Fast Healthcare Interoperability Resources, or FHIR, is an interoperability rule that will enable on-demand information exchange of clinical records among providers and data systems. FHIR was created by the Health Level Seven International healthcare standards organization (HL7) specifically for healthcare organizations. The goal of FHIR is to assist practices in delivering more value to patients between appointments, so that they can focus on providing the best possible care to patients in the office. This will, in turn, result in more coordinated, cost-efficient care.

Too often, health systems are distracted by the technical or administrative processes that facilitate interoperability in healthcare. This causes providers to lose sight of their top goal: improving patient care by sharing the best information available at the point of care. By adopting the new healthcare data exchange standard, providers can more efficiently share patient data, payers can drive down costs and improve outcomes, and patients can take greater control of their health.

FHIR builds on previous data format standards like HL7, but it is easier to implement because it uses a modern web-based suite of API technology. FHIR makes it easy to provide healthcare information to healthcare providers and individuals on a wide variety of devices including computers, tablets, and cell phones. It also allows third-party application developers to provide medical applications which can be easily integrated into existing systems. FHIR helps Healthcare IT software providers rapidly create new innovative solutions to improve patient care. Because FHIR is a modern architecture solution and scales well, the next generation of applications can utilize FHIR to bring their solutions to market faster, and with greater impact.

Criterions partners with EMR Direct to help your practice improve patient care. EMR Direct can enable data from Criterions EHR at FHIR endpoints, for access to these resources by users you authorize, leveraging patient portal credentials already in place.

For more information on how to set up FHIR, complete the form below:

On March 6, 2020, the CDC released guidance for Healthcare Providers to prepare for the Coronavirus Disease 2019 (COVID-19). One of the steps listed was to leverage telemedicine technologies.

In February, the Office of Civil Rights released a reminder about HIPAA privacy obligations during the Novel Coronavirus outbreak. Privacy regulations are not set aside during an emergency. HIPPA obligations still apply to healthcare providers while treating patients remotely. Providers may wish to use remote encounters to reduce exposure to their staff and susceptible patients.

How HIPAA May Apply During a Health Emergency

There are three provisions that the Office of Civil Rights highlighted in their February notice that are worth reviewing. The first two require authorization by state law, but the third relies on the discretion of the provider.
In general, reporting about an identifiable patient to the media or to people not involved in the patient’s care may not be done without the patient’s written authorization.

PUBLIC HEALTH AUTHORITIES

HIPAA permits covered entities to provide PHI to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability.

PERSONS AT RISK OF CONTRACTING OR SPREADING DISEASE

HIPAA permits disclosure to persons at risk of contracting or spreading a disease if authorized by state law or if authorized by a public health emergency.

DISCLOSURES TO PREVENT A SERIOUS AND IMMINENT THREAT

Healthcare providers may share patient information with anybody as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or to the public, and consistent with state law and applicable codes of ethical conduct. Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lesson the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety.

Communicating Protected Health Information Through Email or Text is Likely a HIPAA Violation

The HIPAA Conduit Exception allows transmission of PHI if the conduit does not have access PHI nor do they store copies of the data. They simply act as a path which the PHI flows. The Post Office is an example of a conduit with which a Provider would not have to have a Business Associate Agreement.

If a provider sends electronic Protected Health Information (ePHI) to a patient through text or email, the ePHI is not simply transmitted to the patient, it is held by the service provider. The mobile carrier or the email provider is not simply a conduit for the transmission of the data as the ePHI will continue to reside with the provider. For example, the email would reside on the Google inbox or the text message on the Verizon server.

Unless you have the provider of such service under a Business Associate Agreement, communication of PHI using these methods could be interpreted as a violation.

Does HIPAA Allow Video Telemedicine?

The same requirement for patient privacy and confidentiality that apply for a face to face doctor visit apply to visits conducted remotely over video, and the provider’s responsibilities to protect PHI are the same.

Any video software that a provider uses must provide two-way, end to end encryption. Additionally, the software should not record, save or store video unless the provider is (1) under a Business Associate Agreement and (2) the patient has provided consent for the recording of the session.

To qualify under the Conduit Exception, a vendor cannot store, even transiently, the video passed between the provider and the patient. In contrast, a vendor that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.

Some video services now provide automatic transcription services along with the video. If the audio or transcription service is utilized, it may be stored on the vendor’s server in more than a transient fashion and could affect the determination of HIPAA compliance.

Are Additional Consents Required When Utilizing Telemedicine?

It is a mistake to assume that remote communication of PHI is the same as when the communication is between doctor and patient over a video system. The communication is different than the doctor and patient were face to face in a private treatment room. The provider should ensure that the patient is in a private area or has consented to the people around them who may be able to see or hear the examination.

As stated above, any recording of a telemedicine session must have patient consent (and would likely require the vendor to be under a BAA). Furthermore, the provider should take sufficient steps to confirm the identity of the patient before starting any telemedicine consultation. Finally, informed consent for telemedicine could be a legal requirement in your state or could be a prerequisite or condition of getting payment from the payer. Some states require verbal consent and some require written consent, so be sure to check your local requirements.

Ensure That the Video Provider Qualifies as a Conduit or the Relationship is HIPAA Approved

If you are using a video program with a vendor that you do not have a BAA with, you are using it at risk of a HIPAA violation.

There have been significant penalties levied against providers who have mischaracterized a vendor as a conduit rather than a Business Associate. These violations can arise when the vendor stores PHI on their cloud environment and doesn’t simply provide the end to end communication.

There is debate as to whether applications such as Skype or Facetime are HIPAA complaint, and providers use them at their own risk.

Some providers have HIPAA complaint versions of their service that providers can sign up for, such as Zoom and Microsoft offers a telehealth program on its Azure platform and on March 9, 2020 announced a telehealth program based on its Teams platform.

There are several other commercial options that are specifically designed to be HIPAA compliant with vendors that are willing to enter into a BAA.

If you have any questions about what you have read here, please contact the Criterions team:

Sources:

• https://www.cdc.gov/coronavirus/2019-ncov/healthcare-facilities/steps-to-prepare.html
• https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf