by Will Carlson
Product Manager, GCP
The first week in December, Healthcare IT News and multiple other publications carried an announcement by Google Cloud that its Healthcare Interoperability Readiness Program could help healthcare organizations prepare for and address the ONC’s Final Rule in the 21st Century Cures Act. The Cures Act seeks to end information blocking and boost interoperability within patient data architectures. The longstanding issue of information blocking – whether intentional or not – has kept patient data siloed inside provider and payer systems. The Rule aims to promote innovation in the healthcare technology ecosystem.
But, as Mike Miliard reports in the article above, healthcare organizations are not ready for the looming performance deadline on the Act. So, Google has offered up its program to help them prepare.
What the 21st Century Cures Act Final Rule Act Means to Patients
The ONC Final Rule implements the interoperability requirements outlined in the 21st Century Cures Act. The ONC states that healthcare organizations successfully addressing the rules of the Act will deliver:
- Transparency into the cost and outcomes of their care
- Competitive options in getting medical care
- Modern smartphone apps to provide them with convenient access to their records
- An app economy that provides patients, physicians, hospitals, payers, and employers with innovation and choice
As CMS Administrator Seema Verma put it: “For the American public as a whole, the Final Rule promotes innovation in the health care technology ecosystem to deliver better information, more conveniently, to patients and clinicians. It also promotes transparency, using modern computers, smartphones, and software to provide opportunities for the American public to regain visibility in the services, quality, and costs of health care. These rules begin a new chapter by requiring insurance plans to share health data with their patients in a format suitable for their phones or other device of their choice.”
Finally, ONC’s final rule establishes secure, standards-based application programming interface (API) requirements to support a patient’s access and control of his or her electronic health information. APIs are the foundation of smartphone applications (apps). As a result of this rule, patients will be able to securely and easily obtain and use their electronic health information from their provider’s medical record for free, using the smartphone app of their choice.
With the recently announced extension to comply, healthcare organizations have until October to figure this out.
How We Get There
The short answer is this: we implement what is required in the Cures Act and align patient information with the USCDI – the U.S. Core Data for Interoperability. The USCDI is a standardized set of health data classes and data elements that are essential for nationwide, interoperable health information exchange.
Cloud Tools and Google’s Cloud Healthcare API
The Google Cloud Healthcare Interoperability Readiness Program says it is ready to help healthcare organization prepare for Cures Act compliance by working with cloud tools such as the Google Cloud Healthcare API. The Cloud Healthcare API can take information stored in traditional databases, consume those datastores, and easily map them to FHIR.
If you haven’t been talking about and interacting with FHIR, you probably will be soon. FHIR stands for Fast Healthcare Interoperability Resources and is a standard for data formats and elements in the application programming interface or API. Built upon previous data formats, including HL7, FHIR defines how healthcare information can be exchanged and stored between different computer systems.
Google provides FHIR store as part of the Cloud Healthcare API service. This is an important step in being able to create an API or application that is able to provide patient health information back to patients themselves.
There are already open-source projects aimed at helping organizations covered under the Cures Act by providing pre-built API’s. One such project is SMART. From their website: “SMART Health IT was launched with a New England Journal of Medicine article proposing a universal API (application programming interface) to transform EHRs into platforms for substitutable iPhone-like apps. With federal investment, SMART on FHIR API was developed as an open, free and standards-based API. Innovators use it to write an app once and have it run anywhere in the healthcare system.”
Loading Patient Data in the Cloud
No matter how far along you are in your cloud journey, moving the required patient data to the cloud is an important first step in utilizing a service like the Cloud Healthcare API. If just moving the data required by the Cures Act is your only goal, a strategy of moving required patient health information on a routine basis is crucial.
A cloud service that can help with this strategy is Google’s Storage Transfer Service which can connect to on-premise databases or storage locations, and transfer that data to modern, Google cloud-based services like Cloud Storage or BigQuery. Those services offer native integration and tooling with the Cloud Healthcare API.
