Interoperability

Health Records Safety Exchange

Health-record extraction becomes safe, source-attributed, and reviewable before it becomes live.

SCRIMED Health Records Safety Exchange defines no-PHI health-record ingestion, extraction, normalization, interoperability, and patient-safety controls for synthetic and customer-approved sandbox evaluation. It does not authorize live PHI ingestion, production EHR access, patient matching, diagnosis, treatment, emergency triage, order entry, prescribing, payer submission, patient outreach, autonomous clinical decisions, record mutation, or production connector execution.

Statushealth-records-safety-exchange-control-plane-active
Capabilities5
Safety checks6
Workarounds20
Blocked actions20
Live blocked4

Operating Rules

SCRIMED can improve extraction and interoperability without touching live records.

The exchange supports synthetic FHIR, HL7 v2, C-CDA, DICOM metadata, X12/prior-auth, CSV, and note extraction planning while preserving PHI, connector, clinical, payer, and writeback hard stops.

01Reject PHI, patient identifiers, payer member IDs, production credentials, source records, and production endpoints in public or synthetic workflows.
02Use FHIR, HL7 v2, C-CDA, DICOM/DICOMweb, X12, USCDI, TEFCA, and terminology standards as readiness contracts, not live connector approval.
03Keep patient matching, diagnosis, treatment, triage, prescribing, patient outreach, payer submission, and record mutation blocked.
04Route ambiguous mappings, missing provenance, stale facts, medication/allergy safety, and units/terminology conflicts to qualified human review.
05Require customer sandbox approval, privacy/security/legal review, clinical governance, consent/purpose-of-use, audit, monitoring, rollback, and go-live approval before live data exchange.

Capabilities

Every record capability carries standards, extraction targets, safety controls, workarounds, and blocked actions.

synthetic-ready

FHIR health-record intake and normalization

FHIR R4/R4B, US Core, USCDI, SMART App Launch

Patient metadata placeholders · Encounter timeline · Observation, lab, and vital signals
  • Formats: fhir-bundle
  • Workaround: Use synthetic FHIR bundles and CapabilityStatement review before customer sandbox access.
  • Blocked: live FHIR read, EHR writeback, patient matching, clinical decision automation
customer-sandbox-required

HL7 v2 event and results extraction

HL7 v2 ADT, HL7 v2 ORM/OML, HL7 v2 ORU, deployment-specific interface profiles

Admission/discharge/transfer events · Order and result identifiers · Observation status
  • Formats: hl7-v2-message
  • Workaround: Request de-identified or synthetic HL7 v2 samples from the buyer interface team.
  • Blocked: production ADT feed, result posting, order mutation, unreviewed segment inference
metadata-only

C-CDA and document intelligence extraction

C-CDA, FHIR DocumentReference, LOINC, SNOMED CT, Atlas evidence layer

Document type and section map · Problem/medication/allergy section placeholders · Missing-section signals
  • Formats: c-cda-document, unstructured-note, csv-export
  • Workaround: Keep public demos on synthetic documents and redact all identifiers.
  • Blocked: live note ingestion, patient-specific summary release, diagnosis extraction claim, unreviewed document upload
metadata-only

Imaging record and DICOM metadata routing

DICOM, DICOMweb, FHIR ImagingStudy, IHE ATNA

Study and series metadata · Modality and accession placeholders · DICOMweb service readiness
  • Formats: dicom-metadata
  • Workaround: Use metadata-only synthetic DICOMweb fixtures.
  • Blocked: pixel-data ingestion, diagnostic interpretation, PACS retrieval, imaging result writeback
external-review-required

Payer, coverage, and prior-authorization record extraction

FHIR Coverage, FHIR Claim, FHIR ExplanationOfBenefit, X12 278, CMS prior authorization APIs

Coverage and eligibility context · Prior authorization status metadata · Required documentation checklist
  • Formats: x12-prior-auth, fhir-bundle, csv-export
  • Workaround: Generate synthetic prior-authorization packets and missing-evidence checklists.
  • Blocked: payer submission, benefit determination, claim filing, reimbursement guarantee

Extraction Pipeline

The path from source declaration to reviewer packet is gated at each step.

Data governance and integration owner

Intake gate

Synthetic fixtures, metadata-only references, or customer-approved sandbox samples only.

Accepted source-format declaration and rejected live-data signal list.
  • Block PHI, patient identifiers, payer member data, credentials, production URLs, and source records.
Interoperability engineering

Schema and profile detection

Declared format and sample metadata.

FHIR/HL7/C-CDA/DICOM/X12 profile hypothesis with version uncertainty.
  • Require human confirmation before treating a profile as deployment truth.
Atlas and interoperability agents

Extraction and normalization

Synthetic or approved sandbox payload only.

Canonical extraction map, missing-field register, terminology queue, and provenance ledger.
  • Draft-only output; no diagnosis, treatment, order, payer, outreach, or writeback action.
TrustOS and clinical governance

Patient-safety lint

Normalized signals and source provenance.

Safety-check results for identity, units, medications, allergies, stale facts, provenance, and action boundary.
  • Critical findings block release and route to a qualified reviewer.
Customer workflow owner and SCRIMED operator

Reviewer packet

No-PHI evidence, accepted synthetic findings, and retained external gate list.

