Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

E-Patient Update:  Changing The Patient Data Sharing Culture

Posted on May 19, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I’ve been fighting for what I believe in for most of my life, and that includes getting access to my digital health information. I’ve pleaded with medical practice front-desk staff, gently threatened hospital HIT departments and gotten in the faces of doctors, none of whom ever seem to get why I need all of my data.

I guess you could say that I’m no shrinking violet, and that I don’t give up easily. But lately I’ve gotten a bit, let me say, discouraged when it comes to bringing together all of the data I generate. It doesn’t help that I have a few chronic illnesses, but it’s not easy even for patients with no major issues.

Some these health professionals know something about how EMRs work, how accurate, complete health records facilitate care and how big data analysis can improve population health. But when it comes to helping humble patients participate in this process, they seem to draw a blank.

The bias against sharing patient records with the patients seems to run deep. I once called the PR rep at a hospital EMR vendor and complained casually about my situation, in which a hospital told me that it would take three months to send me records printed from their EMR. (If I’d asked them to send me a CCD directly, the lady’s head might have exploded right there on the phone.)

Though I didn’t ask, the vendor rep got on the phone, reached a VP at the hospital and boom, I had my records. It took a week and a half, a vendor and hospital VP just to get one set of records to one patient. And for most of us it isn’t even that easy.

The methods providers have used to discourage my data requests have been varied. They include that I have to pay $X per page, when state law clearly states that (much lower) $Y is all they can charge. I’ve been told I just have to wait as long as it takes for the HIM department to get around to my request, no matter how time-sensitive the issue. I was even told once that Dr. X simply didn’t share patient records, and that’s that. (I didn’t bother to offer her a primer on state and federal medical records laws.) It gets to be kind of amusing over time, though irritating nonetheless.

Some of these skirmishes can be explained by training gaps or ignorance, certainly. What’s more, even if a provider encourages patient record requests there are still security and privacy issues to navigate. But I believe that what truly underlies provider resistance to giving patients their records is a mix of laziness and fear. In the past, few patients pushed the records issue, so hospitals and medical groups got lazy. Now, patients are getting assertive, and they fear what will happen.

Of course, we all have a right to our medical records, and if patients persist they will almost always get them. But if my experience is any guide, getting those records will remain difficult if attitudes don’t change. The default cultural setting among providers seems to be discomfort and even rebellion when they’re asked to give consumers their healthcare data. My protests won’t change a thing if people are tuning me out.

There’s many reasons for their reaction, including the rise of challenging, self-propelled patients who don’t assume the doctor knows best in all cases. Also, as in any other modern industry, data is power, and physicians in particular are already feeling almost powerless.

That being said, the healthcare industry isn’t going to meet its broad outcomes and efficiency goals unless patients are confident and comfortable with managing their health. Collecting, amassing and reviewing our health information greatly helps patients like me to stay on top of issues, so encumbering our efforts is counter-productive.

To counter such resistance, we need to transform the patient data sharing culture from resistant to supportive. Many health leaders seem to pine for the days when patients could have the data when and if they felt like it, but those days are past. Participating happily in a patient’s data collection efforts needs to become the norm.

If providers hope to meet the transformational goals they’ve set for themselves, they’ll have to help patients get their data as quickly, cheaply and easily as possible. Failing to do this will block or at least slow the progress of much-needed industry reforms, and they’re already a big stretch. Just give patients their data without a fuss – it’s the right thing to do!

Direct, Sequoia Interoperability Projects Continue To Grow

Posted on May 15, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

While its fate may still be uncertain – as with any interoperability approach in this day and age – the Direct exchange network seems to be growing at least. At the same time, it looks like the Sequoia Project’s interoperability efforts, including the Carequality Interoperability Framework and its eHealthExchange Network, are also expanding rapidly.

According to a new announcement from DirectTrust, the number of health information service providers who engaged in Direct exchanges increased 63 percent during the first quarter of 2017, to almost 95,000, over the same period in 2016.  And, to put this growth in perspective, there were just 5,627 providers involved in Q1 of 2014.

Meanwhile, the number of trusted Direct addresses which could share PHI grew 21 percent, to 1.4 million, as compared with the same quarter of 2016. Again, for perspective, consider that there were only 182,279 such addresses available three years ago.

