of 400 surveyed stakeholders) said they are consuming and producing a large number of APIs. Payers lag behind, with 43% and 37% saying they consume and build APIs, respectively. Even so, 67% of providers and 61% of payers expect their organizations to use APIs at scale as soon as 2023.
But what exactly does FHIR do?
Developed by Health Level Seven International (HL7), FHIR has quickly become the standard for representing and exchanging health information. FHIR defines how healthcare information can be exchanged between different computer systems regardless of how each system stores it. It allows this information, including clinical and administrative data, to be made available securely to those who need access to it and have the right to it for the benefit of a patient receiving care. However, FHIR APIs are not easy for businesses to adopt, and adoption today is driven mostly by the need to comply with interoperability rules. For healthcare providers, this means several steps of preparation before they can be fully FHIR-ready.
FHIR-enabled automation can make this adoption easier by leaving the preparation to software robots. Automation software makes sharing data and information between teams more seamless, ensuring everyone is on the same page when it comes to FHIR APIs. It also supports compliance and streamlines important processes, reducing the cost of FHIR adoption and making it faster and more efficient.
Here are the three ways FHIR-enabled automation can simplify the FHIR adoption process:
Changes in healthcare privacy guidance will have significant consequences for medical practices. This summer, the National Institute of Standards and Technology (NIST) released a draft update of its HIPAA Security Rule implementation guidance, the first since the guidance was originally issued in 2008.
It’s sorely needed.
According to a ClearDATA report on the state of cloud security among healthcare providers in 2022, there is a significant disparity in how healthcare leaders assess their organizations' cloud-based cybersecurity health. Many healthcare providers believe their cloud infrastructure is safe and secure when they actually fall well short of the minimum threshold for proper protection in an increasingly risky landscape.
So it is unsurprising that in 2021 healthcare organizations weathered more data breaches than in any year since 2009. But with clear instructions and accountability from technology providers, healthcare organizations can protect themselves against cyberattacks.
The Responsibility of Each Healthcare Organization
Guidelines from the federal government are meaningless without careful compliance by each healthcare organization. It is critical to review how noncompliance can negatively affect an organization.
Because noncompliance with guidance may not bring a fine or a direct penalty, its potential fallout is easy to underestimate. But threats are everywhere and a cyberattack is likely. If you are not proactive, you will eventually leave yourself open to a breach, and that attack can come with dire financial consequences.
Organizations that remain vigilant, proactive, and in line with NIST's updated HIPAA guidance can reduce their exposure to cyberattacks. It requires an expenditure of resources, but that cost should be seen as a critical investment in your organization's viability and the privacy of your patients' data.
By Deborah Hsieh, chief policy and strategy officer, Ciox Health.
Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. In the 25 years since, healthcare and technology have advanced beyond what any of the original writers of HIPAA could have imagined, creating innovative new tools and mechanisms to share information and to better engage individuals in their healthcare.
Recognizing the challenges in ensuring HIPAA remains relevant for technology, business practices, and patient needs of today, the U.S. Department of Health and Human Services (HHS) released proposed updates to HIPAA’s regulations. The proposed changes include needed flexibilities to promote information sharing, but fail to ensure patient privacy protections remain relevant for the changed context, and, in fact, encourage actions that could expose patients’ healthcare data. Rather than strengthening healthcare privacy protections, the proposal creates a new pathway for non-HIPAA-covered entities to freely access and exploit patients’ healthcare data.
In the proposed rule, HHS seeks to go beyond the existing statute and regulations that ensure patients have a right to direct a covered entity to transmit an electronic copy of their protected health information (PHI) in an electronic health record (EHR) to a designated person or entity of the patient's choice (also called a "patient directive"). HHS now proposes to create a wholly new, unprotected and unauthorized pathway enabling so-called personal health applications (third parties that meet a minimal set of criteria) to gain free access to electronic and paper-based data.
While HHS creates and encourages use of this new pathway for personal health applications, HHS is not able to regulate what these applications do. Because a personal health application “is not acting on behalf of, or at the direction of a covered entity,” it is not subject to HIPAA rules and obligations. Health data that a patient directs to a personal health application is no longer protected by HIPAA and patients are left to fend for themselves.
HHS states personal health applications are managed and controlled by the individual; however, there is no requirement that patients be informed their data is no longer being covered by HIPAA and what that means. Patients will lose their ability to control their access to and the use of their healthcare data and may be fully unaware that third parties may use personal health applications as a backdoor to gain access to millions of patients’ private health information for their own commercial purposes.
By Dipak Prasad, senior product manager, Devbridge.
