The Patient Chart app allows physicians to view a patient's medical record on their local device. It uses the OAuth 2.0 framework, which enables
the app to obtain limited access to the user's medical record from Epic's FHIR server. Once the patient or user authorizes access
to his or her account by logging into the Epic Patient Portal, the physician can view the patient's medical record without
logging into the Epic system. The app reads information from Epic's FHIR server using the following APIs and the access
token it receives from Epic's authorization server, and displays the content on the screen if access is granted.
The app complies with the following Developer Guidelines as well as the ONC Certification criteria.
Security: The Patient Chart app uses HTTPS to read data from Epic's FHIR server and has built-in timeout functionality that logs the user out automatically after 15 minutes of inactivity. To resume or regain access after a timeout, the user has to log in again using OAuth 2.0.
Privacy: The app uses Epic's approved OAuth 2.0 standard as the mechanism for authorization and access to patient data. The app only reads data from the Epic FHIR server and does not store any patient data in any form on the local device. Only the user session information, along with the patient ID, is stored in a secure database for the audit log. The audit log is kept for 15 days. Once a user logs out, all data is completely removed from the user's device and cannot be accessed again without logging back in using OAuth 2.0.
Data Integrity: The patient's medical record information is displayed on the screen exactly as it is received from the Epic FHIR server, without alteration. However, some received datasets are used to run calculations that display more meaningful content to the user. For example, when height and weight are received for a patient, the app calculates the BMI from them and displays it on the screen. The app does not store any data on the user's local device.
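The derived-value case described above, as an added example that is not the Patient Chart app's own code: height and weight Observations (standard LOINC codes 8302-2 and 29463-7) are normalised to metres and kilograms, the BMI is computed, and unknown units or a missing measurement yield no value rather than a wrong one. The sample Observation resources are constructed here, not real patient data.

```python
import copy

HEIGHT_LOINC = "8302-2"   # LOINC: body height
WEIGHT_LOINC = "29463-7"  # LOINC: body weight

# Conversion factors to metres / kilograms for common UCUM unit codes.
TO_METRES = {"cm": 0.01, "m": 1.0, "[in_i]": 0.0254}
TO_KG = {"kg": 1.0, "g": 0.001, "[lb_av]": 0.45359237}


def _quantity(obs, code, factors):
    """Return the Observation's value in the base unit, or None if it does not match."""
    codings = obs.get("code", {}).get("coding", [])
    if not any(c.get("system") == "http://loinc.org" and c.get("code") == code for c in codings):
        return None
    q = obs.get("valueQuantity")
    if not q or "value" not in q or q.get("code") not in factors:
        return None  # unknown unit: refuse to guess rather than display a wrong number
    return float(q["value"]) * factors[q["code"]]


def bmi_from_observations(observations):
    """Return BMI rounded to one decimal, or None when height or weight is unavailable."""
    height = weight = None
    for obs in observations:
        height = height if height is not None else _quantity(obs, HEIGHT_LOINC, TO_METRES)
        weight = weight if weight is not None else _quantity(obs, WEIGHT_LOINC, TO_KG)
    if not height or weight is None:  # 'not height' also rejects a zero height
        return None
    return round(weight / (height * height), 1)


# Constructed sample Observations (not real patient data).
SAMPLE = [
    {"resourceType": "Observation",
     "code": {"coding": [{"system": "http://loinc.org", "code": "8302-2"}]},
     "valueQuantity": {"value": 170, "unit": "cm", "code": "cm", "system": "http://unitsofmeasure.org"}},
    {"resourceType": "Observation",
     "code": {"coding": [{"system": "http://loinc.org", "code": "29463-7"}]},
     "valueQuantity": {"value": 150, "unit": "lb", "code": "[lb_av]", "system": "http://unitsofmeasure.org"}},
]

if __name__ == "__main__":
    before = copy.deepcopy(SAMPLE)
    print("BMI:", bmi_from_observations(SAMPLE))  # → 23.5
    assert SAMPLE == before  # the received resources themselves are never modified
```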
Quality Assurance/Reliability: The Patient Chart app has gone through several iterations of quality assurance during and after the development process and does not negatively impact clinical operations or patient safety. The app was developed with the user in mind, and its design is user-centric, allowing easy navigation between multiple sections.
Patient Selection: All data between the app and the FHIR server is exchanged over a secure, trusted HTTPS connection using the access token and the unique patient ID. The access token and patient ID are provided by Epic's FHIR server for a particular user account after the user (patient) grants access to the app.
Audit Logs: The app has built-in functionality to create an audit log for each session. The audit log is kept for 15 days and can be viewed by an administrator from a separate admin console.
For more information, please contact us at email@example.com.