Could you illustrate a multiple EHR scenario using FHIR, including the aspect of trust and governance?
Answer from HL7 FHIR Governance Board Co-Chair and Corepoint Health CTO Dave Shaver:
Tags: FHIR, FHIRworks
Great question. I think one of the things that's really clear is we just can't willy nilly allow different applications to talk to one another. This is one of the challenges we have on the high cycle — the expectations that we're magically going to be able to extract data from anywhere, anytime.
I think the short answer is that governance is an issue with FHIR that's yet to be solved. Today, the answer for trust is to use OAuth 2.0 and basically punt it back to the EHRs. If a provider has a cloud environment and they have an EHR at one facility and other EHRs at another facility, you can imagine, from a technical standpoint, of going through the cloud to pull information or access information from one place and pulling it to another location.
What is to be developed is that governance and that trust framework for how the API on one application knows that the user on another application is authorized to gain access to the information they're querying. The way that has been focused today is that it is the responsibility of the application to provide that control in the EMR.
Today's solution is that we use an HIE with a sharing platform. We don't use FHIR; instead, the approach is that we take documents and we push them into a database in the sky. Facilities are then able to pull those documents back. I think that concept will be leveraged as part of FHIR. But we haven't gotten there yet.
The first phase of FHIR will be: How do we get these applications inside my four walls that already have trust established to talk to one another?