When Prolifics engineers first learned about HL7’s FHIR standards, in response to the Healthcare industry’s challenge with interoperability, ideas began pouring into our Innovation Center. The result: our Quick FHIR solution that goes beyond API integration with your existing systems to include a layer of security and AI and machine learning technology to help you better manage and analyze your data.
This infographic provides an at-a-glance description of the benefits of FHIR to your health organization.
Who benefits from FHIR?
Developers
FHIR builds on, co-exists with and leverages HL7’s earlier product lines (HL7 v2, HL7 v3, CDA) and uses common web standards (RESTful services, XML, JSON, HTTP, and OAuth), so developers wanting to try their hand at FHIR may find themselves in familiar territory. They will also find the following appealing about FHIR:
Open-source and free to use
Comes with out-of-the-box interoperability
Base resources can be used as-is or adapted as needed
Integrates with popular web service technologies
Patients
Making health data accessible to patients lets them take more control of their own healthcare decisions. From diet and exercise to treatment and medicine, more data about health factors means smarter consumers. Patients benefit because FHIR:
Allows new technologies to aggregate health data
Example: Apple’s Health app
Eliminates duplicate tests and services, reducing costs
Prevents errors due to missing or incomplete patient data
According to a study conducted by Johns Hopkins, 44 percent of medical error deaths are preventable
Researchers
FHIR has the potential to make healthcare data more available for clinical research, epidemiology, outcomes research and more. Accessible EHR and patient-originated data can mean:
Shorter, less expensive clinical trials
Improved interactions with clinicians and patients
Improved risk assessment of new medical products
Physicians
EHR integration lets physicians find health records and the data they contain more quickly. With AI/machine learning added to the mix, the potential benefits of FHIR become even more attractive:
Improved diagnoses and treatment plans
Faster patient visits
Flexibility to change vendors due to increased system compatibility
Payers
The U.S. Department of Health and Human Services (HHS) is changing the ways health insurance carriers (such as UnitedHealth Group and Blue Cross Blue Shield Association) address interoperability and patient access to data. Under the regulations, payers can leverage FHIR standards to better coordinate care in many ways, including:
Easily update providers about health plan protocols
Freer exchange of claims data and other patient health information via apps from third-party developers
Automated evaluation/approval process, reducing time spent answering phone calls from practice staff about coverage
We invite you to share this with your colleagues and check out our FHIR information hub. If you want to learn more about technology solutions that help you optimize the FHIR standard and be prepared for new CMS and ONC rules for managing your data, contact us at solutions@prolifics.com.
The state of California starts enforcing the California Consumer Privacy Act (CCPA) on July 1. With enforcement come fines of $2,500 per compliance violation, which go up to $7,500 if the violation is considered due to negligence. Californians can also sue you if their personal information is compromised through a data breach, again if due to company negligence.
Under CCPA, Californians have the right to know what personal information of theirs is collected, used, shared or sold by you; can ask you to delete their personal information; and can opt-out of the sale of their personal information.
CCPA compliance (like GDPR compliance before it and other government data privacy laws on their way) begins with you knowing all about your customers’ personally identifiable information (PII) data. You must be able to answer questions like:
There are many products and solutions out there that say they can tell you all about your data. When evaluating any type of data privacy or data identification software, make sure to ask these questions:
Are you scanning all of my data?
Some products just scan file names or column headers or rely on sampling. You need a solution that will deep scan and find all the nooks and crannies where PII could be hiding – such as servers, email systems and shared drives, whether in the cloud or on-premises. Some products are only capable of looking at structured data. The problem with this is that CCPA compliance means knowing what’s in your unstructured and semi-structured data as well.
Can the solution learn as it goes?
A solution needs to go beyond the basic scan. Solutions armed with artificial intelligence and machine learning (AI/ML) see data dynamics and relationships, intentional or unintentional, that you may not even know exist. As it learns, an AI/ML solution can produce data rules, which become the basis for determining data quality.
What will the data scan deliver?
You should expect an inventory of your data assets and holdings with reports on data locations, quality, classifications and sensitivities. From these, you should be able to discuss how serious your data problems are, using the scan as the basis for your next steps. A determination of data quality upfront is an important time saver. It removes the need for lengthy discussions with your own personnel – your subject matter experts – on whether certain data values define quality. The solution should have already identified quality characteristics.
How long should a data scan take?
This pretty obvious question can have a wide range of answers, even depending on the size of the scan. Given comparable quality and size, the better solutions can take a few days to do the complete scan, compared to weeks for the others.
Will the solution continue to work for me?
Data privacy compliance is not a “one and done.” Data is constantly coming into your company. The solution should have the ability to remain in an ongoing role – a monitoring process for the inflow of PII going forward.
How can we help?
If you need someone to talk with about your CCPA preparedness, our experts are here for you. If we believe our solution will meet your needs, we can introduce our basic assessment offering – a “compliance health check.” We’ll do an inventory and assessment of the data you have in a way for you to understand your general risk and exposure.
