stnazkul - stock.adobe.com

3 Health IT Standards Driving Healthcare Interoperability in the US

Direct, FHIR, and cloud fax help healthcare organizations share information and are paving the path to semantic interoperability.

A lack of widespread interoperability remains a sticking point for robust health data exchange. Looming federal regulations should help motivate the healthcare industry to adopt flexible and scalable solutions for information sharing and eliminate business practices that promote information blocking.

Today, a hodgepodge of health IT standards for exchanging data enables the movement of sensitive information between healthcare organizations. None has gained sufficient traction to advance healthcare interoperability on a massive scale. Even still, a one-size-fits-all approach is the most unlikely solution for an industry that is complex, highly-regulated, and slow to change.

That being said, several candidates for enabling electronic health data exchange have emerged from the pack: Direct, Fast Healthcare Interoperability Resources, and cloud fax. Here is an overview of each and their potential to eliminate paper-based workflows for sharing information.

DIRECT

The Direct standard has a relatively long history in the healthcare industry’s move to support electronic data sharing. Development on the standard began in 2010 by a public-private collaboration known as the Direct Project with the backing of the Office of the National Coordinator for Health Information Technology, which oversees health IT certification on the federal level. A year later, the collaboration published the first standard, with subsequent updates coming in 2012 and 2015 to the applicability statement for secure health transport.

DirectTrust, the non-profit that oversees the use of the Direct protocol to promote “secure, interoperable health information exchange” has detailed the simplicity of the standard:

Direct is essentially email, but with some important key differences.  Instead of the email (SMTP) server being maintained for the addressees/subscribers by an employer or by an email provider like Google or Yahoo, an agent known as a Health Internet Service Provider, HISP, handles the email exchanges.  The HISP also carries out the encryption/decryption and digital signing of each message and attachment, shown here as the Security/Trust Agent box within each HISP.

The use of Direct has grown considerably over the years. In November, DirectTrust announced that 197 million messages were sent and received within its network during the third quarter of 2019, a threefold increase over the previous year's quarter. The successful third quarter put the total number of Direct exchange transactions over 1.2 billion, an average of 68 million per month in 2019.

Use cases range from bidirectional referrals, automated patient summaries for ED visits, automated push event notifications for admissions, discharges, and transfers (ADT), and bidirectional patient messages.

In April 2019, DirectTrust furthered its efforts to develop health data exchange standards using Direct exchange and trust frameworks by earning accreditation from the American National Standards Institute (ANSI). Achieving ANSI accreditation will help DirectTrust advance its mission to connect healthcare organizations, providers, and patients for improved transitions of care, clinical efficiency, and care coordination.

The following month, the non-profit unveiled plans to develop health data standards for instant messaging. The Trusted Instant Messaging+ (TIM+) standard will be used to enable real-time health data exchange and communication in a secure manner between trusted entities.

Despite the increase in transactions, the Direct standard still faces barriers to adoption. The most salient is the lack of education about the technology, costs, and technical difficulties handling certain types of messages. Additionally, participating providers must have Direct addresses to receive messages and known their recipients' addresses to share information with the latter, addresses that are frequently hard to find. Provider preference for electronic faxing is also an impediment to adoption.

FHIR

Given all the talk in business and mainstream press, Fast Healthcare Interoperability Resources (FHIR) is the most well-known health IT standard in the market, built off of previous HL7 clinical and administrative data standards — v2, v3, and CDA [clinical document architecture].

FHIR is a specification for exchanging clinical and administrative healthcare data, based on REST and OAuth. Simply put, FHIR uses internet standards (XML, JSON, HTTP, Atom, OAuth, etc.) to connect end users with sources of data in a secure way.

FHIR messaging mirrors that of HL7 v2, the organization’s first information exchange standard. Unlike its predecessor, it supports a multitude of transfer mechanisms, such as HTTP-based transfer and the HL7 minimal lower layer protocol (MLLP).  The latter is the preferred standard for exchanging HL7 messages via TCP/IP, with a wrapping protocol required to signal the start and end of each message.

FHIR’s versatility is its strength.

“FHIR solutions are built from a set of modular components called ‘Resources,’” writes HL7. “These resources can easily be assembled into working systems that solve real world clinical and administrative problems at a fraction of the price of existing alternatives. FHIR is suitable for use in a wide variety of contexts – mobile phone apps, cloud communications, EHR-based data sharing, server communication in large institutional healthcare providers, and much more.”

Developed and maintained by Health Level Seven International, HL7, the earliest version first appeared in 2014 — DSTU 1. The next official release came the following year with the publishing of DSTU 2. And after several years of development and balloting came FHIR Release 3 and 4 in 2019.

According to ONC in late 2018, 32% of the health IT developers certified that their solutions were using FHIR, specifically FHIR Release 2. Slightly more than half (51%) appeared to be using a version of FHIR combined with OAuth 2.0. However, further analysis revealed that 82 percent of hospitals and 64 percent of physicians used FHIR-enabled products from this third of health IT developers.

