Health Records Safety Exchange
Health-record extraction becomes safe, source-attributed, and reviewable before it becomes live.
SCRIMED Health Records Safety Exchange defines no-PHI health-record ingestion, extraction, normalization, interoperability, and patient-safety controls for synthetic and customer-approved sandbox evaluation. It does not authorize live PHI ingestion, production EHR access, patient matching, diagnosis, treatment, emergency triage, order entry, prescribing, payer submission, patient outreach, autonomous clinical decisions, record mutation, or production connector execution.
Operating Rules
SCRIMED can improve extraction and interoperability without touching live records.
The exchange supports synthetic FHIR, HL7 v2, C-CDA, DICOM metadata, X12/prior-auth, CSV, and note extraction planning while preserving PHI, connector, clinical, payer, and writeback hard stops.
Capabilities
Every record capability carries standards, extraction targets, safety controls, workarounds, and blocked actions.
FHIR health-record intake and normalization
FHIR R4/R4B, US Core, USCDI, SMART App Launch
- Formats: fhir-bundle
- Workaround: Use synthetic FHIR bundles and CapabilityStatement review before customer sandbox access.
- Blocked: live FHIR read, EHR writeback, patient matching, clinical decision automation
HL7 v2 event and results extraction
HL7 v2 ADT, HL7 v2 ORM/OML, HL7 v2 ORU, deployment-specific interface profiles
- Formats: hl7-v2-message
- Workaround: Request de-identified or synthetic HL7 v2 samples from the buyer interface team.
- Blocked: production ADT feed, result posting, order mutation, unreviewed segment inference
C-CDA and document intelligence extraction
C-CDA, FHIR DocumentReference, LOINC, SNOMED CT, Atlas evidence layer
- Formats: c-cda-document, unstructured-note, csv-export
- Workaround: Keep public demos on synthetic documents and redact all identifiers.
- Blocked: live note ingestion, patient-specific summary release, diagnosis extraction claim, unreviewed document upload
Imaging record and DICOM metadata routing
DICOM, DICOMweb, FHIR ImagingStudy, IHE ATNA
- Formats: dicom-metadata
- Workaround: Use metadata-only synthetic DICOMweb fixtures.
- Blocked: pixel-data ingestion, diagnostic interpretation, PACS retrieval, imaging result writeback
Payer, coverage, and prior-authorization record extraction
FHIR Coverage, FHIR Claim, FHIR ExplanationOfBenefit, X12 278, CMS prior authorization APIs
- Formats: x12-prior-auth, fhir-bundle, csv-export
- Workaround: Generate synthetic prior-authorization packets and missing-evidence checklists.
- Blocked: payer submission, benefit determination, claim filing, reimbursement guarantee
Extraction Pipeline
The path from source declaration to reviewer packet is gated at each step.
Intake gate
Synthetic fixtures, metadata-only references, or customer-approved sandbox samples only.
- Block PHI, patient identifiers, payer member data, credentials, production URLs, and source records.
Schema and profile detection
Declared format and sample metadata.
- Require human confirmation before treating a profile as deployment truth.
Extraction and normalization
Synthetic or approved sandbox payload only.
- Draft-only output; no diagnosis, treatment, order, payer, outreach, or writeback action.
Patient-safety lint
Normalized signals and source provenance.
- Critical findings block release and route to a qualified reviewer.
Reviewer packet
No-PHI evidence, accepted synthetic findings, and retained external gate list.
- Human approval required before customer sandbox, PHI, connector, or production workflow expansion.
PHI and live-record blocker
Payload declares PHI, patient identifiers, payer member IDs, production URLs, credentials, or live clinical records.
- Reject request and return no-storage boundary guidance.
- Use synthetic fixtures, metadata-only references, or customer-approved sandbox data after signed controls.
Patient identity and matching guard
Request asks SCRIMED to match, merge, deduplicate, or select a live patient.
- Block patient matching and route to customer MPI/identity governance.
- Use synthetic patient placeholders and show the required MPI acceptance test.
Unit, terminology, and semantic drift lint
Labs, vitals, medications, procedures, or conditions lack units, code-system version, or mapping provenance.
- Mark extracted facts as unresolved and require terminology review.
