FHIR EPIC Worker Trial

Health care systems are to provide API-level access to official patient applications. Most healthcare systems and vendors choose FHIR as the means to implement this interface, but many healthcare systems that upgrade their EMR are unaware of this capability. Of those familiar with the feature, some are concerned about what it means for the security of their data, while others see the change as an opportunity to create patient-focused apps.

Most of the health systems that will go live with MU3 are on EPIC, though Cerner and others will soon follow. 1upHealth is working with providers to test their EPIC upgrades against our patient applications, spanning multiple perspectives, from those wary of data security to those upgrading just to enable this API. In all cases, we believe the best technology is tested before launch. So we will test your EPIC install on staging with our patient app, complimentary.


How 1upHealth works with EPIC systems

Currently, about 25 health systems are active on EPIC with FHIR API capabilities. Some of these health systems have contacted us for testing. However, we are integrated with all of them and can get patient-authorized data. That is what MU3 made possible. For patient apps, the trigger to gain access to data is the patient's choice, and it therefore does not legally require HIPAA (although 1upHealth is HIPAA compliant and takes all precautions to store data securely). Security is equally important: there is no way for us to gain access to patient data without the patient's consent, which is protected by an individualized organization password.


Steps on how the patient will access the data in the 1upHealth Patient App (other apps will be similar)

1) the patient creates a 1upHealth account
2) the patient clicks on "connect health system"
3) the patient finds your Health System in the list of systems we support
4) the patient is redirected to your Health System's MyChart login page
5) EPIC displays a TOS on the page indicating that data will be shared with 1upHealth
6) the patient accepts sharing and gives access to 1upHealth
7) the patient is directed to 1upHealth with an access code provided by EPIC
8) 1upHealth uses the access code to get a token which can be used to access patient information for the next hour
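
The redirect and code exchange in steps 4 to 8, shown from the app's side as an added example (this is not 1upHealth's or EPIC's code). It assumes the flow is a standard OAuth 2.0 authorization-code grant; the endpoint, client ID and redirect URI are hypothetical placeholders.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical placeholders, not real 1upHealth or EPIC values.
AUTHORIZE_URL = "https://ehr.example.org/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"
TOKEN_LIFETIME_S = 3600  # the page says the token is usable for the next hour


def start_authorization(session):
    """Step 4: build the redirect to the health system login page."""
    session["state"] = secrets.token_urlsafe(32)  # unguessable, tied to this session
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Step 7: validate the redirect back, then build the step 8 token request."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("state", None)  # single use: a replayed callback fails
    returned = params.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: callback is not tied to this session")
    if "error" in params:  # for example, the patient declined at step 6
        raise PermissionError(params["error"][0])
    if "code" not in params:
        raise ValueError("no access code in callback")
    # Form fields the app POSTs to the token endpoint, with its client authentication.
    return {
        "grant_type": "authorization_code",
        "code": params["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }


def token_is_usable(issued_at, now=None):
    """Treat the token as expired once the one-hour window has passed."""
    now = time.time() if now is None else now
    return 0 <= now - issued_at < TOKEN_LIFETIME_S
```
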


What does this mean for the security of my information?

Patient information is still in your health system as usual. There is now one additional avenue through which patients can share their data with the app. That's the only change. The health system may be confused about the lack of a BAA in this case because, traditionally, data flowing from the health system to applications is covered by a BAA. But in this case, the patient allows access.

Sharing that the patient agrees to has never required a BAA. For example, 1upHealth supports all EPIC systems without a BAA among the systems we support. The document on this HHS site does a good job of detailing our use case as a non-covered entity PHR that obtains disclosure of PHI through individual authorization (read after page 7, section PHRS NOT OFFERED BY HIPAA COVERED ENTITIES). The excerpts below contain some of the laws surrounding patient-approved applications.


"Some PHRs fall outside the scope of the Privacy Rules because they are not offered by covered entities... While some of these PHRs may advertise that they are "HIPAA compliant", the Privacy Rules do not apply to or protect health information in these PHRs.

These PHRs are governed by the privacy policies and practices of the entity offering or administering the PHR, as well as by other applicable laws... Privacy Rules allow protected entities to disclose individual PHI to third parties with the written authorization of the individual. See 45 CFR 164.508. So, in cases where the entity offering the PHR can or has agreed to enter information directly into the PHR for an individual, the protected entity is permitted to disclose the PHI about the individual directly to the entity administering the PHR if the covered entity has written authorization from that individual for disclosure."


How does testing with 1upHealth help?

We are here to help. Testing your MU3-compliant EMR before going live can help ease concerns about the flow of health information directed to patients.