We have the products and solutions to help your company work towards compliance with any data privacy laws. This includes Data Hawk – an accelerator and an absolute key technology for data privacy projects. Data Hawk is unique to the industry in its deep data scanning and data interrogation capabilities.
Visit our expert hub to dive into all areas of data privacy. To learn more about our CCPA compliance products and solutions, email us at solutions@prolifics.com.
July 1 is the date set for enforcement of the California Consumer Privacy Act (CCPA). With this enforcement comes the threat of hefty fines if your company is not in CCPA compliance. Even with enforcement looming, a lot of companies still aren’t sure if they are really prepared. Our data governance team has fielded a lot of questions from executives, legal teams and information security experts. We’re sharing the top five questions we regularly hear, along with our answers, to help you see where you stand.
1) Does CCPA apply to me?
We encounter a number of execs who ask us what’s in the law, or summarily think CCPA doesn’t apply to their company. We’re not lawyers – and we don’t claim to give legal advice. But, based on our experiences, we do discuss guidelines and criteria that cover whether you’re bound by CCPA or other data privacy laws. So, that said, here are some basic rules to know:
You’re subject to the CCPA if you do business in California and one or more of the following are true for your company:
Has gross annual revenues in excess of $25 million
Buys, receives or sells the personal information of 50,000 or more consumers, households or devices
Derives 50 percent or more of annual revenues from selling consumers’ personal information
“Doing business in California” is given a broad definition – basically, if you have any customers residing in California, you need to pay attention to CCPA.
You must be able to comply with California’s new data rights, including:
The right to know what personal information is collected, used, shared or sold
The right to delete personal information held by businesses
The right to opt-out of the sale of personal information
The right to non-discrimination in exercising these rights
2) What’s my risk under CCPA?
You can be fined $2,500 per compliance violation, which goes up to $7,500 if the violation is considered intentional. This could add up quickly depending on your customer base. Perhaps more eye-opening is the new right of Californians to sue you if their personal information is compromised through a data breach, if considered due to company negligence. These are class action lawsuits waiting to happen.
In the larger data privacy picture, risk comes in various forms – not just fines or lawsuits under mandates like CCPA, but also things like the public relations nightmare and related damage to the company brand if there’s a data breach. Companies want to be known as good stewards of their customers’ data. So, risk begins with your data itself: what data do you store – such as personally identifiable information, or PII – that exposes you to risk, where is the data, who has access to the data, and what is the data being used for?
Risk scenarios pop up in unexpected places. For example, we found that a meter reader for a major utility had access to a system and could see all customers’ data – across the whole company. This was much more information than was necessary for the reader to do his job. In another situation, a company decided to move from on-premise systems to the cloud. However, there was data on an on-premise system that wasn’t supposed to be moved without prior third-party authorization. In the big picture, your risk is dependent on knowing all you can about your data.
“Unfortunately, legal departments don’t always have a clear understanding of the work that’s needed. Then when we get into it, they realize the exposure and scope are much broader.”
– Varun Maddula, Prolifics Technical Architect, Information Management
3) What if we do nothing?
Amazingly, we get this question all the time. It’s hard to simply ignore a major piece of legislation, but some companies are willing to try. The most basic answer is that if you do nothing, you’ll never know your level of exposure – until it’s too late. It would be a difficult conversation with the rest of the C-suite or board if your only response to large fines is “we decided to do nothing.” Willfully doing nothing could be seen as negligence – putting your exposure into the higher fine and lawsuit categories.
We understand the reasoning of some companies: “We’ve only received one or two requests under CCPA so far. What’s the big deal? We’ll pay the fine when they get to us.” It could be easy to get lulled into thinking that the general public isn’t aware of these rules, that it’s just more noise among legislators and consultants. But the larger data privacy movement has deep community roots, and consumers are becoming more involved in this issue and more concerned about their personal data.
On top of that, there are activist groups out there that are making it their mission to inform people on the new rules – including “ambulance chasers” who would like nothing more than to nail a company with a lawsuit. Those one or two requests could easily turn into hundreds – or thousands – in a few months.
“If you do nothing – you’re just waiting to have someone come find you doing 200 mph on the interstate.”
– Brian Kordelski, Prolifics Global Sales Leader, Data & Analytics
4) Can we do CCPA manually?
This is usually the next question, and just a step up from, “What if we do nothing?” It is unlikely that, without some form of automation, you’ll ever know your level of exposure or whether you’re headed toward compliance. It’s improbable that you’d find all the data to comply with requests under CCPA or other data privacy laws (let alone find potential data breaches) through manual effort. What estimate of man hours do you think you’d need, and are you prepared to staff up accordingly?
