Joe Tuan
Founder, Topflight Apps
February 11, 2024

As the National Coordinator for Health Information Technology (ONC) keeps pushing forward interoperability regulations to unblock patient data, healthcare providers get more opportunities to innovate the industry with patient-centered apps. One way to do that is to use the Epic EHR/EMR API.

Let’s say you’re a provider working at a hospital or an outpatient clinic that relies on Epic for electronic health record (EHR) management. And you need to develop a healthcare app to work with patient data. The great news is you can get this data into your app by using their USCDI API. Let’s briefly recap what USCDI means before moving forward.

What is Epic USCDI API?

USCDI stands for the United States Core Data for Interoperability. It’s a standard that dictates which health data classes and their constituents EHR software vendors have to make available via APIs for exchange between health applications.

The USCDI standard is part of the Affordable Care Act, and, therefore, provides the legal basis for the minimum information that EHRs and EMRs have to make available for exchange.

An API, in layman’s terms, is a set of rules for working with data. Developers refer to APIs to learn how they can extract data and send it back to a server, what other operations are available, etc. So the Epic USCDI API is a set of rules for getting health record data in the USCDI format from Epic.

FHIR is another abbreviation that often appears when discussing how to integrate with Epic EMR. As a health care practitioner, I’m sure you’ve probably already heard a little about FHIR, but here’s a brief explanation to refresh your memory.

Simply speaking, FHIR is a special API for exchanging health records and a method to describe how health data should be formatted when traveling between authorized applications. The FHIR data format ensures that patient data traveling between healthcare apps remains consistent and digestible by all apps.

Finally, Epic, as you’re well aware, is the leading EHR software in the U.S. with around 34% market share.

Why Do I Need It, Again?

This EPIC EMR API (aka Epic USCDI on FHIR) allows individuals to access data from a provider-facing app without any charges being assessed to customers. You also get free access to the specifications. So, as a healthcare provider, with the USCDI API, you ultimately get free one-way patient data sync from Epic EMR to your app. You can then visualize, analyze, run AI algorithms — do anything you need with this patient data to foster value-based care.

In some cases, using the Epic EMR API helps either to move away from having to manually access Epic or to avoid using more expensive and less scalable data integration options, such as HL7 2.X and CCDs (continuity of care documents). When it is a feasible solution, it is extremely attractive because of its scalability and the cost-effectiveness of the implementation.

Use Cases for Integrating Epic USCDI on FHIR

Let’s list some of the use cases when you may benefit from integrating with the Epic USCDI API.

  • Any provider-facing application that wants to be able to pull relatively standard data on a patient (e.g., medications, allergies, conditions/problem list, demographics, test results, Epic electronic medical records)
  • If one is looking for an integration to pull data that can scale easily and cost-effectively
  • If one does not need to launch the application from Epic
  • If one does not need to push data to Epic

A good example would be a telehealth app that pulls data in for a remote provider for reviewing while treating a patient. Another example is a patient management app that tracks and monitors treatment plans. The app pulls initial and ongoing clinical data (such as medication status and test results) when a patient’s record is being reviewed and keeps track of changes.

Here’s a screenshot from an MVP app we built to demonstrate how one can develop a simple health app using the Epic USCDI API.

As you can see in the screenshot, the app allows you to find a patient and view her electronic health record with previous diagnoses, prescribed medications, care plans, etc. The app also pulls the patient’s demographic data with the integration. You can use this data when seeing a patient remotely or for any other processing purposes.

When Epic API Is Not a Good Fit

Let’s also go through a few cases where you might need other APIs because, in those scenarios, you’d want to do more than merely viewing patient data:

  • It should be avoided when one wants to sync data back to Epic.
  • The EPIC EMR integration API is not designed for patient-facing applications.
  • It should be avoided for integrations when you want to extract vast quantities of data for analytics.
  • When the receiving health system depends on Epic to create patients. An example of a pre-existing system where this would occur would be one that involves using ADT messages to create new patient records. USCDI requires some patient demographics to perform a patient search.
  • When an app’s workflow depends on Epic pushing data.

Patient-facing app dilemma

Even though we said that Epic USCDI on FHIR is not designed for patient-facing apps, there’s nothing stopping you from building such an application.

However, you need to keep in mind the following disadvantages:

  • Patients will need to use their credentials from a patient portal hooked with an Epic EHR.

I know that not all healthcare facilities provide such web applications for patients to access their data. And even if you do, you will need to educate your patients to use the same credentials.

  • Only some data is available via Epic EHR API on FHIR on a free-tier basis to your customers.

Despite these caveats, you can still build a patient-facing application using their FHIR API and get it approved by Epic (approval usually takes a day or two).

How Do You Start Epic EHR Implementation?

When figuring out how to integrate with Epic EMR/EHR, first make sure that the sites you want to pull data from are on a supported version of Epic (most of them should be). You can confirm this by having the site check with your account/integration manager.

The next step is to go to, register for a free account, and review the endpoints/data that is available. That’s a crucial step as you want to ensure that all the data needed is available. The account that you created at can be used to register the EPIC EHR API as well.


What data can you pull from Epic free of charge?

Let’s discuss what type of data you can pull from Epic using FHIR. As we’ve mentioned, USCDI defines only the minimum health data sets that have to be freely available to all players in the market. And even though they broaden the requirements each year, you shouldn’t expect to be able to pull absolutely any data from Epic.

So what is available under a free tier?

  • Observation (Vitals) — all the vital signs
  • Observation (Labs) — lab test results
  • DiagnosticReport — for example, results of MRI scans in the form of radiologist reports (images per se are not included)
  • DocumentReference (Clinical Notes) — notes by nurses, physicians, or other healthcare professionals
  • Binary (Clinical Notes) — part of DocumentReference
  • MedicationRequest — lists prescribed medications
  • Device — describes information about implantable medical devices
  • AllergyIntolerance — info about the patient’s allergy or intolerance to a specific substance
  • Condition – patient data from problem list records
  • Procedure – surgeries, endoscopies, biopsies, counseling, physiotherapy, etc.
  • Patient — demographics, care providers, and other administrative information about a patient
  • Immunization — info about vaccine and vaccine administration details

Note that you can only Read, i.e. download data from Epic, free of charge. The Search and Create options are both paid options.

One thing to keep in mind while working on Epic EHR integration is that there are different versions of FHIR, namely DSTU2, STU3, and R4. When working with legacy healthcare systems, you will need to support all of them for backward compatibility. However, R4 is becoming the gold standard for FHIR data exchange.

What you need to build a health app integrated with Epic

In order to create a health app working with Epic EMR, you need to set up a few things.

  1. A server with your health app running on it. Here you’re limited only by your imagination. It can be an AI app that analyses the patient’s health data and outputs a preliminary diagnosis and recommendations. Or it can be a simple informative app that just shows some health readings and links to educational resources.
  2. Integration with Epic via the FHIR API. Again, FHIR is just a REST-formatted API bundled with an OAuth 2 authentication mechanism. The integration connects with Epic, securely authenticates a user, and then pulls data from the Epic EHR to display/process in your health app.
  3. Register your app with Epic.

If you want to fully leverage Epic EMR resources, you will need a developer account in their App Orchard, which is sort of Epic’s app store for health apps. The nice thing about it is you can set up your health app to run on its own integrating with Epic EMR via API, but it can also function right within Hyperspace (Epic’s software for healthcare providers).

2024 Considerations when Integrating Your Mobile App with Epic EHR

Even though Epic EHR offers dedicated mobile apps for patients and providers, some healthcare providers may find themselves contemplating a new possibility. What if they could integrate their EMR instance with a unique in-house mobile app? This customized application could serve patients or healthcare providers, offering use cases that go beyond what’s covered by MyChart and Haiku.

Check out the rating of the stock apps in the App Store and Google Play to see why they might be considering developing and integrating a custom mobile app with Epic:


Again, most of this info is covered in Epic’s developer FHIR toolbox and interoperability guide.

Typical Steps for Integrating Epic EMR with a Mobile App

When planning to integrate your mobile app with Epic EHR, taking a strategic approach is crucial. You can ensure a seamless and effective integration by carefully considering various factors. Here are a few key points to keep in mind:

  1. Identify data types and detail level: Understand the specific data types your app will exchange with Epic EHR. This could include patient demographics, medical history, lab results, etc. Pay attention to the level of detail required within this data set.
  2. Direction of data exchange: Determine whether your app will read data from Epic, write it back into it, or both. This decision will shape your integration strategy.
  3. Workflow identification: Identify the specific workflows during which the data exchange will occur. This could involve appointment scheduling, medication management, patient check-in, and more.
  4. Selection of data exchange method: Choose the most suitable method for data exchange. Consider industry standards like HL7, DICOM, or FHIR as potential options.
  5. Data security: Ensure robust security measures are in place for data exchange. Implement authentication and authorization mechanisms to protect patient data and maintain confidentiality.
  6. Leverage support services: Take advantage of support services provided by Epic, such as open.epic and Vendor Services. These resources can be invaluable for troubleshooting and ensuring a smooth integration process.

By considering these factors, you’ll set yourself up for a successful integration with Epic’s EHR system. Remember, the ultimate goal is not just to integrate but to create an application that adds value to your healthcare service delivery, enhancing both the patient experience and operational efficiency.


To protect PHI and securely authenticate a mobile user (provider) in the EHR, you may want to use the Standalone Launch approach using Epic’s FHIR specification. This sign-in process relies on the industry-standard OAuth 2.0 and enables you to develop your app without building a credential management system.

Beginning with the August 2019 release of Epic, Epic’s OAuth 2.0 implementation includes support for Proof Key for Code Exchange (PKCE). Epic strongly recommends utilizing PKCE for integrations involving native mobile applications. The PKCE technique protects authorization codes from interception on mobile devices.

Alternatively, for earlier versions or if PKCE cannot be used, Epic recommends using Universal Links (on iOS) and App Links (on Android).

It’s also recommended to use a dynamic client registration protocol to enable offline access for the app.

FHIR Versioning

It’s essential to keep in mind the distinction between FHIR versions (DSTU2/STU3/R4), particularly if you’re working with some FHIR resources that use the DSTU2 or STU3 standard and others that use the most recent R4 standard. Without going too deep into technical details, developers need to respect, in code, the version of each FHIR resource they reference in the app.

Security best practices

When it comes to integrating your mobile app with Epic EHR, security is not just a feature – it’s a necessity. Here’s a quick rundown of the essential security practices you should implement:

  • Industry-standard encryption: Utilize encryption algorithms like AES-128 or higher. It’s like building a digital fortress around your data.
  • TLS 1.2 or higher: Adopt the TLS 1.2 or higher encryption protocol for sending or receiving data. Think of it as a secure courier service for your app’s information.
  • OAuth 2.0 for authentication: Implement OAuth 2.0 (part of the recommended FHIR implementation mentioned above) for user authentication and authorization.
  • No bypassing Epic’s APIs: Never pass user names, passwords, access tokens, or refresh tokens to non-Epic systems bypassing Epic’s APIs.
  • One-way hashing or secure storage: Use one-way hashing algorithms like SHA-256 or secure storage provided by the host platform/operating system to protect data.
  • Secure end-user data & enforce time-outs: Ensure all data on an end-user’s device is secured and enforce inactivity time-outs.

Mobile app security is a critical part of providing a reliable and trustworthy app.

Testing the integration

The HL7 V2 Message Validator is a powerful tool designed to assist developers in ensuring that their message formatting aligns with Epic’s requirements for proper interpretation by the EHR. While HL7 v2 allows for a certain degree of interpretation, this tool empowers developers to experiment with Epic and test HL7 V2 messages before sending them to a live system.

Understanding FHIR API Response Variations in Patient-Friendly Apps

When integrating a patient-facing application with FHIR APIs, it’s important to note that the returned data may vary. This is often due to specific filtering mechanisms in place to protect patient privacy and ensure data relevance. Here are some key points to consider:

  • Authentication-Dependent Responses: FHIR APIs tailor responses to the authenticated patient.
  • Pending Clinician Review: Data entered by patients may not appear until reviewed and reconciled by a clinician.
  • User-Friendly Terminology: FHIR APIs might return more patient-friendly terms.
  • Compliance with Regulations: Certain lab results might be excluded to align with state and local laws.
  • Optional Filtering: Community members can disable this filtering for their Epic instance, resulting in similar responses across different apps.

Epic suggests comprehensive testing of each API at every Community Member’s site before going live. This ensures you’re familiar with each API’s behavior in that particular Epic deployment.

Simplified Access to Epic-Generated SMART Health Cards

Epic’s SMART Health Cards, a standard for vaccine credentials, are generated in two ways and can be accessed via various workflows.

  • Patient Access: Patients can get their SMART Health Cards as a QR code or a downloadable file from the MyChart website or mobile apps.
  • Health System Generated QR Codes: For patients without MyChart access, health systems using Epic can generate a QR code containing the SMART Health Card.
  • QR Code Sharing: Patients can share QR codes directly from mobile devices or paper. Ensure your app can read QR codes from both sources.
  • Device Download: Patients can download their SMART Health Card onto their device. If you’re developing a compatible app, associate it with the .smart-health-card filename extension.

Remember, SMART Health Cards are open, interoperable, and built on HL7 FHIR, aligning with W3C’s Verifiable Credentials.
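
A decoder for the two delivery forms listed above (QR text and `.smart-health-card` file), as an added Python example that is not Epic's or the author's code. The encoding details (the `shc:/` numeric prefix, raw-DEFLATE payload, `ES256` header) follow the public SMART Health Cards specification; the size cap and the sample card are assumptions constructed here. The parser returns the signing input and signature so the caller can verify them against the issuer's published keys before trusting the contents; it does not verify them itself.

```python
import base64
import json
import zlib

MAX_PAYLOAD_BYTES = 64 * 1024  # assumed cap; guards against decompression bombs

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def qr_to_jws(qr_text):
    """Numeric QR text 'shc:/<digits>' -> compact JWS (each digit pair + 45 = one char)."""
    if not qr_text.startswith("shc:/"):
        raise ValueError("not a SMART Health Card QR payload")
    digits = qr_text[5:]
    if not (digits.isascii() and digits.isdigit()) or len(digits) % 2:
        raise ValueError("malformed or multi-chunk payload (chunks not handled here)")
    return "".join(chr(int(digits[i:i + 2]) + 45) for i in range(0, len(digits), 2))

def file_to_jws_list(file_text):
    """A .smart-health-card file is JSON with JWS strings under 'verifiableCredential'."""
    return list(json.loads(file_text)["verifiableCredential"])

def parse_jws(jws):
    """Split and inflate the card; the signature is returned, not verified."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "ES256" or header.get("zip") != "DEF":
        raise ValueError("unexpected JWS header")
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)  # raw DEFLATE, no zlib header
    raw = inflater.decompress(b64url_decode(parts[1]), MAX_PAYLOAD_BYTES)
    if not inflater.eof:
        raise ValueError("payload truncated or exceeds size cap")
    return {"header": header, "payload": json.loads(raw),
            "signing_input": f"{parts[0]}.{parts[1]}".encode("ascii"),
            "signature": b64url_decode(parts[2])}

def constructed_sample_qr():
    """Constructed card with a placeholder (invalid) signature, to exercise the parser."""
    header = {"alg": "ES256", "zip": "DEF", "kid": "constructed-key-id"}
    claims = {"iss": "https://issuer.example.org",
              "vc": {"type": ["https://smarthealth.cards#health-card"]}}
    deflater = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    body = deflater.compress(json.dumps(claims).encode()) + deflater.flush()
    jws = ".".join(b64url_encode(p) for p in (json.dumps(header).encode(), body, bytes(64)))
    return "shc:/" + "".join(f"{ord(c) - 45:02d}" for c in jws)

if __name__ == "__main__":
    card = parse_jws(qr_to_jws(constructed_sample_qr()))
    print(card["header"]["kid"], card["payload"]["iss"])
```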

Please note we’re only scratching the surface here. Get in touch and share your Epic EHR setup to get more clarity about integrating a custom mobile app with your electronic healthcare records system.

Let’s Build a Health App Integrated with Epic EHR

Even though it does not provide official support outside of posted documentation, there’s a clear advantage to using the platform for building innovative lightweight apps. Besides, we can help you navigate around any potential roadblocks or questions around data and medical device integration, and there’s also a Google Group that sheds some light on the EHR integration using the Epic USCDI API.

We’ll also educate you on other nuances of implementing such EPIC EMR integration (or EPIC EHR integration) projects, e.g., on the patient search feature, or any questions around existing API documentation you’re referring to. It is essential to test the parameters used in the patient search API calls to ensure that we are maximizing positive data returns.

[This blog was originally published in May 2020, but has been updated for more relevant content]

Frequently Asked Questions


What is the Epic USCDI API?

It’s a set of commands that healthcare software may exchange with other systems complying with the United States Core Data for Interoperability — a standard defining health data classes and their constituents for EHR software vendors to support.

What is FHIR?

A special API for interchanging health records data between healthcare applications and a method describing required health data format for exchanging this data between authorized software platforms.

How can I benefit from using Epic USCDI on FHIR?

Build medical software that syncs patient data from Epic EMR, commission-free.

Can I sync any patient-generated data (say, from a medical sensor) back to Epic?

Unfortunately, not with the Epic USCDI API. You can only load data from Epic to your healthcare provider-facing medical software.