In addition, the Trust noted, there were 35.6 million Direct exchange transactions during the quarter, up 76 percent over the same period last year. It expects to see transaction levels hit 140 million by the end of this year.

Also, six organizations joined DirectTrust during the first quarter of 2017, including Sutter Health, the Health Record Banking Alliance, Timmaron Group, Moxe Health, Uticorp and Anne Arundel Medical Center. This brings the total number of members to 124.

Of course, DirectTrust isn’t the only interoperability group throwing numbers around. In fact, Seqouia recently issued a statement touting its growth numbers as well (on the same day as the Direct announcement, natch).

On that day, the Project announced that the Carequality Interoperability Framework had been implemented by more than 19,000 clinics, 800 hospitals and 250,000 providers.

It also noted that its eHealth Exchange Network, a healthcare data sharing network, had grown 35 percent over the past year, connecting participants in 65 percent of all US hospitals, 46 regional and state HIEs, 50,000 medical groups, more than 3,400 dialysis centers and 8,300 pharmacies. This links together more than 109, million patients, Sequoia reported.

So what does all of this mean? At the moment, it’s still hard to tell:

  • While Direct and Sequoia are expanding pretty quickly, there’s few phenomena to which we can compare their growth.
  • Carequality and CommonWell agreed late last year to share data across each others’ networks, so comparing their transaction levels to other entities would probably be deceiving.
  • Though the groups’ lists of participating providers may be accurate, many of those providers could be participating in other efforts and therefore be counted multiple times.
  • We still aren’t sure what metrics really matter when it comes to measuring interoperability success. Is it the number of transactions initiated by a provider? The number of data flows received? The number of docs and facilities who do both and/or incorporate the data into their EMR?

As I see it, the real work going forward will be for industry leaders to decide what kind of performance stats actually equate to interoperability success. Otherwise, we may not just be missing health sharing bullseyes, we may be firing at different targets.

More Vendors, Providers Integrating Telemedicine Data With EHRs

Posted on April 27, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

One of the biggest problems providers face in rolling out telemedicine is how to integrate the data it generates. Must doctors make some kind of alternate set of notes appropriate to the medium, or do they belong in the EHR? Should healthcare organizations import the video and notate the general contents? And how should they connect the data with their EHR?

While we may not have definitive answers to such questions yet, it appears that the telehealth industry is moving in the right direction. According to a new survey by the American Telemedicine Association, respondents said that they’re seeing growth in interoperability with EHRs, progress which has increased their confidence in telemedicine’s future.

Before going any further, I should note that the surveyed population is a bit odd. The ATA reached out not only to leaders in hospital systems and medical practices, but also “telehealth service providers,” which sounds like merely an opportunity for self-promotion. But leaving aside this issue, it’s still worth thinking a bit about the data, such as it is.

First, not surprisingly, the results are a ringing endorsement of telemedicine technology. The group reports that 83 percent of respondents said they’ll probably invest in telehealth this year, and 88 percent will invest in telehealth-related technology.

When asked why they’re interested in delivering these services, 98 percent said that they believe telehealth services offer a competitive advantage over those that don’t offer it. And 84 percent of respondents expect that offering telehealth services will have a big impact on their organization’s coverage and reach.

(According to another survey, by Avizia and Modern Healthcare, other reasons providers are engaging with telehealth is because they believe it can improve clinical outcomes and support their transition to value-based care.)

When it comes to documenting its key thesis – that the integration of EHR and telehealth data is proceeding apace – the ATA research doesn’t go the distance. But I know from other studies that telemedicine vendors are indeed working on this issue – and why wouldn’t they? Any sophisticated telemedicine vendor has to know this is a big deal.

For example, telemedicine vendor American Well has been working with a long list of health plans and health systems for a while, in an effort to integrate the telehealth process with provider workflows. To support these efforts, American Well has created an enterprise telehealth platform designed to connect with providers’ clinical information systems. I’ve also observed that DoctorOnDemand has made some steps in that direction.

Ultimately, everyone in telehealth will have to get on board. Regardless of where they’re at now, those engaging in telehealth will need to push the interoperability puck forward.

