API Proxy to provide a more secure, role-based access to EHR Patient data

Fel Bautista

"More providers (health systems) are realizing the potential impact modern APIs have on bottom lines, both in patient care and in profit. In a 2014 HIMSS Analytics Survey, 83% of healthcare providers reported using cloud services. HL7's decision to develop FHIR, along with Meaningful Use Stage 3 API requirements, has solidified the hype and marked APIs as essential for a provider.

Currently for Meaningful Use Stage 3, providers will have to certify an open, patient-facing, read-only API with a deployed CEHRT (certified EHR). The ONC (Office of the National Coordinator for Health Information Technology) has made it clear that supporting the patient API is the provider’s responsibility.

API Meaningful Use Stage 3 requirements:

  • APIs must allow patient access to data categories found in CCDs (electronic summary of care document) using the application of their choice.
  • Information must be returned meaningfully, using required data standards in computable format.
  • APIs must be open and transparent, and publish access instructions, documentation, and terms of use online and on the ONC website.
  • The ONC has not yet set standards and security measures, but has indicated it intends to require FHIR and OAUTH2.
  • Requirements for APIs are mostly read access." *

The Health Stack project at UCSF CDHI is deployed using an API Proxy Platform that serves up secure, role-based, interoperable access to data from EPIC's APIs while adhering to FHIR, OAUTH2 and SMART-on-FHIR guidelines. This session will provide a walk-through of the design and implementation, and demonstrate live-code usage of Patient API access. Differences among user roles of trusted and untrusted applications calling into these APIs will also be discussed.

*Corepoint Health reference
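The role-based check such a proxy has to make before forwarding a request to the EHR, as an added illustration that is not the Health Stack project's own code: it parses SMART-on-FHIR (v1) clinical scopes from an OAUTH2 token, binds `patient/` scopes to the patient the token was issued for, and applies an assumed policy that untrusted (public, patient-facing) apps get read-only access and may not use `user/` scopes. The `authorize` function, its parameters and the policy are assumptions for this example.

```python
import re
from dataclasses import dataclass

# SMART on FHIR v1 clinical scope: "<context>/<ResourceType or *>.<read|write|*>"
SCOPE_RE = re.compile(r"^(patient|user)/([A-Z][A-Za-z]+|\*)\.(read|write|\*)$")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_scopes(scope_str):
    """Return (context, resource, access) for each clinical scope; ignores openid/launch/etc."""
    grants = []
    for token in scope_str.split():
        m = SCOPE_RE.match(token)
        if m:
            grants.append(m.groups())
    return grants


def authorize(scope_str, method, resource_type, requested_patient,
              token_patient, trusted_app=False):
    """Decide whether the proxy may forward this FHIR request (assumed policy, not Epic's)."""
    access_needed = "read" if method in ("GET", "HEAD") else "write"
    # Untrusted (patient-facing) apps are read-only, matching the MU Stage 3 read-only API
    if access_needed == "write" and not trusted_app:
        return Decision(False, "write denied: untrusted apps are read-only")
    for context, res, access in parse_scopes(scope_str):
        if res not in ("*", resource_type) or access not in ("*", access_needed):
            continue
        if context == "patient":
            # patient context is bound to the patient chosen at authorization time
            if token_patient is not None and requested_patient == token_patient:
                return Decision(True, f"patient/{res}.{access}")
            continue  # wrong patient: keep looking, a trusted app may hold a user/ scope
        if context == "user" and trusted_app:
            # clinician-role scope; only honored for trusted (confidential) apps in this policy
            return Decision(True, f"user/{res}.{access}")
    return Decision(False, "no matching scope for this role, resource and patient")
```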


Previous Knowledge

EPIC Interconnect/FHIR APIs

OAUTH2

FHIR

SMART-on-FHIR

Software Installation Expectation

None.