HealthFolder from Engage
To assist our customers moving to MEDITECH Expanse off of their legacy HIS and EMR systems, Engage offers an EMR agnostic data repository to house patient data you’ve decided not to migrate into your new Expanse system. This allows you to sunset those
legacy systems in favor of a simpler, read-only, cost-efficient and time-stable format.
Costly legacy EMR licensing, hosting support, and maintenance are a drain on the financial health of your organization. 99% of legacy data can be stored as PDF reports, simplifying data migration while retaining quick search and access for your end users
via a web-based frontend backed by Microsoft Azure.
Retire your legacy EMR and put your data into a secure, read-only, time-stable format.
Why HealthFolder from Engage?
- Secure. Data risk is financial risk.
- Simple interface, designed specifically for patient medical record search.
- No end-user training or installs needed.
- User activity audit and monitoring.
- Source EMR/Health Information System (HIS) agnostic.
- Link to patient archive records from within your new EMR/EHR, enabled by patient-ID cross references.
- Longitudinal data views (meds, vitals, lab results).
HealthFolder is an Engage software-as-a-service (SaaS) offering. The application is browser-based, requiring no client-side installs. Provider authentication is via your Active Directory Federation Services. Multi-factor authentication is required and
can be satisfied using your in-house MFA or using the application’s built-in two-factor authentication. While there are three discrete longitudinal data views, the majority of data is stored in time-stable PDF format.
Data loading is performed via a restricted REST web services-based API. Most clients opt to have Engage perform the data load.
Unlike "document management" systems, HealthFolder was designed specifically for the archiving of legacy EMR data with an explicit security-first approach. In fact, many traditional document management features were excluded in favor of better
securing the reposed data. A health record data archive reposes a wealth of patient data, representing an attractive target for malicious actors. Reducing data holding risk and cost is likely your primary driver for retiring your legacy EMR.
Recurring Penetration Testing
Engage works with third-parties to have both application specific and system-wide penetration testing performed on a recurring basis. HealthFolder received a “highly secure” rating by the Lares security company.
User Activity Logging
A high percentage of PHI breaches occur in house or with the assistance of valid provider credentials. There is extensive user activity logging and monitoring built into the HealthFolder architecture to monitor document search and retrieval activity.
Every user action is logged.
Activity Audit, manual
Audit screens facilitate data access log reviews with chronological filters by user, patient or report type. Log entries are human readable making it easy to form an impression of the end-user’s activity, second-by-second. Report dwell times can be
easily inferred. VIP searches and record views are highlighted along with the user’s VIP search justification.
Activity Monitoring - active and automated
Most external breaches are via phished employee credentials. At times, employees are even tricked into disclosing their multi-factor token PINs.
In the event your staff's credentials are compromised or a credentialed user acts improperly, there is real-time volume-based record access throttling and alerting in place. A service continually monitors user activity. Based on that activity, proactive
alerts are issued and/or the end-user’s access is automatically blocked.
Users are granted one of several data retrieval velocity/volume profiles which define when protective actions trigger. This is performed for search, document view and download activity. Users are permitted to perform a set number of searches, downloads
and document views within numerous sliding time spans. All users default into the low usage group. The highest velocity group is constrained well within ‘normal human business activity’ so that malicious scripting activity is automatically terminated.
Trigger points are defined within the system and configurable per client; details are not published here but may be further disclosed during your product selection security review.
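The sliding-window throttling described in this section, sketched as an added example (not Engage's code). The profile name, window lengths and alert/block thresholds are hypothetical, since the page does not publish the real trigger points.

```python
from collections import deque

# Hypothetical "low usage" profile: per action, a list of
# (window_seconds, alert_at, block_at). Values are constructed for illustration.
PROFILES = {
    "low": {
        "search":   [(60, 5, 10), (3600, 40, 80)],
        "view":     [(60, 8, 15), (3600, 60, 120)],
        "download": [(60, 3, 6), (3600, 20, 40)],
    },
}

class UserMonitor:
    """Tracks one user's activity across several sliding time spans."""

    def __init__(self, profile="low"):
        self.rules = PROFILES[profile]
        self.events = {}        # action -> deque of timestamps (seconds)
        self.blocked = False    # cleared only by an out-of-band admin step

    def record(self, action, ts):
        """Register one action at time ts; return 'ok', 'alert' or 'blocked'."""
        if self.blocked:
            return "blocked"
        q = self.events.setdefault(action, deque())
        q.append(ts)
        longest = max(w for w, _, _ in self.rules[action])
        while q[0] <= ts - longest:          # drop events outside every window
            q.popleft()
        verdict = "ok"
        for window, alert_at, block_at in self.rules[action]:
            count = sum(1 for t in q if t > ts - window)
            if count >= block_at:            # blocking threshold reached
                self.blocked = True
                return "blocked"
            if count >= alert_at:            # notify point contacts
                verdict = "alert"
        return verdict

def replay(events, profile="low"):
    """Run (timestamp, action) pairs, in time order, through one monitor."""
    mon = UserMonitor(profile)
    return [mon.record(action, ts) for ts, action in events]

# Constructed sample traffic (not real logs).
HUMAN = [(i * 30, "view") for i in range(10)]    # one view every 30 s
SCRIPT = [(i, "view") for i in range(20)]        # one view per second
SLOW = [(i * 50, "view") for i in range(80)]     # paced under the 60 s rule

if __name__ == "__main__":
    for name, ev in (("human", HUMAN), ("script", SCRIPT), ("slow", SLOW)):
        print(name, replay(ev))
```

The paced `SLOW` sample stays under the one-minute rule but still raises an alert from the hourly window, which is why more than one time span is evaluated.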
Point contacts within your organization are alerted when abnormally high view activity is detected. The user’s access is subsequently blocked by the application when it reaches defined ‘blocking’ thresholds; the user is alerted on screen as are point
contacts within your organization (via email or cellular text). Engage administration will clear the block upon request if authorized by appointed client controllers. The client-side application administrator cannot clear the block themselves, by
Client-side two-factor authentication (2FA) is required to access the application. This can be satisfied using your in-house MFA, or by using HealthFolder’s built-in 2FA. The in-app 2FA supports both QR-code TOTP (time-based one-time passcode) app registration
and OTP via SMS/text. By security design, we do not support 2FA via email.
Client-Side Authentication via ADFS
We require authentication via Active Directory Federation Services (ADFS) for several reasons, but one is so that a departed employee’s access can be, and is, handled as quickly and as automatically as your internal processes allow. As soon as the user
is inactivated in your active directory, they no longer have access to the archive. If by chance your termination processes do not move rapidly, Engage can inactivate individual users for you at the application level as well.
On-Site vs Off-Site Access
Your active directory policy will determine from where your users can authenticate into the application. If your IT staff is unfamiliar with how to restrict this within ADFS, Engage SMEs can assist.
- Web application HTTP requests and responses are encrypted via SSL from the user’s browser to the application server.
- All data transit between the client, web application servers and databases is encrypted.
- Transactions between the Engage data center and Azure data stores are encrypted at the transaction level and performed within a VPN.
- At-rest medical reports are encrypted.
- Back-ups are encrypted.
Minimal Demographic Consolidation
Demographic data stored in table form is limited to only that needed for end-user document search and search result confirmation. For example, address, phone numbers and relations are not found in a patient demographic table as it is not required for
search. A point-in-time address would be found within a medical record admitting (PDF) report. In short, from a data theft perspective, we've devalued the consolidated demographic payload.
Read Only Data State
Unlike most document management systems, HealthFolder is a read-only, patient-centric health record repository designed for healthcare provider access. The only exception is the permitted ongoing maintenance of patient identifier cross-references. This
significantly reduces the possibility of malicious or unintended data destruction or alteration. Your archive is only modifiable during the data load phase and only via the data load API by Engage credentialed users.
Load API Use Restrictions
While Engage will likely perform the data import for you, some clients opt to do their own data load. WebService APIs are available for loading data during initial data migration. These APIs follow standard security protocols but are further restricted
by intentional design decisions.
- All APIs are insert and update only. There are no data retrieval or data deletion APIs.
- API service accounts are terminated upon data migration completion, by policy.
- API user accounts issued for data migration have explicit expiration dates. A data load account cannot be inadvertently left active.
- API user accounts have two auto-expiration mechanisms.
- The API is domained separately from the end-user application, restricting its use within a more restricted point-to-point VPN profile.
- Data purge actions are mitigated by a two-party multi-step process with separation of concerns.
- The API leverages an expiring bearer token authentication scheme with standard session expiration handling.
Specific questions regarding API authentication and protection methods will be discussed with your IT team if your organization performs the data import. Details are not further published here.
Network Traffic Monitoring
Our network infrastructure further limits high traffic/request activity. Requests are limited by:
- Originating geography
- Request volumes/patterns
- Active IP interrogation
Again, network-level protections are the same protections applied to our hosted Meditech HIS systems.
Data Center Storage and Hosting
The HealthFolder application uses a hybrid data storage approach. All data is stored within either Engage data centers or Azure cloud storage. HealthFolder is hosted in the same data centers hosting all Engage hosted Meditech systems, with the same
access protections, monitoring, disaster recovery and redundancy.
End-User and Data Access Support
You and your providers are supported 24x7 by analysts familiar with the application and its architecture. Formal SLA is 24x7x365 including tiers 1, 2 and 3.
Data Retention Risk Reduction
Data has value to the provider, and yes, is necessary to meet your state's legal data retention requirements. Beyond that, old records are a data risk representing real financial cost. Should you choose, we will work with you to define data reduction
business rules that execute on an annual or other recurring frequency. This reduces both your data risk and your HealthFolder subscription fees.
End of Contract Support
When archiving data with Engage, you don't assume a "data hostage" risk position. If you decide to terminate your HealthFolder subscription, perhaps due to a health system consolidation, we will work with you to provide a full data extract and securely
deliver your data back to you. If this is done in alignment with our normal delivery process it will be at no charge to you. You'll receive PDFs of all archived reports along with the structured defining metadata. You won't find this to
be the case with other archive services that convert your data into proprietary data structures.
Patient Health Record Search - Core Module
The search module allows for the searching and viewing of patient health records, maintaining patient identity cross-references and performing user access audits. The archive is source-system agnostic; archive all your legacy EMRs into a single cross-referenced
Pricing is simple and cost efficient.
The recurring document storage and subscription fee is based on archived report count. Pricing is $300 per month per million-documents with a 5-million document minimum ($1,500/month). Tiered discounts apply after 10-million documents and are
We don’t want you unnecessarily restricting provider access to patient data. For this reason, we do not price HealthFolder on user count, provider count, patient count, bed count, source EMR count or post-live transaction activity. Provision as
many user accounts as is appropriate for patient care. What's more, we will work with you to define annual data purge rules so you can reduce your data retention risk and cost over time.
Implementation and data migration is quoted on a per project basis. Trust Engage to perform your legacy Meditech system data extractions.
End-of-contract data delivery back to you is provided at no charge, assuming a standard three-year contract term.
The Health Record Search screens are purposefully simple with a singular focus -- enable providers to quickly find archived patient medical records without training or undue interruption to patient care time.
No training required: Record search and review was designed with a no-training-required objective. Your providers are busy learning their new EMR, you don't need to train them on how to access archived patient records.
AD credentials: No new credentials to remember. Your providers use their existing active directory credentials to authenticate via your ADFS.
Providers can easily search for and find the archived patient records they are seeking:
In-context EMR linking: Link to archived patient records from within your non-legacy EMR. Launch an archived records search from within your EMR's patient context, passing the non-legacy EMR's patient identifier. We'll show you how to configure
this in Meditech Expanse.
Automatic cross-reference search: Automatically expand your record search across patient documents archived from multiple source EMRs, using one system patient identity.
Patient finding: Search for patients by partial name, source-EMR identifier, visit number, or your non-legacy EMR patient identifier.
Provider filtering: Filter results by related providers, selecting providers by partial name or NPI.
Record type filtering: Filter patient records by date, report type or visit number.
Longitudinal data views: While most data will be reposed as PDF documents, HealthFolder supports the loading and display of several longitudinal data types including lab results, vitals and medications. Longitudinal data searches respect all
the filters above.
Exports: Export reports or longitudinal data views (with appropriate system logging of course).
Patient access request view: Select numerous documents for export to a single PDF in order to more quickly satisfy patient access requests - coming soon.
There are two specialty role screens:
Audit Views: As described in the security section, all user activity is logged, click-by-click. Audit views enable your security staff to perform targeted or ad-hoc reviews of user activity from a named user, patient, or record type perspective.
This is a role restricted screen.
Patient cross-reference maintenance: Merge or demerge patient identities, including patient identities from your new/current EMR. This is a role restricted screen.
Scan & Attribute (S&A) Module
For the archiving of aged paper documents, Engage offers a “scan and attribute” module by which you can migrate your paper document stores into HealthFolder, after which you can attribute those documents for quicker search within the core module if desired.
These documents differ from data exported from a legacy EMR in that they lack defining metadata and may not even be patient records. At their simplest, they are paper documents in boxes consuming valuable real-estate that are both difficult to access
and difficult to search.
This module follows the same pricing structure and rates as the core module, but with its own document count minimum. Document counts from all modules are combined when determining volume discounts. Since older scanned documents may be of a larger file
size than basic reports converted from text to PDF, there is a GB surcharge of $0.15/GB when the average document size exceeds expected norms. We will work with you to properly size documents during data load.
The S&A module facilitates basic searching and viewing of the scanned documents. If you desire that content to be full-text searchable, this can be accommodated as well but at an additional search index storage cost. Typical costs range between $100 - $500 per month.
Additional implementation costs apply if you would like us to assist with data conversion and brokering/upload.
The S&A module is designed as a two-stage workflow: (1) Scan and upload and (2) Attribute.
Scan and Upload
Your document management staff can image paper documents via your scanner and upload them in volume to the data archive. Documents are uploaded into virtual batches or "box" containers with labels corresponding to their physical container labels and
locations. The container labelling scheme accommodates batch sequences, date ranges, alpha ranges and free text labelling.
Once your staff validates page counts and has previewed the documents in HealthFolder, the physical documents can be destroyed. It may be some time before your HIM staff attributes the documents, so we've made searching for and filtering through these
virtual boxes more efficient with batch and document search filters, and should you choose, full-text indexing.
As with the core module, all user actions are logged for PHI accountability and are reviewable in the same audit screen.
An API facilitates importing scanned content in large volumes, but documents can also be uploaded using a standard web browser.
Attribute & Search
Once scanned and uploaded, the documents can be attributed by HIM staff, enabling the records to be searched for and viewed in the Patient Health Record Screen/Module. This makes servicing future patient record access requests more efficient. While
scanned documents are treated as coming from a different "source EMR", the newly attributed documents can be cross-matched to existing patient identities from the other source EMRs.
Not A Document Management System
HealthFolder is a referenceable patient health record data archive (PHRA), not a back-office document management system (DMS) and not an EMR. PHRAs are a separate application within the enterprise application portfolio.
It is a common mistake for software selection committees to seek a single application to service both the DMS and PHRA use cases. DMS software selection is driven by workflow, document capture, and metadata (attribute) flexibility requirements and higher
per-user license pricing. Health record archives are selected based on large audience usability requirements, security (data exposure risk) and the recurring reposed document storage cost.
Document management systems enable administrative staff to continually capture, sort, process and otherwise manage back-office documents on a continuous basis. They are feature rich from a document management and workflow perspective requiring training
and are typically priced on a per-user basis. DMSs are not provider friendly in a clinical setting, not intended for huge PHI document payloads and don't offer longitudinal data views. DMSs have a lower security rating compared to PHRAs when
deployed to a larger provider audience for recalling patient health records. Engage does offer back-office DMS solution hosting if that is your need.
HealthFolder is a read-only PHRA designed to make the recall of legacy patient data quick and easy for providers and HIM staff, when that information is not otherwise reposed within your current EMR. It does so while reducing data retention risk and