In fact, integrating telehealth documentation with EMRs has to be a priority for everyone in the business. Even if integrating clinical data from virtual consults wasn’t important for analytics purposes, it is important to collecting insurance reimbursement. Now that private health plans (and Medicare) are reimbursing for telemedical care, you can rest assured that they’ll demand documentation if they don’t like your claim. And when it comes to Medicare, arguing that you haven’t figured out how to document these details won’t cut it.

In other words, while there’s some overarching reasons why integrating this data is a good long-term strategy, we need to keep immediate concerns in mind too. Telemedicine data has to be seen as documentation first, before we add any other bells and whistles. Otherwise, providers will get off on the wrong foot with insurers, and they’ll have trouble getting back on track.

Patients Message Providers More When Providers Reach Out

Posted on April 26, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new study has concluded that patients use secure electronic messaging more when their primary care providers initiate and respond to secure messages.

To conduct the study, the research team worked a large database stocked with information on health care transactions and secure messaging records on 81,645 US Army soldiers. The data also included information from almost 3,000 clinicians with access to a patient portal system. The dataset encompassed the 4-year period between January 2011 and November 2014.

The data, which appears in a paper published in the Journal of Medical Internet Research, suggests that current provider-patient exchanges via secure messaging aren’t that common. For example, during the study period just 7 percent of patients initiated a secure message during a given month. Meanwhile, Providers initiated an average of 0.007 messages per patient each month, while responding to 0.09 messages per patient during a month.

That being said, when physicians got more engaged with the messaging process, patients responded dramatically.

Patients who knew their providers were responsive initiated a whopping 334 percent more secure messages than their baseline. Even among patients whose providers responded infrequently to their messages, the level at which they initiated messages to their clinicians was 254 percent higher than with PCPs who weren’t responding. (Oddly, when PCP response rates were at the “medium” level, patients increased messaging by 167 percent.)

In fact, when clinicians communicated more, there seemed to be spillover effects. Specifically, the researchers found that patients messaged PCPs more if that provider was very responsive to other patients, suggesting that there’s a network effect in play here.

Meanwhile, when PCPs were the ones prone to initiating messages, patients were 60 percent more likely to send a secure message. In other words, patients were more energized by PCP responses than clinician-initiated messages.

Of course, for secure messaging to have any real impact on care quality and outcomes, a critical mass of patients need to use messaging tools. Historically, though, providers have struggled to get patients to use their portal, with usage levels hovering between 10 percent and 32 percent.

Usage rates for portals have stayed stubbornly low even when doctors work hard to get their patients interested. Even patients who have signed up to use the portal often don’t follow through, research suggests. And of course, patients who don’t touch the portal aren’t exchanging care-enhancing messages with their provider.

If we’re going to get patients to participate in messaging with their doctor, we’re going to have to admit that the features offered by basic portals simply aren’t that valuable. While most offer patients access to some details of their medical records and test results, and sometimes allow them to schedule appointments, many don’t provide much more.

Meanwhile, a surprising number of providers haven’t even enabled a secure messaging function on their portal, which confines it to being a sterile data receptacle. I’d argue that without offering this feature, portals do almost nothing to engage their typical patient.

Of course, physicians fear being overwhelmed by patient messages, and reasonably fear that they won’t have time to respond adequately. Even though many organizations including the research of Dr. CT Lin has shown this just isn’t the case. That being said, if they want to increase patient engagement – and improve their overall health – secure messaging is one of the simplest tools for making that happen. So even if it means redesigning their workflow or tasking advanced practice nurse with responding to routine queries, it’s worth doing.

AMIA Shares Recommendations On Health IT-Friendly Policymaking

Posted on April 17, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

The American Medical Informatics Association has released the findings from a new paper addressing health IT policy, including recommendation on how policymakers can support patient access to health data, interoperability for clinicians and patient care-related research and innovation.

As the group accurately notes, the US healthcare system has transformed itself into a digital industry at astonishing speed, largely during the past five years. Nonetheless, many healthcare organizations haven’t unlocked the value of these new tools, in part because their technical infrastructure is largely a collection of disparate systems which don’t work together well.

