The Trusted Exchange Framework and Common Agreement directory have made it possible for consumers to overcome the hurdle of merging data from multiple electronic health record (EHR) sources. And now Epic is delivering new features that address that.
“We’ve opened an API so our customers can connect patients to apps outside of the Epic system, like health coaches, fitness apps, and more,” said Matt Doyle, Epic’s head of software development for interoperability.
One patient, multiple data sources
Some consumers have had success connecting EHR data to apps like Apple Health and others, but enabling data sharing with multiple providers at scale has long been a challenge for healthcare.
“It’s a good idea, and we’ve been supporting that for a long time through MyChart,” Doyle said. “The new thing that’s happening is that individual access is being connected at that large scale through TEFCA.”
In the past, an app developer had to know every healthcare provider and hospital and “have a directory and relationship with all of them,” he explains.
Now that the directory of exchange-ready organizations is available under TEFCA, Epic has spent the past six months developing a way for consumers to use it and collect their patient data into the app of their choice.
Epic announced on CNBC on Thursday that it has opened a way for more health apps to access medical recordsPlanning began about a year ago, Doyle said, and included collaboration with the Office of the National Coordinator of Health IT, federal partners, the Sequoia Project, the ONC’s designated coordinating entity and others.
This effort also involved the companies building these apps and the providers as a community to “figure out what is the right approach – the right privacy, the right patient education, the right workflow,” to check all the boxes.
When a patient uses a health app that is part of TEFCA (which went live in December), they must log in to MyChart to access their medical records through the TEFCA directory.
Patients found it difficult to remember which healthcare provider they went to for their care. TEFCA solved this problem.
“When you join TEFCA, you agree to exchange information with everyone in the TEFCA community,” Doyle said.
Authorized by the CARES Act, TEFCA was designed to create a universal governance, policy, and technical foundation for nationwide interoperability that would be simple for patients, providers, payers, and public health agencies to use.
When you access your medical information through a third-party app that is part of TEFCA, Location Services uses that directory to find all sources of information for the healthcare consumer.
“It’s a huge benefit for me as a consumer because it takes a lot of work off my hands. And it’s a huge benefit for app developers because they don’t have to maintain a relationship with every site.”
App developers no longer have to negotiate agreements. For providers, however, liability for releasing data to apps that may share PHI is a different story.
Consumer Privacy Warnings
Using a third-party app, the consumer authenticates through Epic’s patient portal and is presented with information – on a red, blue or green screen – that clearly shows how he or she will share his or her health information.
“One of the challenges we heard from healthcare providers was the importance of patients understanding that they are getting their data out of the HIPAA ecosystem, that they have the proper authentication to ensure that the right person is giving consent before healthcare providers can release that data, and that they know they are meeting their HIPAA obligations,” Doyle explained to Healthcare IT News while he was collecting the colorful screenshots.
If an app the consumer chooses is HIPAA-approved, Epic’s green data privacy note will say so. If it’s not a HIPAA-compliant app, but Epic has information about third-party data policies, the blue result will provide the details.
“We can tell you directly and educate you about how they may use your data,” Doyle said.
But when the consumer gets the red screen, they’re asked to confirm that they want to export and share their protected data with the third-party app, whose privacy practices Epic can’t verify.
Because we don’t know whether the consumer’s app partners have access to the PHI stream, “this is an opportunity for you as a consumer to pause and make sure you understand the choices you are making about moving your data to this third-party app.”
After that step, “the data flows,” Doyle said.
It is an important step toward giving healthcare consumers the ability to create a unified medical record.
In 2016, Duke Medicine claimed to be the first Epic-based health system to use Fast Health Information Resources API with Apple Health’s developer kit in a live, HIPAA Secure environment as a connected care initiative. The healthcare system wanted to use the data from the app to better monitor and support chronic care patients.
Epic was able to work with HIPAA-approved apps before TEFCA, but by opening up the API, health apps can now tap into the vendor directory. “That provides better scalability and a better experience for you as a consumer,” Doyle said.
While interoperability in healthcare is a national guideline, keeping PHI secure is always a concern.
“One point that I find really powerful here is that the TEFCA agreement requires app developers to voluntarily comply with the HIPAA privacy and security rules, even if they are not HIPAA-covered entities,” he said. “That’s much easier to explain to a consumer than to dive into the (Federal Trade Commission) and HIPAA nuances.”
Doyle said the functionality should be available to more Epic customers within two weeks, with a rollout scheduled for the fall.
Andrea Fox is Editor-in-Chief of Healthcare IT News.
Email address: afox@himss.org
Healthcare IT News is a publication of HIMSS Media.