Reviewer-ready packet with workarounds, blocked actions, retained gates, and proof routes.
  • Human approval required before customer sandbox, PHI, connector, or production workflow expansion.
critical

PHI and live-record blocker

Payload declares PHI, patient identifiers, payer member IDs, production URLs, credentials, or live clinical records.

  • Reject request and return no-storage boundary guidance.
  • Use synthetic fixtures, metadata-only references, or customer-approved sandbox data after signed controls.
critical

Patient identity and matching guard

Request asks SCRIMED to match, merge, deduplicate, or select a live patient.

  • Block patient matching and route to customer MPI/identity governance.
  • Use synthetic patient placeholders and show the required MPI acceptance test.
high

Unit, terminology, and semantic drift lint

Labs, vitals, medications, procedures, or conditions lack units, code-system version, or mapping provenance.

  • Mark extracted facts as unresolved and require terminology review.
  • Expose a mapping queue with LOINC, SNOMED CT, RxNorm, ICD, CPT/HCPCS, and local-code placeholders.
critical

Medication and allergy review guard

Medication, allergy, or interaction context is requested for clinical use.

  • Keep output draft-only and require pharmacist/clinician review before any care action.
  • Generate a review checklist instead of advice, prescribing, or patient instruction.
high

Stale, conflicting, or unattributed source guard

Extracted facts conflict across sources or lack timestamp/provenance.

  • Block fact promotion into reviewer packet until source conflict is resolved.
  • Create a missing-evidence register and route to the customer records owner.
critical

Writeback and patient-action blocker

Request asks for EHR mutation, order entry, outreach, payer submission, triage, or final clinical recommendation.

  • Reject the action and preserve a no-authority audit event.
  • Produce a human-reviewed draft packet and retain the live-action gate.

Limitations and Workarounds

Each hard stop has a safe path forward and a retained approval gate.

Privacy, security, legal, customer compliance, and data governance

Live PHI and patient identifiers

Privacy breach, contractual breach, regulatory exposure, and loss of buyer trust.

Use synthetic fixtures, metadata-only references, and customer sandbox placeholders.
  • Control: Public and synthetic routes reject PHI and live records; extraction evaluator requires syntheticOnly=true.
  • Gate: Signed BAA/DPA or non-PHI determination, privacy/security review, retention policy, and customer approval.
  • Proof: /health-records, /clinical-care-activation, /approvals-readiness
Interoperability engineering, customer integration owner, security, and clinical governance

Production EHR, HIE, payer, imaging, and device connectors

Unsafe data exchange, silent record mutation, trading-partner breach, and patient-safety exposure.

Run conformance kits, fixture validation, CapabilityStatement review, and sandbox mapping packets.
  • Control: Connector work remains standards-aware and synthetic until partner acceptance testing exists.
  • Gate: Customer sandbox approval, partner acceptance, security review, purpose-of-use, consent, audit, monitoring, and rollback.
  • Proof: /interoperability, /interoperability/evaluations, /health-records
Clinical governance, TrustOS, product, and customer clinical owner

Patient safety and clinical action

Incorrect patient context, unsafe care recommendation, missed escalation, or unauthorized clinical decision support.

Produce reviewer checklists, missing-data registers, and escalation queues instead of recommendations.
  • Control: Outputs are draft-only, source-attributed, reviewer-gated, and blocked from clinical action.
  • Gate: Licensed clinical governance, intended-use review, validation protocol, safety case, and customer go-live approval.
  • Proof: /clinical-authority-readiness, /clinical-care-activation, /health-records
Customer identity governance, interoperability engineering, and clinical safety

Patient matching and longitudinal record assembly

Wrong-patient record merge, duplicate facts, incomplete histories, and unsafe downstream automation.

Use synthetic identity placeholders and route matching to customer MPI or identity-governance owners.
  • Control: SCRIMED does not match live patients or merge production longitudinal records.
  • Gate: Customer MPI acceptance tests, identity policy, consent path, error reconciliation, audit, and clinical owner approval.
  • Proof: /health-records, /interoperability, /workflows/runtime-safety
RCM owner, legal, customer sponsor, and payer integration owner

Payer submission and reimbursement outcomes

Improper payer transaction, false reimbursement expectation, and regulatory or contract exposure.

Route payer work to human RCM review and customer payer-policy owners.
  • Control: SCRIMED creates synthetic prior-auth support packets and missing-evidence lists only.
  • Gate: Payer/trading-partner approval, X12/FHIR API testing, coding review, legal review, and customer release authority.
  • Proof: /health-records, /growth-engine, /enterprise-business-ops

Source References

Standards and policy references are treated as implementation constraints, not approval claims.

2026-06-25

HL7 FHIR R4 and FHIR release directory

FHIR is the primary resource model for synthetic record extraction, CapabilityStatement review, AuditEvent, Provenance, and deployment-specific profile validation.

https://www.hl7.org/fhir/R4/
2026-06-25

ONC TEFCA

Nationwide exchange requires purpose-of-use, participant/QHIN path, privacy/security controls, and exchange governance before real patient data flows.

https://healthit.gov/policy/tefca/
2026-06-25

DICOM current standard

Imaging metadata can be prepared for routing and provenance, but diagnostic interpretation and pixel-data workflows remain separately gated.

https://www.dicomstandard.org/current