The paper, which is published in the Journal of the American Medical Informatics Association, offers several policy recommendations intended to help health IT better support value-based health, care and research. The paper argues that governments should implement specific policy to:

  • Enable patients to have better access to clinical data by standardizing data flow
  • Improve access to patient-generated data compiled by mHealth apps and related technologies
  • Engage patients in research by improving ways to alert clinicians and patients about research opportunities, while seeing to it that researchers manage consent effectively
  • Enable patient participation in and contribution to care delivery and health management by harmonizing standards for various classes of patient-generated data
  • Improve interoperability using APIs, which may demand that policymakers require adherence to chosen data standards
  • Develop and implement a documentation-simplification framework to fuel an overhaul of quality measurement, ensure availability of coded EHRs clinical data and support reimbursement requirements redesign
  • Develop and implement an app-vetting process emphasizing safety and effectiveness, to include creating a knowledgebase of trusted sources, possibly as part of clinical practice improvement under MIPS
  • Create a policy framework for research and innovation, to include policies to aid data access for research conducted by HIPAA-covered entities and increase needed data standardization
  • Foster an ecosystem connecting safe, effective and secure health applications

To meet these goals, AMIA issued a set of “Policy Action Items” which address immediate, near-term and future policy initiatives. They include:

  • Clarifying a patient’s HIPAA “right to access” to include a right to all data maintained by a covered entity’s designated record set;
  • Encourage continued adoption of 2015 Edition Certified Health IT, which will allow standards-based APIs published in the public domain to be composed of standard features which can continue to be deployed by providers; and
  • Make effective Common Rule revisions as finalized in the January 19, 2017 issue of the Federal Register

In looking at this material, I noted with interest AMIA’s thinking on the appropriate premises for current health IT policy. The group offered some worthwhile suggestions on how health IT leaders can leverage health data effectively, such as giving patients easy access to their mHealth data and engaging them in the research process.

Given that they overlap with suggestions I’ve seen elsewhere, we may be getting somewhere as an industry. In fact, it seems to me that we’re approaching industry consensus on some issues which, despite seeming relatively straightforward have been the subject of professional disputes.

As I see it, AMIA stands as good a chance as any other healthcare entity at getting these policies implemented. I look forward to seeing how much progress it makes in drawing attention to these issues.

No Duh, FTP Servers Pose PHI Security Risk

Posted on April 12, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

The File Transfer Protocol is so old – it was published in April 1971 – that it once ran on NCP, the predecessor of TCP/IP. And surprise, surprise, it’s not terribly secure, and was never designed to be so either.

Security researchers have pointed out that FTP servers are susceptible to a range of problems, including brute force attacks, FTP bounce attacks, packet capture, port stealing, spoofing attacks and username enumeration.

Also, like many IP specifications designed prior before standard encryption approaches like SSL were available, FTP servers don’t encrypt traffic, with all transmissions in clear text and usernames, passwords, commands and data readable by anyone sniffing the network.

So why am I bothering to remind you of all of this? I’m doing so because according to the FBI, cybercriminals have begun targeting FTP servers and in doing so, accessing personal health information. The agency reports that these criminals are attacking anonymous FTP servers associated with medical and dental facilities. Plus, don’t even know they have these servers running.

Getting into these servers is a breeze, the report notes. With anonymous FTP servers, attackers can authenticate to the FTP server using meaningless credentials like “anonymous” or “ftp,” or use a generic password or email address to log in. Once they gain access to PHI, and personally identifiable information (PII), they’re using it to “intimidate, harass, and blackmail business owners,” the FBI report says.

As readers may know, once these cybercriminals get to an anonymous FTP server, they can not only attack it, but also gain write access to the server and upload malicious apps.

Given these concerns, the FBI is recommending that medical and dental entities ask their IT staff to check their networks for anonymous FTP servers. And if they find any, the organization should at least be sure that PHI or PII aren’t stored on those servers.

The obvious question here is why healthcare organizations would host an anonymous FTP server in the first place, given its known vulnerabilities and the wide variety of available alternatives. If nothing else, why not use Secure FTP, which adds encryption for passwords and data transmission while retaining the same interface as basic FTP? Or what about using the HTTP or HTTPS protocol to share files with the world? After all, your existing infrastructure probably includes firewalls, intrusion detection/protection solutions and other technologies already tuned to work with web servers.

