Interoperability & Data API Guidelines
This procedure page outlines guidelines for implementing the FHIR interoperability standards (as defined by DHCS/CalAIM initiatives) within San Mateo County’s BHRS system. Adopting FHIR is crucial for enhancing interoperability, data exchange, and communication among the various stakeholders within the behavioral health domain.
This document outlines guidelines for the implementation of FHIR standards within the San Mateo County Behavioral Health and Recovery Services (BHRS) system in compliance with the CMS Interoperability Rule. These guidelines ensure the secure exchange of patient data across healthcare entities, including healthcare providers and third-party applications.
Interoperability Objectives
1. Facilitate seamless data exchange: FHIR implementation will enable the secure and efficient exchange of patient data between different healthcare entities within the county behavioral health system.
2. Improve care coordination: By standardizing data formats and protocols, FHIR will support better coordination of care among behavioral health providers, primary care physicians, social services agencies, and other relevant entities.
3. Enhance patient outcomes: Access to comprehensive and up-to-date patient information through FHIR will enable providers to make more informed decisions, leading to improved patient outcomes and quality of care.
4. Ensure data privacy and security: The policy emphasizes compliance with relevant privacy and security regulations, such as HIPAA, to safeguard patient information during its exchange and utilization.
Infrastructure and Framework (FHIR)
The document outlines a structured approach for implementing FHIR standards within the county behavioral health system, including technical specifications, data mapping, and integration with existing health IT infrastructure. San Mateo County BHRS Infrastructure for FHIR is provided through our primary health care system: Netsmart.
- Technical Specifications: The FHIR API follows the FHIR v4.0.1 standard, and access to it is authorized via OAuth 2.0.
- Data Mapping: Data from claims, encounters, and provider directories is integrated into the API in real time.
Governance and Oversight
The County understands that establishing governance structures and oversight mechanisms is crucial for managing FHIR implementation projects, ensuring compliance with policies, and resolving any issues or disputes that may arise.
In observance of that need, San Mateo County relies on the guidance provided by state regulators, DHCS, county health division leadership, and county health governance committees. San Mateo BHRS is also fully engaged in adhering to the privacy policy parameters outlined by DHCS and to the SUD privacy policy directed by 42 CFR Part 2.
Link to San Mateo County BHRS: General HIPAA, Privacy and Security control/release of information release pages
Connecting with San Mateo County BHRS Patient and Provider APIs
County works with Netsmart to provision 3rd party access upon request. Netsmart provides the County the capability to manage this entirely.
Full documentation, API syntax, configurations, technical requirements, parameters, and API handling can be found on the Netsmart FHIR Developer Portal: https://careconnect.netsmartcloud.com/
Prospective partners must contact bhrs-it-support@smcgov.org to request the start of the OAuth account creation and token authentication process.
Again, the County observes and supports FHIR standard v4.0.1 protocol.
The policy defines interoperability requirements for software vendors, healthcare providers, and other stakeholders involved in the exchange of behavioral health data.
How to Connect with county FHIR API:
- A request is made to BHRS-IT-Support@smcgov.org to initiate the review process for establishing a connection to our FHIR API.
- A county software vendor security review and assessment will likely need to be completed with the vendor.
- County will partner with vendor and our Netsmart system to provision/de-provision 3rd party access upon request or need.
All API vendors/partners are expected to adhere to the following data sharing policy/procedure guidelines:
- Security Risk Analysis:
  - Compliance with ISD/HIT security assessments, establishment of a county software business operating agreement, and audit reviews as determined to be needed.
- Risk and Notification:
  - If continued access is determined to present an unacceptable security risk, the County will notify the third-party application provider of the decision and remove access temporarily or permanently.
  - Remediation is reviewed at the discretion of County ISD/HIT governance.
- Decision to Deny/Discontinue:
  - If, after security reassessment, the County reasonably determines that the security risks remain unacceptable, it will proceed with the decision to deny or discontinue the third-party application’s connection to the API.
- Notification of Decision:
  - The County will notify the vendor and County partners/stakeholders, including affected users, healthcare providers, and the organization’s internal IT and security teams, of the decision to deny or discontinue API access for the specific third-party application.
- Documentation:
  - All policy and procedure decisions to enable, remove, or terminate data sharing agreements are documented to meet HIPAA retention requirements.
- Compliance:
  - BHRS privacy and security guidelines for data sharing are mirrored in the FHIR API standards. Vendor compliance ensures that sensitive patient information is shared securely and in accordance with the consent guidelines mandated by federal and state regulation, meeting the highest standards of confidentiality and data protection. Our policy emphasizes the responsible use of the FHIR API: safeguarding mental health and SUD data through member consent, protecting it against unauthorized access, and ensuring a trusted and interoperable healthcare environment.
Patient Access API
Claims and Encounter Data:
Encounter data is mapped and referenced directly through Netsmart’s Avatar system via the FHIR portal.
Member Claims information is populated using 835 data available in Netsmart Cal-PM and MSO modules. Only data electronically received and posted via an 835 will be listed in the EOB resource.
- In Netsmart’s Cal-PM module, this will be once the 835 file has been posted in the “835 Health Claim Payment/Advice” form.
- In Netsmart’s MSO module, this is available once an 835 is generated for the inbound 837.
- All data that Netsmart’s interoperability calls reference from these modules is reported and output in real time.
Availability of Data: All patient data maintained by BHRS for services on or after January 1, 2016, will be available within one business day after a claim is adjudicated or encounter data is received.
Privacy and Security: BHRS ensures secure exchange of health data via FHIR APIs while adhering to HIPAA and federal privacy guidelines along with those defined within the state under 42 CFR statutes.
Publicly Accessible API: https://fhir.netsmartcloud.com
Provider Access API
Provider Data and 274 Provider Directory Data Requirements:
San Mateo County BHRS commits to adhering to the 274 Provider Data Requirements set forth by state and federal regulatory agencies for Mental Health and DMC-ODS. Data is kept in real time and reflected immediately upon requested provider updates. Evidence of required changes is provided by audit and by real-time review of our charted Provider data on this webpage. This 274 data table is updated and entered directly through Netsmart’s Avatar system and fulfills the 30-day requirement dictated by regulation. Evidence of the compliance and accuracy of this data is required per audit and state agency review.
For the Fast Healthcare Interoperability Resources (FHIR) Provider Access API, this data is directly configured to be mapped from our 274 Provider data file. This ensures the accuracy, security, and interoperability of shared provider data, emphasizing compliance with FHIR standards. We prioritize maintaining up-to-date and complete information, implementing proper security and data handling measures. We also comply with independent, state, and federal regulatory agencies for audit and review of our reported provider data annually.
As noted, full API data and documentation for the Patient and Provider API configuration items can be found on the Netsmart FHIR Developer Portal in a publicly accessible API: https://fhir.netsmartcloud.com
Per DHCS requirement, the base URL for our Provider Directory can be accessed here: https://fhir.netsmartcloud.com/payer/provider-directory/v2/1639ac79-9144-4699-a38b-eb956f258677/
BHRS’s clinical system records and actively maintains logs of provider directory updates and conducts regular monitoring and auditing.
Member Educational Resources
A publicly accessible link to educational resources is provided to ensure members understand how to protect the privacy and security of their health information. The following is a list of health organization standards that third-party health apps must meet and that subscribers must understand when signing up for access to these apps:
- The importance of understanding the privacy practices of third-party applications: patient-privacy-and-security-resources.pdf (cms.gov)
- Oversight by the Federal Trade Commission (FTC) on third party and mobile health app as well as access to submit complaints (see Oversight section below): Mobile Health App Interactive Tool | Federal Trade Commission (ftc.gov)
- Health and Human Services Third Party App API member access rights and compliance: The access right, health apps, & APIs | HHS.gov
Routine Testing and Monitoring
To ensure API performance and compliance:
- Routine Testing: BHRS will conduct ongoing tests via a third-party FHIR API Python app that sends and retrieves sample patient data generated in a standard environment directly on our Avatar system. SMC will run standard patient/provider calls and validate the data retrieved from the Patient Access and Provider Directory APIs to verify accuracy and functionality.
- Utilization Metrics: Starting in 2025, BHRS will submit quarterly reports of API utilization, including error rates, unique API consumers, and third-party applications using the API.
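As an added illustration of the validation step in the routine testing above (example code, not BHRS’s or Netsmart’s own testing app), the following Python checks a Provider Directory search response against the 30-day update requirement cited on this page and flags resource types that should not appear in a public directory. The Bundle is constructed sample data, and the set of allowed directory resource types is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone
# Resource types a payer Provider Directory search is expected to return (assumption).
ALLOWED_TYPES = {"Practitioner", "PractitionerRole", "Organization", "Location"}
MAX_AGE = timedelta(days=30)  # the 30-day update requirement cited on this page

# Constructed sample response in FHIR R4 searchset Bundle shape (not real directory data).
SAMPLE_BUNDLE = json.loads("""
{
  "resourceType": "Bundle", "type": "searchset", "total": 3,
  "entry": [
    {"resource": {"resourceType": "Practitioner", "id": "p1",
                  "meta": {"lastUpdated": "2025-01-10T08:00:00Z"},
                  "name": [{"family": "Example", "given": ["Ana"]}]}},
    {"resource": {"resourceType": "Organization", "id": "o1",
                  "meta": {"lastUpdated": "2024-11-01T08:00:00Z"},
                  "name": "Example Clinic"}},
    {"resource": {"resourceType": "Patient", "id": "x1",
                  "meta": {"lastUpdated": "2025-01-10T08:00:00Z"}}}
  ]
}
""")

def parse_instant(value):
    """FHIR instants are ISO 8601; fromisoformat() needs the trailing Z spelled as +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_provider_bundle(bundle, now):
    """Return (resource id, problem) tuples; an empty list means the bundle passed."""
    if bundle.get("resourceType") != "Bundle" or bundle.get("type") != "searchset":
        return [("bundle", "not a FHIR searchset Bundle")]
    problems = []
    for entry in bundle.get("entry", []):
        res = entry.get("resource", {})
        rid, rtype = res.get("id", "<no id>"), res.get("resourceType")
        if rtype not in ALLOWED_TYPES:
            # A clinical resource (e.g. Patient) in a public directory response is a
            # data-exposure finding, not a directory record: flag it and move on.
            problems.append((rid, f"unexpected resource type {rtype}"))
            continue
        updated = res.get("meta", {}).get("lastUpdated")
        if updated is None:
            problems.append((rid, "missing meta.lastUpdated"))
        elif now - parse_instant(updated) > MAX_AGE:
            problems.append((rid, "not updated within 30 days"))
    return problems

def check_sample():
    # Run the validator over the constructed Bundle as of a fixed test date.
    return validate_provider_bundle(SAMPLE_BUNDLE, parse_instant("2025-01-15T00:00:00Z"))
```

For a live check, replace SAMPLE_BUNDLE with the parsed JSON of a search against the Provider Directory base URL and pass datetime.now(timezone.utc) as now.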
Security and Access Controls
BHRS actively takes the following steps to help protect the privacy and security of members’ health information:
- Compliance to privacy and data sharing guideline measures set forth by DHCS, federal, and state governing bodies
- Regularly scheduled audits of data and privacy controls by governing boards and independent auditors
- Secure internal health data, HIPAA-compliant vendor communications, and multifactor authentication
- Multiple tiers of software security monitoring and required vendor security software assessments/clearances
- Disaster and data loss recovery plans regularly reviewed and audited
- Employ secure network communication protocols
General HIPAA-Covered Entities, Non-entities and Oversight Agencies
HIPAA (Health Insurance Portability and Accountability Act) covers entities that handle protected health information (PHI).
Covered entities include:
- Healthcare Providers: Doctors, hospitals, clinics, psychologists, and pharmacies.
- Health Plans: Health insurance companies, HMOs, company health plans, and government programs like Medicare and Medicaid.
- Healthcare Clearinghouses: Entities that process nonstandard health information into a standard, interoperable format.
Entities or individuals that generally are not covered by HIPAA include:
- Employers: Employers, except in certain situations related to employee health plans.
- Life Insurers: Companies providing life insurance.
- Schools: Most schools, unless they provide healthcare to students through a separate healthcare provider.
Oversight Responsibilities:
- Office for Civil Rights (OCR): Part of the U.S. Department of Health and Human Services (HHS), OCR enforces HIPAA privacy and security rules for covered entities. It investigates complaints and conducts audits to ensure compliance.
- Federal Trade Commission (FTC): The FTC plays a role in enforcing privacy and security standards for non-HIPAA-covered entities, such as mobile health apps and health-related websites. It promotes consumer protection and addresses deceptive or unfair practices.
Submitting a Complaint to OCR: If you believe your rights under HIPAA have been violated, you can file a complaint with OCR:
- Online: Visit the OCR Complaint Portal on the HHS website.
- Mail: Send a written complaint to the appropriate regional OCR office.
Submitting a Complaint to FTC: To file a complaint against non-HIPAA-covered entities, you can use the FTC Complaint Assistant:
- Online: Visit the FTC website and use the Complaint Assistant tool.
- Phone: Call the FTC’s Consumer Response Center.
In both cases, providing detailed information about the incident will help the agencies investigate and address the complaint effectively. Keep in mind that the OCR and FTC work collaboratively to ensure comprehensive oversight and protection of health information privacy.