PHI Data Security During EHR Integration Planning

Proper Planning Protects EMR-EHR

When dealing with PHI data transfer during EMR-EHR integration, the most typical scenarios involve interacting with medical portals, pharmacy eCommerce sales portals, and other similar applications. These systems can provide a master record for a patient and the interactions of the medical organization with the patient. 

Whenever EMR integration solutions are being performed, a company such as Clarity Ventures is going to break it down into several different subcategories. When interacting with the data itself, there needs to be a workflow or a decision tree for what steps in the process trigger the data to be updated in the master record. In other words, we need to update the data accurately and don't want to update from disparate systems. We only want to update the data that has an authoritative set of information, and there needs to be a process to follow to make these decisions and map out which of the disparate systems are going to update the data. During integration, the developers are often going to be implementing multiple external systems; it’s vital that the master records have authority. 

The second thing that we're going to typically look at is we're going to take a look at the physical infrastructure and the security. It’s important to make sure that we're interacting with the system in as limited of a fashion as possible, all while including layers of security before the data actually makes it back to the EMR-EHR system and before the data is available to an external system. In other words, we need to look at the security steps and the flow of data, as well as how that data is secured in transit and through multiple failovers that will ensure that the system is redundantly secure within the medical portal. 

In addition, it's very important to ensure persistence, queuing, scalability, and the ability to have intelligent business logic so that, if there are any outages of the internal system while we're working to push data back to it, that the data can be queued and persisted until the internal system is back online. It's also important that any outages on the external system don't cause it to miss data updates from the master record for that particular end-user. We need to manage for any outages on either end and business logic to handle when these systems come back online. This can be for simple things like maintenance and patching of the HIPAA compliant website and/or portal, where there may be an outage that's planned. 

Another important aspect of an integration that many organizations don't plan for is getting a solid testing environment — a “sandbox” — in place and being able to set up a stable environment that is also very secure. This digital space is an important place to replicate and simulate what the production environment is like.  

This is very important for testing to make sure that it matches HIPAA website compliance before the site launches and that data is managed regarding that medical portal security, then we have to actually test the system. If we're going to be doing extensive testing, we need to attempt to breach the system and we need to attempt to get through different security aspects with White Hat hacking. Everything should be tested and patched as necessary. Having a proper test environment that's truly mirroring the production environment as much as possible is key to maintaining HIPAA security best practices. 

Another key aspect is the ongoing updates and changes that occur with EHR-EMR integration solutions, and the fact that they will need to be updated and modified. Fields may change, covered entities may change the versions of the software, or protocols for the APIs and integrations may change. Because of these changes, we need to take this into account during and after development so that we can ensure that there is a seamless process for handling alterations. Although most of this is going to boil down to communication and coordination before updates are pushed, pre-planned processes and principles applied can make these changes much easier to handle. These are standard things that have to happen to operate the organization and keep things moving, but there are ways that we can implement these that make it very productive and don't cause major issues. 

Maintaining Existing Business Logic

During EHR integration with medical data internal systems — including pharmacy apps, medical equipment warehouse management, EMR-EHR data, or any PHI data — it’s important to set up a decision tree that accommodates each company’s business logic and mappings to ensure secure integration that meets HIPAA security best practices. This means that the established business logic doesn’t have to be abandoned to establish and upgrade HIPAA security. 

This starts in the discovery process. The discovery is completed up front before the actual development begins. A comparative way to think of this is building a house: Spend as much time as you can with the architect before the builders start construction. If you work with a team like Clarity, you’ll find that there are many good questions we ask — based on our past experience and issues we've dealt with — to avoid problems down the road. In fact, we have processes in place with worksheets and guides that we can share with you and your team to complete on your own. Timeline and budget can be impacted if these early steps aren’t performed. 

Planning for the Future

During EHR integration, Clarity asks questions about the standard workflow for key processes that are ingrained and vital to your business. We also want to hear about any future projects that might be considered for the future so that we can lay the foundation for them so that we don't have to tear up the foundation the next time. In other words, building a strong foundation now can make it easier to add additional stories to the house in the future. It's the same thing with software: Whenever we're going through the discovery questions, we want to understand where your team believes the application may end up. 

Hospitals are already aware of this idea in the physical realm. In most cases, a hospital campus will purchase more land than they currently need in hopes of future expansion. Some aspects of the future expansion — clearing land, installing storm drains — may be done years before the actual building goes up. Similar preparations can be made during EMR EHR integration services. 

Whenever we're completing the discovery process, Clarity will look at the specific fields that need to be mapped from external systems to internal systems. We’ll forensically audit everything that your team is expecting to complete these integrations; this is going to help us to map everything and plan in advance.  

The discovery process can be made easier by involving your entire team when filling out the questionnaires mentioned above, which we’ll incorporate into the plans to make sure necessary information is included. We don’t like to rush the process, but you also don’t want to get in an “analysis paralysis” loop either. Getting even the basics in place can dramatically improve the outcome of the project. We’ve completed so many projects that we can often find that happy medium that allows the project to start while less important needs are still being collected. 

Get Started with Clarity

Planning is important for any project, but it’s vital to make sure that HIPAA data is protected. Whether you need a medical portal or HIPAA compliant website design, Clarity offers EMR and HIPAA compliance that will protect your PHI data.  

If you are in need of a EMR integration solutions, make sure to choose a company that has extensive experience. Contact us today to see what we can do for you.