Of course, healthcare organizations face a myriad of emerging data security threats. For example, the FDA is so worried about the possibility of medical device attacks that it issued agency guidance on the subject. The agency is asking both device manufacturers and healthcare facilities to protect medical devices from cybersecurity threats. It’s also asking hospitals and healthcare facilities to see that they have adequate network defenses in place.

But when it comes to hosting anonymous FTP servers on your network, I’ve got to say “really?” This has to be a thing that the FBI tracks and warns providers to avoid? One would think that most health IT pros, if not all, would know better than to expose their networks this way. But I suppose there will always be laggards who make life harder for the rest of us!

Will Data Aggregation For Precision Medicine Compromise Patient Privacy?

Posted on April 10, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Like anyone else who follows medical research, I’m fascinated by the progress of precision medicine initiatives. I often find myself explaining to relatives that in the (perhaps far distant) future, their doctor may be able to offer treatments customized specifically for them. The prospect is awe-inspiring even for me, someone who’s been researching and writing about health data for decades.

That being the case, there are problems in bringing so much personal information together into a giant database, suggests Jennifer Kulynych in an article for OUPblog, which is published by Oxford University Press. In particular, bringing together a massive trove of individual medical histories and genomes may have serious privacy implications, she says.

In arguing her point, she makes a sobering observation that rings true for me:

“A growing number of experts, particularly re-identification scientists, believe it simply isn’t possible to de-identify the genomic data and medical information needed for precision medicine. To be useful, such information can’t be modified or stripped of identifiers to the point where there’s no real risk that the data could be linked back to a patient.”

As she points out, norms in the research community make it even more likely that patients could be individually identified. For example, while a doctor might need your permission to test your blood for care, in some states it’s quite legal for a researcher to take possession of blood not needed for that care, she says. Those researchers can then sequence your genome and place that data in a research database, and the patient may never have consented to this, or even know that it happened.

And there are other, perhaps even more troubling ways in which existing laws fail to protect the privacy of patients in researchers’ data stores. For example, current research and medical regs let review boards waive patient consent or even allow researchers to call DNA sequences “de-identified” data. This flies in the face of conventional wisdom that there’s no re-identification risk, she writes.

On top of all of this, the technology already exists to leverage this information for personal identification. For example, genome sequences can potentially be re-identified through comparison to a database of identified genomes. Law enforcement organizations have already used such data to predict key aspects of an individual’s face (such as eye color and race) from genomic data.

Then there’s the issue of what happens with EMR data storage. As the author notes, healthcare organizations are increasingly adding genomic data to their stores, and sharing it widely with individuals on their network. While such practices are largely confined to academic research institutions today, this type of data use is growing, and could also expose patients to involuntary identification.

Not everyone is as concerned as Kulynych about these issues. For example, a group of researchers recently concluded that a single patient anonymization algorithm could offer a “standard” level of privacy protection to patient, even when the organizations involved are sharing clinical data. They argue that larger clinical datasets that use this approach could protect patient privacy without generalizing or suppressing data in a manner that would undermine its usefulness.

But if nothing else, it’s hard to argue Kulynych’s central concern, that too few rules have been updated to reflect the realities of big genomic and medical data stories. Clearly, state and federal rules  need to address the emerging problems associated with big data and privacy. Otherwise, by the time a major privacy breach occurs, neither patients nor researchers will have any recourse.

Study: “Information Blocking” By Vendors And Providers Persists

Posted on April 6, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A newly-released study suggests that both EHR vendors and providers may still be interfering with the free exchange of patient healthcare data. The researchers concluded that despite the hearty disapproval of both Congress and healthcare providers, the two still consider “information blocking” to be in their financial interest.

To conduct the study, which appears in this month’s issue of The Milbank Quarterly, researchers conducted a national survey between October 2015 and January 2015. Researchers reached out to leaders driving HIE efforts among provider organizations. The study focused on how often information blocking took place, what forms it took and how effective various policy strategies might be at stopping the practice.

It certainly seems that the practice continues to be a major issue of concern to HIE leaders. Eighty-three percent of respondents said they were very familiar with information blocking, while just 12 percent reported having just some familiarity with the practice and 5 percent said they had minimal familiarity. On average, the respondents offered a good cross-industry view, having worked with 18 EHR vendors and with 31 hospitals or health systems on average.

Forms of Blocking:

If the research is accurate, information blocking is a widespread and persistent problem.

When questioned about specific forms of information by EHR vendors, 29 percent of respondents said that vendors often or routinely roll out products with limited interoperability capabilities. Meanwhile, 47 percent said that vendors routinely or often charge high fees for sharing data across HIEs, and 42 percent said that the vendors routinely or often make third-party access to standardized data harder than it needs to be. (For some reason, the study didn’t mention what types of information blocking providers have instituted.)

Frequency of blocking:

It’s hardly surprising that most of the respondents were familiar with information blocking issues, given how often the issue comes up.

In fact, a full fifty percent said that EHR vendors routinely engaged in information blocking, 33 percent said that the vendors blocked information occasionally, with only 17 percent stating that EHR vendors rarely did so.

Interestingly, the HIE managers said that providers were also engaged in information blocking, though fewer did so than among the vendor community. Twenty-five percent reported that providers routinely engage in information blocking, and 34 percent saying that providers did so occasionally. Meanwhile, 41 percent said information blocking by providers was rare.

Motivations for blocking:

Why do HIE participants block the flow of health data? It seems that at present they get something important out of it, and unless somebody stops them it makes sense to continue.

When it came to EHR vendors, the respondents felt that their motivations included a desire to maximize short-term revenue, with 41 percent reporting that this was a routine motivation and 28 percent that it was an occasional motivation. They also felt EHR vendors blocked information to improve the chances that providers would choose their platform over competing products, with 44 percent of respondents saying this was routine and 11 percent that it was occasional.

Meanwhile, they believed that hospitals and health systems, the most common motivation was to improve revenue by strengthening their competitive advantage, with 47 percent seeing this as routine and 30 percent occasional. Also, respondents said providers wanted to accommodate priorities other than data exchange, with 29 percent seeing this as routine and 31 percent occasional.

Solutions:

So what can be done about vendor and provider information blocking? There are a number of ways policymakers can get involved, but few have done so as of yet.

When given a choice of policy-based strategies, 67 percent said that making this practice illegal would be very effective. Meanwhile, respondents said that three strategies would be very or moderately effective. They included prohibiting gag clauses and encouraging public reporting and comparisons of vendors and their products (93 percent); requiring stronger demonstrations of product interoperability (92 percent) and national policies defining policies and standards for core aspects of information exchange.

Meanwhile, when it came to reducing information blocking by providers, respondents recommended that CMS roll out stronger incentives for care coordination and risk-based contracts (97 percent) and public reporting or other efforts shining a spotlight on provider business practices (93 providers).

HL7 Releases New FHIR Update

Posted on April 3, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

HL7 has announced the release of a new version of FHIR designed to link it with real-world concepts and players in healthcare, marking the third of five planned updates. It’s also issuing the first release of the US Core Implementation Guide.

FHIR release 3 was produced with the cooperation of hundreds of contributors, and the final product incorporates the input of more than 2,400 suggested changes, according to project director Grahame Grieve. The release is known as STU3 (Standard for Trial Use, release 3).

Key changes to the standard include additional support for clinical quality measures and clinical decision support, as well as broader functionality to cover key clinical workflows.

In addition, the new FHIR version includes incremental improvements and increased maturity of the RESTful API, further development of terminology services and new support for financial management. It also defined an RDF format, as well as how FHIR relates to linked data.

HL7 is already gearing up for the release of FHIR’s next version. It plans to publish the first draft of version 4 for comment in December 2017 and review comments on the draft. It will then have a ballot on the version, in April 2018, and publish the new standard by October 2018.

Among those contributing to the development of FHIR is the Argonaut project, which brings together major US EHR vendors to drive industry adoption of FHIR forward. Grieve calls the project a “particularly important” part of the FHIR community, though it’s hard to tell how far along its vendor members have come with the standard so far.

To date, few EHR vendors have offered concrete support for FHIR, but that’s changing gradually. For example, in early 2016 Cerner released an online sandbox for developers designed to help them interact with its platform. And earlier this month, Epic announced the launch of a new program, helping physician practices to build customized apps using FHIR.