- Expose a mapping queue with LOINC, SNOMED CT, RxNorm, ICD, CPT/HCPCS, and local-code placeholders.
Medication and allergy review guard
Medication, allergy, or interaction context is requested for clinical use.
- Keep output draft-only and require pharmacist/clinician review before any care action.
- Generate a review checklist instead of advice, prescribing, or patient instruction.
Stale, conflicting, or unattributed source guard
Extracted facts conflict across sources or lack timestamp/provenance.
- Block fact promotion into reviewer packet until source conflict is resolved.
- Create a missing-evidence register and route to the customer records owner.
Writeback and patient-action blocker
Request asks for EHR mutation, order entry, outreach, payer submission, triage, or final clinical recommendation.
- Reject the action and preserve a no-authority audit event.
- Produce a human-reviewed draft packet and retain the live-action gate.
Limitations and Workarounds
Each hard stop has a safe path forward and a retained approval gate.
Live PHI and patient identifiers
Privacy breach, contractual breach, regulatory exposure, and loss of buyer trust.
- Control: Public and synthetic routes reject PHI and live records; extraction evaluator requires syntheticOnly=true.
- Gate: Signed BAA/DPA or non-PHI determination, privacy/security review, retention policy, and customer approval.
- Proof: /health-records, /clinical-care-activation, /approvals-readiness
Production EHR, HIE, payer, imaging, and device connectors
Unsafe data exchange, silent record mutation, trading-partner breach, and patient-safety exposure.
- Control: Connector work remains standards-aware and synthetic until partner acceptance testing exists.
- Gate: Customer sandbox approval, partner acceptance, security review, purpose-of-use, consent, audit, monitoring, and rollback.
- Proof: /interoperability, /interoperability/evaluations, /health-records
Patient safety and clinical action
Incorrect patient context, unsafe care recommendation, missed escalation, or unauthorized clinical decision support.
- Control: Outputs are draft-only, source-attributed, reviewer-gated, and blocked from clinical action.
- Gate: Licensed clinical governance, intended-use review, validation protocol, safety case, and customer go-live approval.
- Proof: /clinical-authority-readiness, /clinical-care-activation, /health-records
Patient matching and longitudinal record assembly
Wrong-patient record merge, duplicate facts, incomplete histories, and unsafe downstream automation.
- Control: SCRIMED does not match live patients or merge production longitudinal records.
- Gate: Customer MPI acceptance tests, identity policy, consent path, error reconciliation, audit, and clinical owner approval.
- Proof: /health-records, /interoperability, /workflows/runtime-safety
Payer submission and reimbursement outcomes
Improper payer transaction, false reimbursement expectation, and regulatory or contract exposure.
- Control: SCRIMED creates synthetic prior-auth support packets and missing-evidence lists only.
- Gate: Payer/trading-partner approval, X12/FHIR API testing, coding review, legal review, and customer release authority.
- Proof: /health-records, /growth-engine, /enterprise-business-ops
Source References
Standards and policy references are treated as implementation constraints, not approval claims.
HL7 FHIR R4 and FHIR release directory
FHIR is the primary resource model for synthetic record extraction, CapabilityStatement review, AuditEvent, Provenance, and deployment-specific profile validation.
https://www.hl7.org/fhir/R4/ONC TEFCA
Nationwide exchange requires purpose-of-use, participant/QHIN path, privacy/security controls, and exchange governance before real patient data flows.
https://healthit.gov/policy/tefca/ONC USCDI
Record extraction targets must map to standardized data classes before SCRIMED represents health-record interoperability coverage.
https://www.healthit.gov/isa/united-states-core-data-interoperability-uscdiCMS Interoperability and Prior Authorization Final Rule CMS-0057-F
Payer/provider/prior-authorization workflows need API timing, payer policy, transaction governance, and no-guarantee reimbursement controls.
https://www.cms.gov/initiatives/burden-reduction/overview/interoperability/policies-regulations/cms-interoperability-prior-authorization-final-rule-cms-0057-fDICOM current standard
Imaging metadata can be prepared for routing and provenance, but diagnostic interpretation and pixel-data workflows remain separately gated.
https://www.dicomstandard.org/current