Epic moves forward on health app interoperability
The Trusted Exchange Framework and Common Agreement directory has made it possible for consumers to clear the hurdle of joining data from multiple electronic health record (EHR) sources. And now Epic is offering new functionalities that capitalize on that fact.
"We've opened up an API so that our customers can allow patients to connect with apps outside of the Epic system – like health coaches, exercise apps and more," said Matt Doyle, Epic's interoperability software development lead.
One patient, multiple data sources
Some consumers have been able to connect EHR data with apps like Apple Health and others, but enabling data exchange with multiple providers at scale has been a long-time challenge for healthcare.
"It's a good idea, and we've supported that through MyChart for quite a long time," said Doyle. "The new thing that's happening is connecting that individual access that large scale through TEFCA."
Previously, an app developer needed to know every provider and hospital "and have a directory and a relationship with them all," he explained.
Now that the directory of exchange-ready organizations is available under TEFCA, Epic has spent the last six months developing a way for consumers to leverage it and gather their patient data in the app of their choosing.
Epic announced Thursday on CNBC that it has opened up a way for more health apps to access health records. The planning started about one year ago, Doyle said, and it included working with the Office of the National Coordinator of Health IT, federal partners, the Sequoia Project, which is the ONC's recognized coordinating entity, and others.
The effort also engaged the companies that build these apps and providers as a community to "figure out what is the right approach – the right privacy, the right patient education, the right workflow," to check all the boxes.
When a patient uses a health app that is part of TEFCA, which went live in December, they authenticate in MyChart to find access to their health records available through the TEFCA directory.
Remembering each provider that they have gone to for healthcare has been a burden for patients, one that TEFCA has solved.
"When you join TEFCA, you agree to exchange with everyone in the TEFCA community," Doyle noted.
Authorized by the Cures Act, TEFCA aimed to establish a universal governance, policy and technical foundation for nationwide interoperability, and one that had to be made simple for patients, providers, payers and public health agencies.
When a healthcare consumer requests their medical records through a third-party app that is part of TEFCA, location services will use that directory to find all the sources of information for that consumer.
"It's a big win for me as a consumer because it takes a lot of the burden off of me, and it's a big win for app developers because they don't have to maintain relationships with every site."
App developers no longer have to negotiate agreements. However, for providers, culpability for releasing data to apps that might share protected health information is another story.
Consumer-facing privacy warnings
Using a third-party app, the consumer authenticates through Epic's patient portal and will be offered information – on a red, blue or green screen – that makes it clear how they are about to share their health information.
"One of the challenges that we heard from provider organizations was the importance that patients understand they're taking their data out of the HIPAA ecosystem, that they have appropriate authentication to make sure it's the right person who's giving that permission before providers can release this data and know that they're complying with their HIPAA obligations," Doyle explained to Healthcare IT News as he pulled up the colorful screenshots.
If a consumer-chosen app is approved by HIPAA, Epic's green data privacy note will say so. If it's not a HIPAA-covered app but Epic has information on the third-party data policies, the blue result will provide the details.
"We can tell you and educate you directly about how they might use your data," said Doyle.
But if the consumer gets the red screen, they are asked to be sure they want to export their protected data and share it with the third-party app whose data privacy practices Epic cannot verify.
Without knowing whether the consumer's app partners will have access to the PHI that flows, "this is an opportunity for you as a consumer to pause and make sure you understand the choices that you're making to move your data into this third-party app."
After that step, "the data flows," Doyle said.
It's a significant leap toward giving healthcare consumers the power to compile a unified health record.
Back in 2016, Duke Medicine claimed to be the first Epic-based health system to use Fast Health Information Resources API with Apple Health's developers kit within a live, HIPAA-safe environment as a connected care initiative. The health system wanted to leverage the app's data to better monitor and support chronic care patients.
While Epic was able to engage with HIPAA-approved apps before TEFCA, opening up the API opens the door for health apps to take advantage of the provider directory, "which is a better scalability and better experience for you as the consumer," Doyle said.
While healthcare interoperability is a national directive, keeping PHI safe is always a concern.
"One point that I think is really powerful here is that the TEFCA agreement requires app developers to voluntarily comply with HIPAA privacy and security rules, even if they're not HIPAA-covered entities," he said. "That's much easier to explain to a consumer than to get into the [Federal Trade Commission] and HIPAA nuances."
Doyle said that within two weeks, the functionality should begin to roll out to more Epic customers, with deployment through the fall.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.