Communication is one of the most important parts of the healthcare industry, but as it stands it may be the most challenging element as well. To reach the best patient outcomes, it is critical for patients, doctors, hospitals, and facilities to communicate with one another seamlessly, securely, and digitally.
The incredible amount of information that must be communicated accurately is a challenge by itself, and extensive regulation adds a further layer of difficulty. The Health Insurance Portability and Accountability Act (HIPAA) strives to protect a patient's private data, but it creates challenges when critical information must be communicated quickly between different parts of the medical team.
Currently, many organizations are decentralized and use multiple digital outlets: company-sponsored email, instant messaging and portals, plus personal email accounts and mobile and messaging applications, all with the potential to complicate and compromise the quality and security of communication.
Software can automate certain administrative tasks, enabling medical professionals to focus on patient care and improving patient outcomes. In a notoriously and widely distributed workforce where communication is essential, introducing an effective unified communication tool will increase operational efficiency and decrease infrastructure and maintenance costs.
A unified communication tool needs to connect all personnel across distributed locations, divisions, departments, and functions. A unified system should:
Be flexible and extensible, enabling adaptation to future needs
Support multiple communication methods (voice, text, data, video)
Integrate with existing systems
Put the user experience at the forefront, rivaling widely used mobile communication platforms (WhatsApp and Facebook Messenger)
Cater to user requirements by including unique, job-enhancing features based on real scenarios
Increase operational efficiency while being secure and HIPAA compliant
Tips on how to create an effective communications system:
Diagnose the problem: Run a discovery phase to identify organizational issues and opportunities for improvement through story-mapping workshops with stakeholders, interviews with end users, and surveys. Then create a service blueprint recording your findings, and ensure all stakeholders are aligned.
Define the minimum viable product (MVP): Prioritize the most significant issues and tackle those first to define the goals for the MVP. Validate your wireframes and prototypes with the same group that defined the problem space. Let the test group try the product early and often so that they guide the solution and feel involved in the process.
Anyone dealing with healthcare IT in the US will come across HIPAA and HITECH and HITRUST — and it’s easy to get them confused. They’re interrelated and they all concern health information and they all impact healthcare IT. But that certainly doesn’t mean they’re all the same.
Briefly, HIPAA is a law and compliance is mandatory. HITECH is another law that was subsequently folded into HIPAA. And HITRUST is a voluntary means to ensure compliance with laws such as HIPAA, including its HITECH provisions and any others that might come along. Here’s how it all breaks down:
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered a lot of healthcare modernization issues, including provisions addressing insurance and taxes. But when we reference HIPAA in the IT world, we’re generally concerned with details in the Act’s Title II.
HIPAA Title II stipulates national standards for managing and moving digital healthcare information. Its intent was to establish comprehensive guidance on the way protected health information (PHI) is maintained, exchanged, and protected from unauthorized exposure and theft across the healthcare industry. Since the Act was signed into law at the dawn of the dot-com era, it has naturally required amendment over the years.
HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) Act was part of the American Recovery and Reinvestment Act of 2009. HITECH allocated $28B to fund greater adoption of electronic health records (EHRs) through incentives, resulting in a massive digitization of health information. It also outlined additional sets of stipulations for digital standardization and added more privacy and security protections for healthcare data enforced by penalties for compliance failures.
HITECH was consolidated into HIPAA Title II in 2013 with the Final Omnibus Rule, which also expanded security and breach notification details and, notably, extended HIPAA-compliance requirements to business associate agreements. A business associate is any entity that “creates, receives, maintains, or transmits protected health information” for a HIPAA-covered entity. So pretty much anyone handling PHI has to comply with HIPAA — not just hospitals and insurance companies.
By Courtney Tesvich, vice president of regulatory, Nextech.
Data interoperability is once again poised to take a giant leap forward, and many factors are propelling this evolution. For example, the Office of the National Coordinator for Health IT's (ONC) March 2020 final rule implementing the interoperability provisions of the 21st Century Cures Act is set to advance interoperability regulation. COVID-19's spotlight on the need for data transparency and seamless information exchange to enable efficient care delivery across diverse settings has revealed a critical use case.
The rapid onboarding and use of telehealth to deliver safe and secure healthcare virtually underscores the importance of modernizing interoperable solutions. Given all these factors, the time is right for healthcare organizations to evolve their thinking around data sharing.
While larger, multi-setting health systems may have teams of people dedicated to advancing their organization’s interoperability strategy, smaller entities (including specialty physician practices) are often left to figure out the right path forward on their own. This can be overwhelming, and it may be tempting for smaller organizations to delay work on this issue. However, it will only postpone the inevitable.
