Health IT Security Considerations
We have learned that APIs act as a doorway to data that lets people with the right key
get through. APIs work the same way regardless of the type of device, the operating
system, or the mobile platform on which they are used. When using APIs, remember
that the security safeguards required by the ONC certification rule establish a floor of
security controls that all certified electronic health records must meet. However, even
when using certified health IT resources and tools, there are risks whenever data are
shared electronically.
The HIPAA Security Rule can help providers manage these risks. The Security Rule
requires providers that are covered by the rule to maintain reasonable and appropriate
administrative, technical, and physical safeguards for protecting electronic protected
health information, or ePHI. Covered providers are required to perform a risk analysis
as part of their security management processes. When health care providers add APIs
or other new technologies to facilitate information sharing, the best way to identify the
new risks is to revise the security risk assessment. If the analysis identifies new
risks, security measures must be put in place to reduce those risks.
This process will help providers protect their practice from threats such as ransomware,
theft, or other types of hacking. ONC offers a Security Risk Assessment Tool
online, free of charge, to help small and medium-sized providers assess their risk so they
can take the appropriate precautions.
Federal Rules for Data Transfer
There are a number of federal rules that providers might need to comply with when
using apps to transmit data.
In 2015, ONC published the Health IT Certification Criteria rule. This regulation
requires certified health IT to provide access to health information using APIs.
Under the Health Insurance Portability and Accountability Act of 1996, or HIPAA,
providers must release certain requested data to patients and must maintain privacy and
security safeguards. The Office for Civil Rights is responsible for enforcing the
HIPAA privacy and security rules.
Under Federal Trade Commission rules, health care providers are prohibited from
engaging in unfair or deceptive acts or practices in or affecting commerce, and they
must provide reasonable and appropriate data security.
The Food and Drug Administration requires that apps protect information accessed from
or transferred by medical devices.
To learn more about which rules might apply, visit the FTC's portal, which summarizes
some of the privacy and security requirements that may apply to mobile health apps.