In addition to the vendors, which include athenahealth, Cerner, Epic, MEDITECH and McKesson, several large providers are participating. Beth Israel Deaconess Medical Center, Intermountain Healthcare, the Mayo Clinic and Partners HealthCare System are on board, as well as the SMART team at the Boston Children’s Hospital Informatics Program.

Meanwhile, the progress of developing and improving FHIR will continue.  For release 4 of FHIR, the participants will focus on record-keeping and data exchange for the healthcare process. This will encompass clinical data such as allergies, problems and care plans; diagnostic data such observations, reports and imaging studies; medication functions such as order, dispense and administration; workflow features like task, appointment schedule and referral; and financial data such as claims, accounts and coverage.

Eventually, when release 5 of FHIR becomes available, developers should be able to help clinicians reason about the healthcare process, the organization says.

E-Patient Update: Reducing Your Patients’ Security Anxiety

Posted on March 31, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Even if you’re not a computer-savvy person, these days you can hardly miss the fact that healthcare data is a desirable target for cyber-criminals. After all, over the past few years, healthcare data breaches have been in the news almost every day, with some affecting millions of consumers.

As a result, many patients have become at least a bit afraid of interacting with health data online. Some are afraid that data stored on their doctor or hospital’s server will be compromised, some are afraid to manage their data on their own, and others don’t even know what they’re worried about – but they’re scared to get involved with health data online.

As an e-patient who’s lived online in one form or another since the 80s (anyone remember GEnie or Compuserve?) I’ve probably grown a bit too blasé about security risks. While I guard my online banking password as carefully as anyone else, I don’t tend to worry too much about abstract threats posed by someone who might someday, somehow find my healthcare data among millions of other files.

But I realize that most patients – and providers – take these issues very seriously, and with good reason. Even if HIPAA weren’t the law of the land, providers couldn’t afford to have patients feel like their privacy wasn’t being respected. After all, patients can’t get the highest-quality treatment available if they aren’t comfortable being candid about their health behaviors.

What’s more, no provider wants to have their non-clinical data hacked either. Protecting Social Security numbers, credit card details and other financial data is a critical responsibility, and failing at it could cost patients more than their privacy.

Still, if we manage to intimidate the people we’re trying to help, that can’t be good either. Surely we can protect health data without alienating too many patients.

Striking a balance

I believe it’s important to strike a balance between being serious about security and making it difficult or frightening for patients to engage with their data. While I’m not a security expert, here’s some thoughts on how to strike that balance, from the standpoint of a computer-friendly patient.

  • Don’t overdo things: Following strong security practices is a good idea, but if they’re upsetting or cumbersome they may defeat your larger purposes. I’m reminded of the policy of one of my parents’ providers, who would only provide a new password for their Epic portal if my folks came to the office in person. Wouldn’t a snail mail letter serve, at least if they used registered mail?
  • Use common-sense procedures: By all means, see to it that your patients access their data securely, but work that into your standard registration process and workflow. By the time a patient leaves your office they should have access to everything they need for portal access.
  • Guide patients through changes: In some cases, providers will want to change their security approach, which may mean that patients have to choose a new ID and password or otherwise change their routine. If that’s necessary, send them an email or text message letting them know that these changes are expected. Otherwise they might be worried that the changes represent a threat.
  • Remember patient fears: While practice administrators and IT staff may understand security basics, and why such protections are necessary, patients may not. Bear in mind that if you take a grim tone when discussing security issues, they may be afraid to visit your portal. Keep security explanations professional but pleasant.

Remember your goals

Speaking as a consumer of patient health data, I have to say that many of the health data sites I’ve accessed are a bit tricky to use. (OK, to be honest, many seem to be designed by a committee of 40-something engineers that never saw a gimmicky interface they didn’t like.)

And that isn’t all. Unfortunately, even a highly usable patient data portal or app can become far more difficult to use if necessary security protections are added to the mix. And of course, sometimes that may be how things have to be.

I guess I’m just encouraging providers who read this to remember their long-term goals. Don’t forget that even security measures should be evaluated as part of a patient’s experience, and at least see that they do as little as possible to undercut that experience.

After all, if a girl-geek and e-patient like myself finds the security management aspect of accessing my data to be a bummer, I can only imagine other consumers will just walk away from the keyboard. With any luck, we can find ways to be security-conscious without imposing major barriers to patient engagement.