Compliance of Patient Data
But beyond the excitement around all of the options these emerging cloud technologies offer is a concern central to the work going on 24/7 at ClearDATA: security and compliance of patient data.
If you have traditionally dealt with PHI on premise, it’s understandable that adhering to new regulatory requirements that seem to dictate making PHI easier to access over the public cloud can cause some compliance anxiety. We often see customers confused about the difference in HIPAA-eligible services offered by the public clouds, and what needs to be done to configure them to meet HIPAA compliance standards, as well as what technical controls need to be automated to help them stay compliant. We help with that via ClearDATA Comply™ software. But beyond the software is our approach to deeply understanding each customer use case and what they will need to do in the cloud. In addition to the software and available services, we negotiate our Business Associate Agreement to provide greater ‘shared responsibility’ than what our customers have been able to get direct from the cloud platforms, and we work with each customer individually to map and document their compliance needs.
Figure 1: Dashboard display of ClearDATA Comply with Managed Services for Google Cloud
Automating Safeguards for Improved Compliance
ClearDATA reviews each cloud service and all of the configuration options available on those cloud services, then maps those configuration options to compliance requirements. After that, a detailed compliance document is created, which is the foundation for all other products and services provided to ClearDATA customers. From that document, ClearDATA determines which automated safeguards – ClearDATA automation which analyzes and remediates compliance policy - are necessary to develop for that specific service. For an overview of ClearDATA automated safeguards, access this 90 second video.
ClearDATA also continually monitors the many new cloud services and updates being issued each month (hundreds across all three public clouds) to see if the customer’s configuration is still the best one. If any updates are necessary, the document is revised for the new compliance policy and development begins work on any new automated safeguards needed.
ClearDATA then shares those documents with its customers as a way of pointing out all of the compliance requirements for a given service like the Cloud Healthcare API, and then lists out who is responsible for what compliance item in that service. Typically, all configuration options are the responsibility of the entity utilizing the service; but as referenced earlier, ClearDATA can often assume responsibility through an enhanced shared responsibility model supported by products like Comply and services provided through our Managed Services offering.
Figure 2: Activity Report of ClearDATA Comply with Managed Services for Google Cloud
Ongoing Continuous Compliance Mapping and Monitoring
It’s important to understand that building your own compliance mapping, monitoring that compliance mapping for new cloud updates, publishing compliance documents, and then testing the compliance of your cloud environment is something you want to do in house or use a company like ClearDATA for—because one way or another, compliance and security need to happen continuously. Along with the compliance documentation, ClearDATA monitors, remediates and enforces compliance policies created through automated safeguards.
For example, if the only service you desire to use is the Cloud Healthcare API, there are a number of GCP service-level and project-level compliance considerations.
At the project level, ClearDATA enforces system and audit logging which currently applies to audit logs for 80 services to meet audit logging requirements from several standards and certifications. Project liens are enforced to protect any Cloud Healthcare API dataset backups. Finally, evaluation of policies for hardened images occurs, ensuring the use of compliance approved images and automatic IAM grants which prevent broad scope access of service accounts.
At the service level for the Cloud Healthcare API, to meet the PHI at rest backup requirement, secure backups are created for any HL7 or FHIR dataset. Along with project audit log enforcement, this creates a compliant environment for use with PHI. ClearDATA makes this backup and enforces the logging.
Of course, you may need to store results from the Cloud Healthcare API somewhere to make them useful, and ClearDATA protects those storage services as well. For example, in Cloud Storage, automated safeguards enforce the removal of any public access bucket (huge compliance concern), enforce versioning (PHI at rest backup requirement), and enforce a deeper level of audit logging to meet the audit logging requirement.
ClearDATA also offers automated safeguards for other data services such as BigQuery, CloudSQL, Spanner, and Firestore.
For a comprehensive list of services and controls ClearDATA provides automated safeguards for, contact us today!