Posts By: Hugh Gilenson

What are Open APIs and FHIR for Health Information?

The use of Open APIs is a relatively new form of secure data sharing in clinical healthcare. API stands for Application Programming Interface; an API allows the health care provider to expose data on the web so correspondents can download it through automated applications. The industry is consolidating around an API technique called Fast Healthcare Interoperability Resources (FHIR), an HL7 standard. Although FHIR is not considered fully functional, it has a stable draft and has been integrated into several EHRs.

How are Open APIs / FHIR used?

Primary workflows and use cases for FHIR and Open APIs:

  • Retrieving selected C-CDA fields from an EHR
  • Polling EHR field data from mobile applications
  • Offering new services to complement email-style “push” messaging

What are the advantages of Open APIs / FHIR?

Open APIs and FHIR are attractive to software solution developers because they represent a programmatic, web services approach to retrieving specific data from another source. Web services APIs have proven to be a very efficient and cost-effective method of presenting existing data within a new application. Some very common and recognizable solutions using web service APIs expose local weather or stock market data, or a news feed in a web portal.

What are some of the challenges of Open APIs / FHIR?

As previously noted, Open APIs and FHIR are relatively new techniques for sharing and acquiring clinical health data. There are many trials and production uses, but deployment at the source of data, most prominently provider EHR systems, is at the initial stage of implementation. Therefore, new services and solutions that seek to use Open APIs and FHIR to retrieve patient data fields will find limited availability, and may need a narrow use case and/or population (i.e., a specific health system where FHIR is available for test) for trials and production rollout.

DataMotion Direct on FHIR

The DataMotion Direct messaging service and DataMotion Direct APIs are data sharing techniques complementary to the emerging FHIR Open API standard. DataMotion is working with partners to leverage both health information exchange techniques for innovative new solutions that enable patient engagement, care management, transitions of care, patient enrollment and other digital health solutions that align with the vision and health delivery transformation tenets of the 21st Century Cures Act.

Standards Groups, Direct Messaging and Open APIs/FHIR

DirectTrust, the organization responsible for managing and promoting the Direct Messaging standard, and the HL7 organization responsible for the FHIR API initiative, both have active tracks developing synergy, interoperability and testing use case scenarios and techniques for using FHIR and Direct Messaging in concert.

The current set of scenarios are identified as follows:

  1. Sending FHIR resources within a Direct Message as an attachment
  2. Utilizing DirectTrust certificates with the FHIR RESTful API to enable trust relationships to scale

Best Practices: Emailing Patient Records in Compliance with HIPAA

In January 2016, the HIPAA regulation got more teeth in the area of providing patients their medical records on request (files, notes, diagnostic images, lab results, C-CDAs). The US Department of Health and Human Services published detailed FAQs regarding patients' rights with respect to requesting their medical records from their care providers:

  • Request full medical records from all HIPAA-covered entities, e.g.
    • labs, imaging and surgery centers
    • insurance plans, hospitals, pharmacies, and physicians
  • HIPAA covered entities have 30 days to respond
  • Provide in the format requested by the consumer
    • Electronic format
    • Specific messaging format

Under 45 CFR § 164.524, available at

The Department of Health and Human Services has produced some educational videos for consumers (patients), instructing them of their rights and showing some role play at the doctor’s office. There’s also an HHS infographic, which you can find below, that explains the rule as well.

As a secure messaging company, there was some initial dismay at the videos and written guidance HHS provides patients:

“…..covered entities must safeguard the information in transit, and are responsible for breach notification and may be liable for impermissible disclosures of PHI that occur in transit.  The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted e-mail or in another unsecure manner, which the individual has a right to request.  As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.”

Wow – unsecure email is OK for sending PHI (Protected Health Information) as long as the healthcare provider warns the patient that there is a security risk, and the patient accepts that risk. How do you track that? Is it realistic to think both sides of that transaction will be truly cognizant of the requirement to inform, and the real security risk?

I turned to our CMO, Dr. Peter Tippett, for some guidance and perspective. What’s the best practice for a physician’s office to comply with HIPAA when emailing medical records to a patient?

His response – so practical, and sensible:

Covered entities should always use some form of secure messaging when emailing medical records to patients for several reasons.

  1. Email encryption, logging and other HIPAA requirements are expected and required UNLESS the patient EXPLICITLY is warned, and EXPLICITLY agrees to unencrypted mail.  Keeping these warnings and permissions straight and getting the right message to the right patient via the right modality will fall in the “too hard” category for most covered entities.
  2. Covered entities will worry because they will be sued anyway if a patient, for example agrees to receive blood test results one week; and a few months / years later, gets sent something truly private, which is exposed because it was regular email.
  3. Most patients will not answer the question at all as to whether or not it would be ok after a warning to send the message via regular email – which could lead to errors, so a hard stop in the workflow, and risk of not meeting the 30 day delivery window.
  4. The fact that at least some patients will want the message securely, will require all covered entities to have a solution.

Given that email is such a convenient way to exchange files, and email encryption solutions such as DataMotion SecureMail are so affordable and easy to use by senders and recipients, this new HIPAA measure is another driver for adoption by covered entities. SecureMail also enables files up to 2GB, perfect for diagnostic images. It’s a small price to pay for compliance (and happy patients)!

Salesforce Service Cloud and HIPAA Compliance

Q: My company sells to the healthcare industry.  Is it a HIPAA violation when my Customer Service Rep replies to a support ticket on Service Cloud?  I mean, Salesforce is HIPAA compliant, right?

A: You very well may be in violation of HIPAA standards.  Here’s why.

Yes, the Salesforce platform itself can be made HIPAA compliant.  Salesforce will sign a Business Associate Agreement (BAA) and if you connect Shield you’ll get monitoring, encryption, and auditing functionality for your Salesforce instance.  But that’s only part of the compliance story because it only covers the data while it’s residing within the Salesforce ecosystem – the data at rest.

HIPAA also applies to data in motion.  Simply stated; data containing protected health information traveling over a public network (like the Internet) must be encrypted in transit.

So let’s take a look at your scenario:  Suppose you’re a CSR using Service Cloud to view a new support ticket.  A customer sends an inquiry explaining that his doctor wants him to get additional testing to rule out prostate cancer and he wants to know if his insurance covers the new tests.  The customer’s contact information plus a medical condition equals Protected Health Information (PHI) and needs to comply with HIPAA.

While you’re viewing the information on Service Cloud, it’s covered by HIPAA (see the first paragraph above).  But when you reply to that ticket, the PHI is almost always copied as part of the ongoing dialogue thread and is sent from your company to the customer via email or other messaging format.  It’s now data in motion traveling over the Internet, and your company (not Salesforce) is responsible for encrypting the message before it’s sent.

Luckily, there are solutions, like DataMotion SecureMail, that integrate easily with Salesforce, and have the ability to filter by policy rules and keywords and automatically encrypt messages containing PHI.  Our solution also adds logging and tracking for better visibility and governance (proof you need in the event of a HIPAA audit by the feds)!
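The reply scenario above, as an added example (not DataMotion's or Salesforce's code): a policy check on an outbound ticket reply that scans the quoted thread as well as the new text. The rule names, keyword patterns and sample message are hypothetical and constructed for illustration.

```python
import re
from email import message_from_string

# Hypothetical policy rules; a real policy is defined by the compliance team
# and keyword matching alone will miss PHI phrased in other ways.
POLICY_RULES = {
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "health_keyword": re.compile(
        r"\b(diagnos\w*|cancer|biopsy|prescription|lab results?)\b", re.I),
}

# Constructed sample: the CSR's own text is harmless, the quoted inquiry is not.
REPLY_WITH_QUOTED_PHI = """\
From: support@example.com
To: customer@example.net
Subject: Re: Coverage question

Hello, thanks for contacting us. We are reviewing your plan now.

> My doctor wants me to get additional testing to rule out prostate cancer.
> Does my insurance cover the new tests?
"""


def split_new_and_quoted(body):
    """Separate the agent's new text from '>'-quoted lines of the thread."""
    new, quoted = [], []
    for line in body.splitlines():
        (quoted if line.lstrip().startswith(">") else new).append(line)
    return "\n".join(new), "\n".join(quoted)


def routing_decision(raw_message, scan_quoted=True):
    """Return the action for an outbound message and the rules that matched."""
    msg = message_from_string(raw_message)
    new_text, quoted_text = split_new_and_quoted(msg.get_payload())
    parts = [("subject", msg.get("Subject", "")), ("reply", new_text)]
    if scan_quoted:
        parts.append(("quoted_thread", quoted_text))
    hits = [(part, rule)
            for part, text in parts
            for rule, pattern in POLICY_RULES.items()
            if pattern.search(text)]
    return {"action": "encrypt" if hits else "send_plain", "hits": hits}


if __name__ == "__main__":
    # Scanning only the agent's new text misses the PHI carried in the thread.
    print(routing_decision(REPLY_WITH_QUOTED_PHI, scan_quoted=False))
    print(routing_decision(REPLY_WITH_QUOTED_PHI))
```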


Yes, the Salesforce Platform can be made HIPAA compliant.  But when you reply to a Service Cloud ticket, that’s data in motion and it’s not Salesforce’s responsibility.  Your company needs to ensure those messages are encrypted between Salesforce and your customers.  If not, you’re subject to fines, penalties and loss of reputation.

Best Practices: Securing Data at Rest, in Use, and in Motion

Sensitive business data is more vulnerable today than ever before. Corporate trade secrets, national security information, personal medical records, Social Security and credit card numbers are all stored, used, and transmitted online and through connected devices.

This proliferation of valuable data presents criminals with an increasingly wide range of opportunities to monetize stolen information and intellectual property. In addition, foreign governments and organized crime rings have embraced hacking as one of the most potent tools at their disposal.

Organizations are also at risk from internal threats. A negligent or disgruntled employee can expose confidential information even faster than a hacker if there aren’t adequate safeguards in place to prevent the accidental or intentional release of sensitive data.

Security is critical, but it can’t come at the expense of your ability to complete daily tasks. This article examines the best practices for conducting a risk assessment and striking the right balance between security and functionality.

The Three Critical Components of a Total Information Security Strategy

Data at Rest

Data is at rest when it is stored on a hard drive. In this relatively secure state, information is primarily protected by conventional perimeter-based defenses such as firewalls and anti-virus programs. However, these barriers are not impenetrable. Organizations need additional layers of defense to protect sensitive data from intruders in the event that the network is compromised.

Encrypting hard drives is one of the best ways to ensure the security of data at rest. Other steps can also help, such as storing individual data elements in separate locations to decrease the likelihood of attackers gaining enough information to commit fraud or other crimes.

Data in Use

Data in use is more vulnerable than data at rest because, by definition, it must be accessible to those who need it. Of course, the more people and devices that have access to the data, the greater the risk that it will end up in the wrong hands at some point. The keys to securing data in use are to control access as tightly as possible and to incorporate some type of authentication to ensure that users aren’t hiding behind stolen identities.

Organizations also need to be able to track and report relevant information so they can detect suspicious activity, diagnose potential threats, and proactively improve security. For example, an account being disabled due to a certain number of failed login attempts could be a warning sign that a system is under attack.
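The warning sign described above, as an added example that is not part of the original article: detection over authentication events that flags repeated failures on one account, account lockouts, and one source failing against many accounts. The log format, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
ACCOUNT_FAIL_THRESHOLD = 5      # assumed: failures on one account in WINDOW
SOURCE_ACCOUNT_THRESHOLD = 4    # assumed: distinct accounts failing per source

# Constructed sample events: timestamp, account, source address, outcome.
SAMPLE_LOG = """\
2024-03-01T09:00:05 jsmith 10.0.0.5 FAIL
2024-03-01T09:00:09 jsmith 10.0.0.5 FAIL
2024-03-01T09:00:14 jsmith 10.0.0.5 FAIL
2024-03-01T09:00:20 jsmith 10.0.0.5 FAIL
2024-03-01T09:00:26 jsmith 10.0.0.5 FAIL
2024-03-01T09:00:26 jsmith 10.0.0.5 LOCKED
2024-03-01T09:10:00 erin 10.0.0.9 FAIL
2024-03-01T09:10:12 erin 10.0.0.9 OK
2024-03-01T10:00:00 alice 198.51.100.7 FAIL
2024-03-01T10:00:30 bob 198.51.100.7 FAIL
2024-03-01T10:01:00 carol 198.51.100.7 FAIL
2024-03-01T10:01:30 dave 198.51.100.7 FAIL
"""


def parse(line):
    ts, account, source, outcome = line.split()
    return datetime.fromisoformat(ts), account, source, outcome


def detect(log_text):
    """Return a list of (alert_type, subject) tuples in the order raised."""
    alerts, flagged = [], set()
    fails_by_account = defaultdict(deque)  # account -> failure timestamps
    fails_by_source = defaultdict(deque)   # source -> (timestamp, account)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, source, outcome = parse(line)
        if outcome == "LOCKED":
            alerts.append(("lockout", account))
            continue
        if outcome != "FAIL":
            continue
        # Sliding window of failures per account.
        q = fails_by_account[account]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= ACCOUNT_FAIL_THRESHOLD and ("acct", account) not in flagged:
            flagged.add(("acct", account))
            alerts.append(("repeated_failures", account))
        # Sliding window of failures per source: one failure each on many
        # accounts never triggers a lockout, so it needs its own rule.
        s = fails_by_source[source]
        s.append((ts, account))
        while ts - s[0][0] > WINDOW:
            s.popleft()
        distinct = {a for _, a in s}
        if len(distinct) >= SOURCE_ACCOUNT_THRESHOLD and ("src", source) not in flagged:
            flagged.add(("src", source))
            alerts.append(("many_accounts_one_source", source))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A single mistyped password followed by a successful login (the `erin` events) raises nothing, which keeps the report focused on patterns worth an analyst's time.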

Data in Motion

Data is at its most vulnerable when it is in motion, and protecting information in this state requires specialized capabilities. Our expectation of immediacy dictates that a growing volume of sensitive data be transmitted digitally, forcing many organizations to replace couriers, faxes, and conventional mail service with faster options such as email. Today, more than 100 million business emails are sent every day. [1]

When you send an email, it typically takes a long and winding journey through the electronic infrastructure at universities, government facilities, and other network locations. Anyone with the right tools can intercept your email as it moves along this path. However, there are effective ways to make email more secure.

The best way to ensure that your messages and attachments remain confidential is to transmit them through an encryption platform that integrates with your existing systems and workflows.

Optimally, users should be able to send and receive encrypted messages directly from their standard email service. More than 90% of organizations that currently use email encryption report that they have this capability. [2]

Looking ahead, it will also become increasingly important for the encryption service your organization uses to cover mobile email applications. The Radicati Group [1] predicts that 80% of email users will access their accounts via mobile devices by 2018, but more than 35% of organizations currently using email encryption say their users currently lack the ability to send secure messages from their mobile email client. [2]

How to Conduct an Effective Risk Assessment

Unless your organization has recently conducted a holistic risk assessment, the threat of a data breach is probably much larger and more immediate than you realize.

Organizations often underestimate their risk because they erroneously believe all of their sensitive data is contained within a few secure systems. In reality, this is seldom true.

Think about the situation from a workflow perspective. Do employees access corporate systems from their personal devices or use company-issued devices to work from home? What happens when employees take their devices on business trips? How is data transferred between devices or communicated to other stakeholders? And have you thought about what your customers or business partners do with any sensitive files you send them?

Almost inevitably, information is going to end up spread across multiple devices and networks with varying degrees of security and risk. Before you can take effective action to mitigate your risk, you need to have answers to the following questions:

  • What types of sensitive data does your organization store, use, or transmit?
  • Who has access to this data?
  • Where, when, and why are they using it?
  • How is data stored when it is not in use?
  • How is access to databases controlled?
  • What mechanisms are used to transport data?
  • What are the pertinent laws, regulations, and standards?

Once you have a solid grasp of the potential risks, work with data security experts to determine the next steps to implement a total information security strategy. But don’t wait for the risks to make themselves clear; by that time it will almost certainly be too late to take effective action.

There is a long and growing list of organizations that have learned painful first-hand lessons about data security, including Target, Home Depot, Anthem, the Federal Office of Personnel Management, and the National Security Agency. Take action today to ensure your organization doesn’t end up on this list.

1. The Radicati Group. “Email Statistics Report, 2015–2019.”
2. DataMotion. “Secure Email and File Transfer Corporate Practices 3rd Annual Survey Results.”

What Exactly is a HISP?

A Health Information Service Provider (HISP) is an authorized network service operator that enables nationwide clinical data exchange based on Direct Secure Messaging, a HIPAA compliant and interoperable transport method promoted by the Office of the National Coordinator of Health IT of the US Department of Health and Human Services (ONC/HHS). HISPs and Direct Secure Messaging are regulated and monitored by the, a governance organization empowered by HHS.

HISPs offer healthcare organizations (hospitals, physicians, health plans, health information exchanges) and consumers an onramp to the Direct Secure Messaging network where trading partners can exchange protected health information (PHI), in structured and unstructured format, across the internet with maximum security and privacy.  Exchange partners can easily discover each other’s address on the DirectTrust network through a healthcare provider directory (HPD) compiled, shared, and published by HISPs participating in the DirectTrust HPD program.

The nationwide dial-tone delivered by HISPs and overseen by DirectTrust represents a modern, affordable, and standards-based alternative to sharing clinical data by fax, virtual private networks, and proprietary interfaces – exchange methods that are costly and increasingly outmoded as healthcare embraces digital communications with the economies, scale, and ubiquity of the internet.  Operationally, HISP-delivered Direct Secure Messaging services are most closely related to fax in that both methods “push” data between senders and recipients and return a delivery notification upon completion.

Collectively, HISPs are the communications backbone of the DirectTrust health information exchange.  Individually, HISPs are access points to the DirectTrust Network and are referred to as DirectTrust network service providers or Direct Trusted Agents.  Direct Secure Messaging, Direct exchange, ONC Direct, and HISP services are the terms generally used to describe the clinical data exchange service HISPs provide.

Because the message attachments (HL7 C-CDAs or CDA) processed by HISPs meet Health IT interoperability standards, PHI exchanged via Direct Secure Messaging can be sent and received from EHR workflow.  The same interoperability standard allows data sharing among any EHR and any software solution connected to a HISP.  Using an email analogy, you may have Microsoft Outlook installed on your computer, but if it isn’t connected to an email network, your emails can’t go anywhere and none can get to you.  Similarly, your CEHRT can send and receive Direct-compliant messages, but those messages won’t go anywhere unless you and those who you are communicating with have valid

HISPs are important partners for Health IT developers seeking ONC EHR Certification.  HISPs provide certification requirements related to Direct Secure Messaging that are out of scope for most developers, enabling them to meet and satisfy Certification requirements.

Some HISPs are end-user facing with recognizable brand names and user interfaces while others operate behind the scenes as an integrated module of an EHR or similar health IT solution.  HISPs that tightly integrate with EHRs or HIEs are sometimes owned and operated by the solution vendor and provide a captive service tailored to the solution.  Independent (aka: pure-play) HISPs are typically full-service providers offering a range of connectivity and service options to suit the needs of a range of end-user requirements.

HISPs provide multiple sub-services underlying the Direct Secure Messaging service:

  • Direct Secure Messaging Addresses
    • A Direct address is similar to a typical email address with the exception that it operates exclusively on the DirectTrust network.  The specialized digital certificate affixed to a Domain/Direct Address is recognized by DirectTrust network operators and can only be issued by an accredited DirectTrust HISP. The digital passport represented by the certificate makes Direct Addresses distinct from Gmail, Outlook, Yahoo, and similar addresses that operate on standard email.  The certificate also encrypts messages and confirms the identity of the sender and receiver, resulting in non-repudiation.
    • Encrypting the data on behalf of an organization
    • Support for managing the encryption and decryption at the HISP level
  • DirectTrust Onramp Connectivity Options
    • Edge protocols (e.g., XDR or S/MIME)
    • A web-based mail portal with accessibility support
    • Protocol transformation and routing: SMIME/SMTP, IHE XDR, web services
  • Digital Certificate Issuance and Life Cycle Management
    • The DirectTrust-authorized digital certificates provisioned by HISPs require specialized management and sharing capabilities that only HISPs are qualified to provide.
    • Participation in the DirectTrust Accredited bundle.
    • Certificate issuance and registration authority
  • Identity Authentication (aka: identity proofing)
    • To keep the DirectTrust network free of bad actors (e.g., spammers), HISPs are required to confirm the true identity of participants in Direct Messaging prior to provisioning a Direct Address
  • Message Delivery Notification
    • Message completion acknowledgements collected and reported out by HISPs are considered to be irrevocable proof of message delivery and thus have important weight in legal and CMS reporting
  • Direct Secure Messaging Service Support
    • Providing online and phone support for onboarding, connectivity issues and outages, and other service needs
    • High availability and disaster recovery
  • Healthcare Provider Directory (HPD)
    • Publish Direct Addresses to DirectTrust HPD
  • Enforcing DirectTrust Rules of the Road
    • Maintain accreditation attesting to trust relations
    • Security and Trust Framework

Direct Secure Messaging

What is Direct?

Direct is a national encryption standard for securely exchanging clinical healthcare data via the Internet. It is also known as the Direct Project, Direct Exchange and Direct Secure Messaging. It specifies a secure, scalable and standards-based method for the exchange of Protected Health Information (PHI). It was developed in 2010 as part of a federal project for standards-based healthcare communications.

As a part of qualifying for incentive payments under the Meaningful Use Stage 2 criteria issued by the Office of the National Coordinator for Health IT (ONC), healthcare organizations and providers must meet data transfer requirements using Direct Messaging. These requirements can be demonstrated with Electronic Health Records that comply with the ONC’s 2014 Edition EHR Certification Criteria which specifies electronic exchange of transition of care records with Direct Messaging.

Who uses Direct?

  • Hospitals
  • Providers/Clinicians
  • Care Team Members
  • Patients
  • Laboratories
  • Pharmacies
  • Long Term Care
  • Skilled Nursing
  • Specialists
  • Dental

Why should you care?

Direct helps to cut costs and deliver improved quality of care.

On the clinical side, Direct Messaging addresses gaps in transitions of care which have been identified as a significant patient safety issue. Incomplete exchange of patient health information among providers when transitioning from one care environment to another is a point of vulnerability that can compromise the overall quality of care a patient receives.

On the business side, Direct Messaging can reduce or eliminate the costs associated with fax workflows by transitioning relatively expensive fax communication to less expensive email workflows.

Direct Messaging provides many additional benefits including:

  • Strong security and privacy protection of PHI
  • One unified standard that all systems can leverage
  • Improved communications between providers
  • Easily sent and received referral information
  • Efficient report exchange
  • Ease of sharing patient information
  • Improved practice workflow

How is Direct used?

Here are some of the ways Direct can be used to communicate or share private health information:

  • Transitions of care (CCD, C-CDA documents)
  • Physician consult requests
  • Admit-Discharge-Transfer Requests (ADT)
  • Medication reconciliation
  • Lab/Test results
  • Patient communication
  • Order submission
  • Report distribution
  • Peer to peer collaboration

How does Direct work?

Direct can be incorporated into a variety of user interfaces such as an email client, a mobile device, healthcare IT system portals or an automated data delivery feed. Any of these interfaces is capable of sending or receiving Direct messages. But in order to participate, both sender and recipient will need a specific Direct email address provided by their HISP (see below). Healthcare IT systems can integrate Direct in multiple ways depending on the desired workflow.

Where can you get Direct?

Direct messaging services are provided by a Health Information Service Provider, or HISP, such as DataMotion with its DataMotion Direct messaging service.