Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and EHR for FREE!

A Look At Share Everywhere, Epic’s Patient Data Sharing Tool

Posted on September 28, 2017 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Lately, it looks like Epic has begun to try and demonstrate that it’s not selling a walled garden. Honestly, I doubt it will manage to convince me, but I’m trying to keep an open mind on the matter. I do have to admit that it’s made some steps forward.

One example of this trend is the launch of App Orchard, a program allowing medical practices and hospitals to build customized apps on its platform. App Orchard also supports independent mobile app developers that target providers and patients.

Marking a break from Epic’s past practices, the new program lets developers use a FHIR-based API to access and Epic development sandbox. (Previously, Epic wouldn’t give mobile app developers permission to connect to its EMR unless a customer requested permission on its behalf.) We’ll have to keep an eye on the contracts they require developers to sign to see if they’re really opening up Epic or not.

But enough about App Orchard. The latest news from Epic is its launch of Share Everywhere, a new tool which will give patients the ability to grant access to their health data to any provider with Internet access. The provider in question doesn’t even have to have an EHR in place. Share Everywhere will be distributed to Epic customers at no cost in the November update of its MyChart portal.

Share Everywhere builds on its Care Everywhere tool, which gives providers the ability to share data with other healthcare organizations. Epic, which launched Care Everywhere ten years ago, says 100% of its health system customers can exchange health data using the C-CDA format.

To use Share Everywhere, patients must log into MyChart and generate a one-time access code. Patients then give the code to any provider with whom they wish to share information, according to a report in Medscape. Once they receive the code, the clinician visits the Share Everywhere website, then uses the code once they verify it against the patient’s date of birth.

As usual, the biggest flaw in all this is that Epic’s still at the center of everything. While patients whose providers use Epic gain options, patients whose health information resides in a non-Epic system gain nothing.

Also, while it’s good that Epic is empowering patients, Direct record sharing seems to offer more. After all, patients using Direct don’t have to use a portal, need not have any particular vendor in the mix, and can attach a wide range of file formats to Direct messages, including PDFs, Word documents and C-CDA files. (This may be why CHIME has partnered with DirectTrust to launch its broad-based HIE.)

Participating does require a modest amount of work — patients have to get a Direct Address from one of its partners — and their provider has to be connected to the DirectTrust network. But given the size of its network, Direct record sharing compares favorably with Share Everywhere, without involving a specific vendor.

Despite my skepticism, I did find Share Everywhere’s patient consent mechanism interesting. Without a doubt, seeing to it that patients have consented to a specific use or transmission of their health data is a valuable service. Someday, blockchain may make this approach obsolete, but for now, it’s something.

Nonetheless, overall I see Share Everywhere as evolutionary, not revolutionary. If this is the best Epic can do when it comes to patient data exchange, I’m not too impressed.

How Trust Communities Enable Direct Networks

Posted on June 13, 2014 I Written By

Julie Maas is Founder and CEO of EMR Direct, a HISP (Health Information Service Provider) whose mission is to simplify interoperability in healthcare through the use of Direct messaging EHR integration and other applications. EMR Direct works with a large developer community to enable Direct for MU2 and other workflows using a custom, rapid-integration API that's part of the phiMail Direct Messaging platform. Julie is passionate about improving quality of care and software user experience, and manages ongoing interoperability testing within DirectTrust. Find Julie on Twitter @JulieWMaas.

Have you noticed the DTAAP-Accredited logos on your Direct provider’s web site?  These indicate the vendor has successfully completed the related audits stipulating a high bar of security and privacy practices established by DirectTrust.  DirectTrust was spawned from a Direct Project workgroup, and is a non-profit trade organization which establishes best practices and oversees accreditation programs for the businesses providing Direct-related services, in association with EHNAC.  In addition to HISPs, the DTAAP program also accredits Certification Authorities (CAs) and Registration Authorities (RAs). The HISP, CA and RA roles can be performed by the same organization. Most Direct Messaging CAs operate in only in the Direct space, but a few also issue certificates in the general public internet space, as well.

Direct Certificates are issued by CAs who follow a regular procedure to put their stamp of approval on a digital identity and its corresponding cryptographic key used for securing Direct messages.  This process is complemented by that of a Registration Authority, who performs the actual vetting of individuals and often the archival of related documentation as well.  Level of Assurance (LoA) is another term used a lot in the Direct space. Depending on the degree to which an individual’s identity has been vetted, and how certificates are managed and accessed by users, a Direct Exchange transaction can be assigned a Level of Assurance. When exchanging health information between providers, for example, you want a high Level of Assurance that the party you’re exchanging with is, in fact, the same party whose name is listed on the corresponding digital certificate.

HISPs who are either accredited or are at least part-way down that path may seek inclusion of the corresponding CA’s trust anchor in DirectTrust’s anchor bundle, a collection of trust anchors for Direct communication published and regularly updated by DirectTrust.  Since Direct messaging is based on bidirectional trust, the Participating HISPs can rely on the Transitional Trust Bundle to provide their customers with a uniform and up-to-date network of interconnected senders and receivers. The DirectTrust bundle consists of trust anchors representing a large portion of the EHR community.

These HISPs make up the DirectTrust Network, a so-called “trust community”. There are other trust communities such as those managed by the Automate the BlueButton Initiative (ABBI), with corresponding Provider- and Patient-centered bundles.  Trust communities and their corresponding trust bundles serve an important purpose, because Direct messages are only exchanged successfully between trusted Direct Exchange partners. Remember that if one party does not trust the other, the messages are dropped silently, and automating loading and maintenance of trust anchors for a community using a trust bundle sure beats manual loading and unloading of each of these anchors by each of the members, or other old-style one-off interfaces between systems.

So, to get the most out of Direct, climb out of your silo and go join a trust community today!