Setting a course for the 'next frontier' of cloud-based patient access

May 7, 2019 |  Transformative Technology

cloud-based patient access

In part one of this blog, Howard described the capabilities of cloud infrastructure, the potential it holds for health IT developers, health providers, and patients, and the ability it gives doctors to “re-tether” to their patients using this evolving technology. Today, Howard discusses how cloud infrastructure is being used to give patients access to their health information.

The potential of the cloud isn’t a futuristic concept out of Star Trek — it’s happening right now, in hospitals and clinics, oncology centers, and mental health facilities.

In fact, some hospitals already look somewhat like a medical ward aboard the Enterprise, with providers carrying tablets to review a patient’s care plan; scan medications before administering them; order follow-up tests and prescriptions; and show lab results, x-rays, and other diagnostic information to patients and their caregivers.

If modern EHR technology is to take full advantage of the mobility and efficiency offered by the cloud, it must address two further priorities: Providing greater access to patient data, and keeping that health information secure.

Access and openness

Reflecting the government’s intent to enshrine interoperability within the healthcare industry, new rules proposed by the Office of the National Coordinator for Health Information Technology (ONC) aim to give patients more access and control to their health data.

And while CMS already has a system in place to encourage hospitals to give patients electronic access to their health information, the new proposal adds government managed healthcare programs to those that are required to eliminate information blocking by 2020.

Put simply, the new rule says that patients must have direct, immediate access to their electronic health information (EHI), using nearly any device, at no charge.

This is a major shift in how patient records are handled; historically, hospital IT departments were responsible for protecting and securing the patient’s data, since that information was kept on hospital computers, and could set their own procedures (and cost structures) for providing EHI to patients.

For health IT vendors, that means we’re required to share patient data with any authorized applications that access the EHR; the method for providing this access is built upon application programming interfaces (APIs).

MEDITECH has already created an API environment called Greenfield that’s a virtual sandbox for testing new apps to work with our Expanse solution. By offering access to test patient data and all of the application interfaces that mirror what our Expanse customers already have, developers can code their applications to directly integrate with the platform.

Our goal with RESTful APIs is to place a layer of security between our EHR database and the client that allows access to the programming infrastructure and database in a way that conforms to industry standards and promotes interoperability.

In addition, by meeting FHIR (Fast Healthcare Interoperability Resources) standards, the APIs developed within Greenfield also satisfy another part of the new rule that would formally adopt FHIR as the government’s approved criteria for certifying new apps.

I’m proud to say that MEDITECH is already ahead of this government initiative; following the invention of FHIR in the early 2010s, I pushed our developers to start working within that framework, and we were the first EHR vendor to go live with FHIR within the CommonWell Health Alliance® interoperability exchange.

This latest ONC proposal confirms that we made the right call, starting nearly a decade ago and continuing through our current efforts to build on everything that is happening in the FHIR world and work with Argonaut to add content.

Having healthcare data follow the patient wherever they go, regardless of the provider’s EHR system, is within reach — and developments like the formal adoption of FHIR are one step closer to giving patients the same type of seamless interaction with their health records as they have with bank accounts, airline ticket vendors, and ride hailing services.

In comparison with these established app-based transactions, health IT is still unlocking the potential for true digital interaction with health data, and lacking some of the elements — like a common user interface — that other industries already have in place.

Within the next year, a set of new FHIR standards are expected for scheduling and questionnaire APIs, which introduces the challenge of determining how EHRs accept data from external applications; this poses the additional complexity of reading the data into EHRs from these third-party apps.

But these aren’t reasons to slow adoption of the new FHIR standards, just reminders that we must proceed with care. If we do, we can make the kinds of improvements clinicians need right now: Ones that make getting data in and getting data out of our EHRs more efficient.

After all, how can we expect providers to effectively manage entire populations of patients, when we still have room to improve the individual patient encounter?

Data security

One of the questions raised by the new ONC proposal is how to ensure the integrity of patient data and protect it from threats like ransomware and hacking until it is handed to the patient — and, further, how to keep it safe once it leaves the EHR.

So far, the answer has been driven by industry and government regulations like HIPAA: Multiple layers of security are built into the systems that collect, transmit, and store patient data, with those systems following standards that have been agreed upon by health IT vendors and developers, and aligned with government rules and objectives.

For example, the major players in the “public cloud” — Google, Microsoft, Amazon, and others — employ hundreds of staffers dedicated to maintain the security infrastructure behind it, running state-of-the-art server tools that support early detection and response to potential threats. On a smaller level, IT vendors who provide “private cloud” services — such as an EHR for a hospital — also build security and data protection into their systems.

These layers of security mean that health information stays in a safe environment, and that patients can be confident in the integrity of the cloud to protect their data.

It remains an open question how that information can be protected once the patient has their information, since the proposed rule says, basically, that they can do what they want with it.

While ONC’s new proposed rule sets standards for how APIs use health data, it is silent on how to secure patient information outside of the EHR environment; this may be another opportunity for the IT industry to lead, in this case developing robust cybersecurity policies that would govern patient data.

At MEDITECH, we continue to develop new solutions that connect providers and patients in a secure, cloud-based environment and enhance our existing products. We’re investing in technology that allows our customers to develop their own API solutions using Greenfield, while also creating those solutions ourselves.

Posing potential hurdles to API development is the lack of a universal patient identifier to track all of a patient’s data in the various places where it’s stored, and the question of whether and how patients will be responsible for updating their own records.

However these questions in health IT are resolved, we remain committed to keeping patient information secure and raising the standards for storing and sharing that data, to meet or exceed the guidelines set down by the government.

Ultimately, I see that as the goal within our industry — to “boldly go” forward to further opening lines of communication between providers and patients; improving patient ownership of their health data; and supporting new technological developments.

That means driving innovation and delivering the next generation of healthcare solutions, leveraging cloud tech and the promise it holds to provide modern architecture; support mobile technology; enable access and openness; and ensure security for health data.

I look forward to continuing to explore this new frontier!


Read how MEDITECH customers leverage our solutions for better patient outcomes.

View The Innovators Booklet Online

Written by Howard Messing, CEO, MEDITECH

Howard Messing joined MEDITECH as a programmer in 1974 and soon after, decided to make healthcare technology his life’s work. CEO since 2010, Mr. Messing brings four decades of experience in electronic health records to the helm; he has served on MEDITECH's Board of Directors since 2011 and works closely with the Board to guide the company's policies, business, and product direction. Before his promotion to CEO, Mr. Messing was President and Chief Operating Officer, a position he held for almost eight years and for which he was unanimously appointed by the Board of Trustees. Throughout his presidency, Mr. Messing has overseen MEDITECH’s steady growth, while maintaining the company’s uniquely supportive, family-oriented culture for which it is known.