FHIR API Implementation: 12 Key Checkpoints

• March 24, 2023

Do you have a plan in place for meeting recent Cures Act Rule update to have a (g)(10) FHIR-based API? Keep in mind that this is only one part of the multi-dimensional certification requirements for EHRs and providers under the Cures Act. When deciding whether to build or buy a Cures Ready FHIR API, it's crucial to consider how the FHIR-API will meet all the necessary API requirements, including (g)(7) and (g)(9) criteria, as well as the (b)(10) EHI Bulk Data export criteria. Getting certified is a complex four-stage process, and there are important considerations to keep in mind before implementation. It's essential to remember these requirements and myths related to the Cures Act for both providers and EHR vendors.

Few myths related to the Cures Act and its impact on the implementation of FHIR

One-time effort : Firstly, many people assume that achieving compliance is a one-time effort. However, simply checking off a box on the CHPL site is no longer sufficient. Compliance requires ongoing efforts such as real-world testing, version updates every year, and biannual reporting. Failure to comply with these requirements by the deadline could result in decertification.

USCDI V1 compliance will solve every compliance issue : Another myth is that complying with the USCDI V1 will solve all compliance issues. However, this is not the case, as compliance with both USCDI V1 and V2 is required. Furthermore, the revised information blocking rule mandates that providers must now be able to provide patients with all data related to their ePHI included in the DRS.

Checklist for FHIR API Implementation

1. Provision FHIR Server(s)

   • Setting up and testing the FHIR Server.
   • To provision FHIR servers, you would first need to determine the specific requirements of the practices that will be using the servers.
   • Before installing a FHIR server, you must consider whether you want to customize it now or in the future. In many cases, a FHIR server using the Resource Repository cannot be customized unless you subclass the Interactions Strategy before creating the endpoint.
   • Check if you have updated your HIPAA/Cyber Insurance policy to include this effort. It is important to ensure that you have adequate insurance coverage in case of any data breaches or other security incidents.
   • If you will be storing data on your FHIR servers, will you allow outside access to additional PHI/EHI within your domain? It is crucial to consider the potential risks of allowing outside access to sensitive data and to have appropriate controls in place to mitigate those risks.



2. Upload Patient Data in the USCDI Format

   • Validate your C-CDA (Consolidated Clinical Document Architecture) to the USCDIv1 (United States Core Data for Interoperability version 1) data elements. This is an important step in ensuring that your clinical documents are compatible with the latest interoperability standards.
   • Keep your CHPL listing up to date to ensure that your product is accurately represented and can be easily found by potential users.
   • It is important to have a clear and secure process for uploading PHI to ensure that the data is protected and remains confidential.
   • It is important to have a regular schedule for uploading patient data to ensure that the data is current and accurate.
   • How close to Real-Time Access are you? It is important to understand the level of access to patient data that will be available and whether it will be in real-time or delayed.



3. The Developer Portal

   To comply with the Cures Act, it is mandatory for every EHR to have a developer portal that assists in the authorization of third-party applications that intend to connect with the EHR's API. Cures Act Certified Solutions can be used to integrate with EHRs to create these portals.

4. Manage Ongoing Updates and Conduct Real World Testing (RWT)

   It is important to identify who is responsible for creating the RWT – real world testing plan. It is important to identify who will be responsible for writing the report for the RWT Plan and RWT Testing, which is required by the ONC-ATB to demonstrate compliance with interoperability standards.

5. Support the Addition of EHI to Meet the October 6, 2022 Requirements

   • It is important to have a clear plan in place for transitioning from PHI to EHI to ensure compliance with regulatory requirements.
   • Have you considered the requirement for Bulk Export - (b)(10)? It is important to consider the requirement for bulk export of health information, as it may impact the design and implementation of your FHIR server.



6. Version compatibility

   One of the most important things to check when evaluating an FHIR API is that it is compatible with the version of FHIR you are using. This ensures that any APIs you build will work correctly and won’t fail due to compatibility issues.

7. Security

   Make sure all data stored in the FHIR API and connections are secured with authentication and authorization protocols like OAuth 2.0 and OpenID Connect. Implement defences like rate limiting and input validation checks to prevent unauthorized access.

8. Reliability

   Check the underlying platform's high availability, redundancy, scalability, and uptime record to determine its reliability over time. Test the performance of your application under peak loads to identify potential bottlenecks or areas to optimize.

9. Documentation

   Ensure the FHIR API provider offers a comprehensive set of documentation, including examples and code samples for common tasks to help speed up development.

10. Interoperability

    Assess how well the FHIR API interacts with other services or systems both within and beyond your organization. Verify that different versions of FHIR and non-FHIR systems/standards are supported via integration protocols like OAuth2.0 or RESTful APIs.

11. Compatibility & Portability

    Check for support of FHIR API deployment on various platforms (desktop/mobile), across different operating systems (Windows/Linux/macOS), and compatibility across web browsers.

12. Support

    Consider the availability of support from your provider when needed, including different levels of customer support ranging from basic to advanced technical assistance services, training options, or managed services packages, depending on your specific use case requirements and team size/structure.

How can we help?

We have been helping healthcare organizations all over the US for more 18 years now. If your current FHIR API implementation partner has not helped you check any of the boxes above, let KPi-Tech come to your rescue. Our Healthcare IT experts will assist and guide you for FHIR implementation and ensure Cures act compliance.

Contact us : info@kpitechservices.com | +1 302 451 9598