Data seeps and morphs through an organization’s databases, email systems, servers, shared drives and more – parsed and scattered for different uses by different people. It can be structured, unstructured or semi-structured. Data dynamics and relationships form that may be intentional or unintentional, and that you may not even know exist, regardless of the man hours dedicated to it.
Doing it manually may show good intentions toward compliance and may get you out of negligence territory. But, without automation – and some machine learning thrown in for good measure – it’s almost the same as doing nothing. If you feel you don’t have the budget or know-how for data privacy automation now, realize that you can take baby steps. You don’t have to undertake a full, massive solution all at once – there is a range of solutions, from simple to sophisticated.
“On multiple occasions we’ve found executive and board of director compensation and personal information copied in databases throughout pockets in organizations – available for viewing by people who had no business seeing it.”
– Ron Davis, Prolifics Practice Director, Data Governance
5) How do CCPA and GDPR compare?
When discussing the CCPA/GDPR comparison, we usually hear two statements: “I didn’t have to worry about GDPR, so I don’t need to worry about CCPA,” or “I think I’m good on GDPR compliance so I must be okay for CCPA.” The two laws are similar in many ways: protecting personal information, reporting data breaches, and looking for company transparency. Yet, there are enough differences that you need to look at CCPA on its own.
But, as noted earlier, laws like GDPR and CCPA are part of a larger data privacy movement, with more and more governments coming out with their own laws. In the states, laws in Hawaii, Massachusetts, New York and Maryland are pending. Our point is that, overall, companies should not wait and wonder when each individual state or government mandate is going to roll out and what the various comparisons will be. Data privacy is linked to, and part of, the larger issues of data governance, data management and data security. You should look for bigger picture answers that ultimately address them together, as one. Any new government mandate will fall somewhere under that umbrella, and you will be 99.9 percent ready for whatever comes next – with solutions in place that are applicable and repeatable.
“Companies collect much more data from their customers than is really required for a particular business process. We can generalize that all the problems start there. Once businesses collect more information than necessary, it is there in your data systems, existing for no reason. It’s a foundation of data privacy laws that you should only collect the minimum necessary data.”
– Varun Maddula, Prolifics Technical Architect, Information Management
How can we help?
First, know that if you need someone to talk with about your CCPA preparedness, we’re here for you. And if you want to dive further into what your company needs to do, we can do that too. We think of it as a compliance health check. We’ll start with a discussion and our basic assessment offering. We’ll do an inventory and assessment of the data you have, not in painful detail, but in a way for you to understand your general risk and give you an idea of your exposure. This can help you decide what level of risk you’re willing to accept and give you options for next steps.
We have the products and solutions to help your company work towards compliance with any data privacy laws. And while we offer a step-by-step approach for an end-to-end solution, we can help you at any point in your compliance journey.
Two agencies have issued their final rules on sharing patient health data, and although we expected them, the rules leave most healthcare payers and providers wondering what to do.
The Centers for Medicare & Medicaid Services (CMS) outlines a series of policies on health information sharing and access in its Interoperability and Patient Access final rule (CMS-9115-F). Some of the policies become applicable as early as fall of this year, with one major policy – “Patient Access API” – coming into force January 1, 2021.
The Office of the National Coordinator for Health Information Technology (ONC) issued its final rule under the 21st Century Cures Act. ONC also promotes patient access, with a goal of “… an ‘app economy’ that provides innovation and choice to patients, physicians, hospitals, payers, and employers.”
Both the CMS and ONC rules adopt HL7/FHIR® standards. HL7’s Fast Healthcare Interoperability Resources (FHIR for short) is simply a data API standards framework that lets us share data using simple web standards and build solutions that interoperate. FHIR lets us easily aggregate data from disparate systems to gain new insights using machine learning.
“The CMS rule stresses patient access to their own electronic health data from payers,” said Tim Henrion, Prolifics’ Quick FHIR Solution Director. “ONC is mostly concerned with interoperability and preventing ‘information blocking’ – real or perceived practices that an organization might use to keep information from patients. The goal of both CMS and ONC is to give patients the information they need to make decisions and shop in the healthcare marketplace – and ultimately drive down costs.”
Join Tim Henrion and other members of the Prolifics team for an educational presentation about CMS and participate in an open dialogue with others in your industry. The virtual event is happening at 4:30 p.m. ET, on Tuesday, April 22. Be a part of the conversation and stay informed.
A robust cloud integration strategy powered by a solution like IBM Cloud Pak helps connect data, systems, and external services, unlocking new opportunities that need comprehensive integration to succeed. But that’s only the beginning of what this powerful platform provides. Add to that Prolifics’ ICP Expertise and take your data experience to new heights.
Evolve your data management with containerized services. Harvest advanced insights from trustworthy data. Protect vulnerable data from potential threats. All of these capabilities are available on-premise, on the cloud, or in a hybrid cloud.
This brief explains the technology that makes all of this possible and the solutions you need to stay in charge of your data environment.