Further ONC analysis of Medicare providers specifically found that 87 percent of hospitals and 69 percent of clinicians were using products certified to be using FHIR. When restricted to FHIR Release 2, hospitals remained the same whereas clinicians dropped to 57 percent. ONC officials, however, were quick to downplay the appearance of widespread FHIR use, emphasizing the difference between development and implementation.

Use cases for FHIR are myriad, truly depending on the unique goals developers and providers are seeking to achieve. But three are well acknowledged.

First, FHIR-enabled systems can support the aggregation of data into a personal health record (PHR) so that patients can access their medical records through a portal or other applications. Second, the FHIR standard supports document sharing (XDS) via a federated system of repositories. The third is the integration of clinical decision support tools into the provider's EHR system (e.g., drug-drug interaction, prescription safety checks, patient surveillance).

While enthusiasm for FHIR is high, the health IT standard is not without its drawbacks. Until federal regulations for interoperability and information sharing are final, no mandate exists specifying which FHIR version stakeholders ought to use. Variability in the choice of standard and its implementation could hinder rather than bolster data sharing by increasing confusion. With new FHIR versions in development and emerging, the speed of uptake will determine the agility of the protocol to improve data access and exchange.

What’s more, EHR developers have placed restrictions on the use of FHIR, making them read-only.

“Physicians using EHRs are understandably skeptical about importing outside clinical data into the EHR without validation. This substantially reduces the power of an application ecosystem of medical apps powered by FHIR, when no app can create an order or trigger a workflow within the EHR. Consequently, the pace of FHIR adoption will be slowed due to more limited use cases,” wrote John D’Amore in Medical Economics.

Cloud Fax

Today, healthcare’s most interoperable communication protocol available remains faxing, but it’s a new and improved form of faxing that’s enabling data exchange.

According to one estimate, 75 percent of all medical communication occurred via the fax. Faxing, likewise, is an enabler of provider-payer communication for prior authorizations. Findings from an  American Medical Association survey found that a majority of physicians use the phone and fax as the primary method for completing prior authorizations. Previous data from IDC also found that fax usage is on the rise year over year, with more organizations moving to cloud fax and seeking opportunities for integration with other technologies.

Physical fax machines allow for unauthorized access to sensitive health information, such as the ability to view built-in message stores or transmit information to the incorrect recipient either deliberately or accidentally. In its place has emerged cloud faxing technology, which can help covered entities and their business partners maintain HIPAA compliance.

Cloud fax services rely on internet protocols to send and receive faxes. The typical cloud fax technology enables users to send email messages with attachments to other fax services, digital and physical. These cloud-based services are hosted onsite in a private cloud or offsite in a fully-hosted environment, with hybrid models also available.

Leading cloud fax technologies also include added layers of security to maintain compliance with health data security and privacy laws and regulations:

Transmission security: Encryption using Transport Layer Security (TLS) encryption over the deprecated Single Sockets Layer (SSL) maintains HIPAA-compliant transmission security for data in motion.

Data encryption: Alongside the use of TLS encryption protocols, certified cloud faxing technologies use Advanced Encryption Standard (AES) of at least 128-bit, though some products have exceeded that level by including 256-bit encryption for added protection for incoming faxes and data at rest.

Access control: Certified cloud faxing technologies require the use of unique IDs, administrative privileges, and AES encryption (as well as other protocols) to limit ePHI access to authorized personnel only.

Audit control: HIPAA technical safeguards stipulate that covered entities and business associates have in place technical policies and procedures to manage authorized access to individuals and software programs. Top-of-the-line cloud faxing solutions offer multiple levels of audit control (e.g., secure archiving, transmission tracking) that allow providers and other stakeholders to adhere to HIPAA. And HITRUST CFS Certification is the gold standard for ensuring compliance to nationally and internationally accepted standards, including ISO, NIST, and PCI in addition to HITECH and HIPAA.

As for use cases, cloud fax enables any instance of information sharing currently needed by the healthcare industry — referrals, transitions of care, prior authorizations, to name a few.

What remains an obstacle to further adoption is a lack of awareness about cloud faxing as compared to traditional faxing and government efforts to eliminate the fax as a mode of health data exchange despite its integral role in enabling medical communication today. Additionally, the integration of data shared via fax with other technologies stands in the way of the technology, gaining a more significant foothold among healthcare organizations.

Achieving widespread interoperability will require not one, but a combination of health IT standards and technologies. Any attempt to advance health data exchange and prevent information blocking must first take into the mechanisms enabling access to and sharing of health information. At the end of the day, what is most important is allowing stakeholders access to timely and rich data to make impactful decisions for patients.

______________________________________________________________

About J2 Global:

eFax Corporate® recently became the first major Cloud Fax provider to achieve HITRUST CSF® Certification. With eFax Corporate, faxes can be securely sent and received by email, from any desktop, tablet, smartphone or from within EHRs via APIs – helping organizations boost productivity, enhance regulatory compliance and eliminate on-site fax hardware.

Dig Deeper on Cybersecurity strategies