The bipartisan 21st Century Cures Act, passed in late 2016, included a mandate on the healthcare industry to leverage Application Programming Interface (API) standards to improve the interoperability of patient information. APIs are the technical foundation for the apps we use every day to book travel and shop online. One of the goals of the Cures Act was to apply this technology to healthcare and enable physician practices, other providers and even health plans to share information using APIs. For patients, the goal of the Cures Act is to give them control of their data on their smartphone.
The Office of the National Coordinator (ONC) for Health Information Technology (HIT), the primary government agency tasked with implementing this provision of the Cures Act, has proposed a set of rules to permit health information to be accessed, exchanged and used “without special effort” through use of APIs.
ONC has proposed to:
- Require EHR vendors to support API-enabled services to allow patients to direct a practice to send their health information to an app of their choice.
- Require EHR vendors to export data for multiple patients to another EHR. This will ease the burden on practices switching software vendors.
- Require API vendors to comply with certain requirements to promote an open and competitive marketplace.
- Set boundaries for the fees vendors could charge practices for API technology.
In comments to ONC on its proposed rule, MGMA reiterated its support for improving the ability of practices to share data with patients and other care settings. However, MGMA did raise concerns regarding several aspects of the government’s proposal.
Third-party app developers, which are entering the healthcare market at a rapid pace, are typically not required to abide by the provisions of HIPAA because they offer their apps directly to consumers rather than on behalf of HIPAA-covered entities such as practices. MGMA argued that ONC should develop a better approach for how practices can confidently share patient information with app developers that are not typically bound by HIPAA requirements.
According to the ONC proposed rule, APIs should require a “yes” attestation by patients to indicate they have been provided meaningful notice and control over how their health information will be used to connect to the API. MGMA contended that this traditional model, in which the user simply clicks “yes to continue” or “I accept” to the conditions, will not be sufficient to communicate to the patient the risks of managing that data, or to reassure providers concerned about whether patients understand the risks and benefits of this data use. It is imperative that patients fully comprehend the risk before using their data in apps and before choosing to use the API.
The Association also raised the concern that patients may not have the information that would allow them to be “educated consumers” of health apps, and that they may not fully comprehend the risk they are assuming with their chosen app. Patients do not necessarily know when their information is and is not protected by HIPAA.
The proposed rule stipulates that a practice is not permitted to conduct “verification” checks on individual third-party apps before allowing the app to connect to its API, but rather must conduct such “verification” on the developers themselves and must complete the process within five business days. MGMA recommended ONC provide further guidance on the types of “verification” that will be authorized and permit practices to undertake some form of review of third-party apps themselves before permitting them to connect to their APIs.
In tandem with the release of the ONC proposed rule, the Office for Civil Rights (OCR), the government agency responsible for oversight and enforcement of HIPAA Privacy and Security rules, recently issued guidance to assist physician practices and others to better understand the new app environment. This guidance provides needed clarification to practices deploying app technology or releasing information to patient-directed apps. Highlights from the guidance include:
- Where the app is provided by or is developed on behalf of the practice itself, it would likely be considered a business associate of the practice. This includes the case where the app was developed by the practice’s EHR vendor. The practice could then be liable under HIPAA for any impermissible disclosure because of the business associate relationship between the practice and the app developer. A business associate agreement (BAA) would most likely need to be signed between the practice and the app developer. However, a BAA would not be required if the third-party app was provided by the patient or by an entity other than the practice or its EHR vendor.
- Where the patient has supplied or identified the app to receive the data, the practice would not be liable under HIPAA should the app later experience a breach.
- Under the individual right of access, a patient may request a practice to direct his or her data to a third-party app in an unsecure manner or through an unsecure channel. OCR does recommend, however, that the practice consider informing patients of the potential risks involved the first time they make the request.
- The HIPAA Privacy Rule generally prohibits a practice from refusing to disclose data to a third-party app designated by the patient if the data is readily producible in the form and format used by the app.
ONC is expected to release the final rule outlining API regulations later this year. MGMA Government Affairs will develop a member-benefit analysis of the final regulation and offer guidance to practices on how best to meet this new challenge.