Over the next two years, the capabilities and requirements to exchange electronic health information will change drastically. The ONC is allowing two years to implement the new interoperability requirements and technology will likely change in that time. So, starting the effort now can make it easier to adapt as solutions evolve. The bottom line? To meet this deadline, practices need to develop their strategies, update compliance efforts, understand upcoming changes and begin to update processes to ensure they are fully prepared for the near future.
But how can an organization get started? Here are a few steps to consider.
Educate yourself on the intent and nuances of the ONC rule. The primary goal of the interoperability rule is to give patients greater access to their health information and allow them to share the data more easily with all providers. As electronic health record (EHR) vendors continue to develop their products to meet the updated requirements, more information than ever before will be available electronically both for patient use and for exchange. Factors that providers should be aware of include:
Future availability of free-text notes in the patient portal, as well as nearly all lab, radiology and pathology results. As EHR vendors develop and certify to the US Core Data for Interoperability (USCDI) requirements, patients will see additional data in their portal beyond the previously available C-CDA content, including visit notes.
Patients will be able to seamlessly select independent apps to aggregate their own health records.
Ensure your practice understands how to handle requests for information in a timely manner. This includes requests by patients for their data as well as data requests by insurance companies, employers and consumer-facing apps. Develop a policy and train staff before the new Information Blocking deadline of April 5, 2021. Ensure you continue to follow HIPAA guidelines as well.
Practices will also need to regularly update clinician information in federal databases.
These suggestions merely scratch the surface of what the new rule requires. Providers should delve deeper and make sure they are moving towards compliance and not inadvertently standing in the way of information exchange.
Since the invention of the stethoscope, technology and innovation have been transforming how the healthcare industry delivers improved standards of care for individuals in every field of medicine. A more recent example of this is the widespread adoption of telehealth capabilities to bring care directly to patients no matter where they are.
This adoption trend accelerated in response to COVID-19, when the use of telehealth technology skyrocketed, with 48% of physicians meeting patients online in April. Since then, telehealth appointments have begun to level off and decline, but over the past year and for the foreseeable future, telehealth and the delivery of care through screens and mobile devices will likely play a key role in healthcare.
However, the increased use of telehealth creates additional risk from increased data generation and sharing: video recordings, email exchanges between physicians and patients, and broader sharing of protected health information (PHI) among patients, providers and third-party organizations. This level of sharing increases the likelihood that data ends up stored in an unsecured location. For healthcare providers and every other organization that handles PHI, the challenge is now to get a better grasp on compliance, protect patient data, and mitigate the risk of malicious actors and reputation-damaging fines. Here is how to do it:
Understanding the Rising Risk to Patient Data
The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996 and has since served to give patients power over their health records and hold healthcare organizations and their partners accountable for safeguarding the PHI data of patients.
HIPAA generally applies to PHI in all forms, but the Security Rule applies specifically to electronic PHI (ePHI). As telehealth becomes the new normal and the administrative workforce continues to work remotely, ePHI will proliferate, making compliance an even more extensive task. This means that while telehealth offers many tangible benefits to patients and providers, it is also a double-edged sword that requires heightened attention, not just now but at all times. Here are a few things to keep in mind:
The patient was prepped and ready on the operating table when the surgeon realized he only had a report of a CT scan and would need the actual images that were taken by another health system to successfully perform the procedure. Normally, this would either delay the surgery or tempt the doctors to try the procedure without all the relevant information.
Luckily for everyone involved, the hospital was a participant of a health information exchange (HIE). Within a few minutes, the surgeon had access to the necessary images through our secure portal and began a successful operation.
Interoperability is critical for planned and unplanned procedures alike. Today, COVID-19 patients often enter a hospital short of breath and in desperate need of emergency attention, yet, as many hospitals work now, that patient is expected to produce an extensive medical record of allergies, conditions, medications, and previous operations while gasping for air.
Although medicine continues to advance greatly, most care providers still dwell in the world of dinosaurs: faxing, printing, burning CD-ROMs, and relying on the patient's ability to produce medical histories.
A recent report by the National Academy of Medicine found that workflow and inadequate technology usability were major factors contributing to America's alarming rate of medical staff burnout. Customers who use modern network technology benefit greatly from seamless access to patient files that used to lie beyond their health system's servers, and from easy communication with other healthcare providers and with patients themselves. Patient care is hard enough today without technical and communication failures.
While the federal government is ushering the medical records system into the 21st century through new interoperability and patient access rules going into effect in 2021, providers would do well to stay ahead of mandated changes before it’s too late.