Helping patients protect their electronic health information

Oracle Health | February 28, 2023

As our industry continues to move toward more people-focused care, we’re driven to improve patient engagement and enhance outcomes to create a better healthcare experience for everyone. By making it more convenient for people to access their health data wherever and whenever they need it, we can help empower individuals and clinicians to make better health and well-being decisions.

“We imagine a world where individuals are empowered and have their healthcare data at their fingertips,” says Rob Helton, vice president of platform development, Oracle Health. “They have ownership of their data and are able to review and add to it. They can choose to share it, and who it gets shared to. We believe by putting patients in control of their data, they’ll become active participants in managing their health.”

The US federal government is continuing its push to place patients at the center of their own care, including ensuring patients have access to all of their electronic health information (EHI). The 21st Century Cures Act Information Blocking Rule, among other things, ensures patients have electronic access to their EHI in the manner the patient chooses, a right originating in HIPAA’s individual right of access.

Additionally, the federal government is setting minimum standards for health IT (HIT) that chooses to participate in the HIT certification program under the Office of the National Coordinator for HIT. While most healthcare organizations are striving to comply, some struggle to stay on top of the extra work needed to reach the full potential of interoperability. Luckily, technology can help streamline the process, reducing the regulatory burden on providers and making it easier for people to securely access their data.

Automating patient health data access

Historically, for a patient to use a health app of their choosing, a health system would have to review and approve the health app beforehand. However, with Oracle Health’s newly released functionality, called consumer automatic provision, this process is streamlined, giving patients easier access to their health data.

Consumer automatic provision allows consumer-facing health apps to be immediately provisioned for FHIR API endpoints upon registration. From there, health data stored within the electronic health record (EHR) system can be retrieved by the app upon explicit authorization from the patient or their authorized representative. Patients maintain full control over authorizing an app to access any of their EHI or only certain data types.

Advancing meaningful health insights and maintaining regulatory compliance

When people can use apps on their smartphones to measure and record critical information like physical activity, weight, sleep, heartbeat, and blood sugar level or track their medicine to ensure they don’t miss a dose, they can make better decisions about their health.

In addition to the clinical benefits, the consumer automatic provision aligns with several regulatory requirements that impact healthcare providers, including rules regarding the Medicare Promoting Interoperability program, health IT certification, HIPAA privacy, and information blocking and sharing.

The bottom line of these regulations is that patients have the right to access their information electronically for any purpose they may choose, and that right should be facilitated by health IT developers and healthcare providers. Automatic provisioning of successfully registered consumer apps for your FHIR API endpoint helps patients access health information through any app of their choice in a timely fashion without any additional action by your organization.

Protecting patient health data

Protections are built into the FHIR APIs to help keep health data private and secure, but there are potential risks involved with authorizing the disclosure of EHI to a third-party app. While these risks are largely mitigated by protections built into the API connections and access, we all have a responsibility to help educate patients on how to keep their data safe. Although the constraints and protections that Oracle Health can put in place under the 21st Century Cures Act regulations are limited, here are the actions we’re taking to further protect consumer privacy and make the health app ecosystem more reliable and secure for consumers.

  • Employing industry-standard privacy and security protections as a built-in feature of the APIs
  • Developing enhancements to provide consumers with details of an app’s posture in relation to certain security-related best practices as part of the authorization user interface
  • Instructing developers connected with Oracle Health APIs to align with the industry best practices communicated by the CARIN Alliance for the safe and ethical handling of EHI
  • Implementing patient-directed scope selection and redaction in the consumer app authorization workflow

The CARIN Alliance provides useful tips for consumers, including:

  • Only download from trusted app stores
  • Always review app privacy terms and conditions
  • Know the app developer
  • Find out if the app is sharing or selling your data
  • Use strong and unique credentials

View the full list of recommendations.

Streamlining patients’ ability to access personal health data through an app of their choice is an important part of prioritizing the human experience in healthcare. Consumer automatic provision is one step of several that we’re taking to help patients control their own health and care, enhance clinical decision-making, and improve regulatory compliance for greater interoperability.

For more information, check out our resources on information blocking.
