The Office for the National Coordinator’s progress report on the current state of healthcare APIs shows developers are aware of and are working to correct some key privacy and security concerns, as the Department of Health and Human Services’ continues its interoperability push.
The report assesses the current landscape of API-based health information exchange based on the perspective of app developers and data integrators, as well as their role in effective data aggregation and exchange.
ONC has seen an influx in third-party developers emerging in the marketplace to support the need for health apps that can gather and exchange data from electronic health records, devices and systems. But as noted in SC Media reports, a host of privacy and security challenges and risks exist within the API and app ecosystem meant to support health data exchange.
For the last few years, awareness around the need to prioritize health app privacy and security safeguards has been top of mind in Congress and among industry stakeholders. The FTC has also reaffirmed its commitment to enforcing its rarely used Health Breach Notification Rule, which outlines vendor requirements when collecting consumer health data.
Risk assessments, approval process lead to delays
The latest ONC update outlines the current challenges faced by aggregators and developers, tied to the availability and quality of security practices when developing, testing and deploying these exchange solutions.
Specifically, the “lengthy security risk assessments and overly complex approval processes” for some developers or providers “often cause delays in implementation schedules.” There’s also a need for more granular levels of consent or scope to provide consumers better transparency on the specific data and timeframes on when their data will be shared.
The developers are also calling on more guidance for the administrative processes for the privacy and security requirements around contracts, the Health Insurance Portability and Accountability Act Business associates, user consents and data use agreements.
Lastly, “app developers need to become accustomed to providing a privacy statement to users specifying their commitment to security and the risks of releasing EHI to any third-party.”
However, the developers and aggregators are concerned that some provider organizations often lack robust security processes or don’t leverage trusted frameworks to manage patient data exchanged in third-party apps. Some health systems also lack the governance structure needed for determining necessary privacy and security workflows or reviews of third-party health apps.
“There’s a link between the lack of a governance structure and the lack of internal stakeholder alignment,” according to the report. “There’s often not a single point of decision making, but rather many relevant stakeholders.”
Two participants noted the current FHIR APIs “allow app users to consent to a granular level exchange of their EHI down to specific data elements.” But there are challenges in extracting the health data from the source system, like the EHR, to the third-party app or personal mobile device.
“One discussion participant summarized that FHIR offers a sufficient framework for the development of apps but does not solve other processes, such as privacy, security, and consent,” the report authors wrote. But initiatives, such as the Argonaut Project, aim to create more granular consent flows.”
“As third-party health apps become more ubiquitous … participants described their desire to empower app users to make their own decisions and the need to use case-specific workflows to ensure the privacy and security of health data,” they added.
The report also outlined examples of questions that should be answered that could ensure a more streamlined approach to data governance, as well as possible solutions for the privacy and security of APIs.
In short, in terms of privacy and security elements of the current state of data exchange, ONC stressed that the trust in APIs and apps will largely depend on the use of strong privacy and security controls.
