Coalition of hospitals, health plans and others urge for stronger guidance around third-party apps
Providers are not responsible for verifying the security of a patient's third-party app, but are vulnerable when that data is sent.
Photo: Westend61/Getty Images
The Confidentiality Coalition and the Workgroup for Electronic Data Interchange has sent a letter to the secretaries of Commerce and Health and Human Services voicing concerns about the potential misuse of patient health information by unregulated third-party applications.
The HIPAA law only goes so far to protect health information as it applies only to traditional healthcare covered entities and their business associates, the groups told HHS Secretary Xavier Becerra and Commerce Secretary Gina Raimondo in the March 24 letter. The groups said they are also concerned that patients will not have adequate information to be educated regarding third-party apps and the risk that their information may not be protected by HIPAA.
The Confidentiality Coalition includes hospital, medical teaching colleges, health plans, pharmaceutical companies, medical device manufacturers, EHR vendors and more. WEDI was formed to improve the efficiency of health data exchange.
WHY THIS MATTERS
Healthcare providers are not responsible under HIPAA for verifying the security of a patient's third-party app. "However, we note that this 'safe harbor' does not address the potential vulnerability of patient information when sent to the app," the letter said.
The groups offered several recommendations for the federal government to increase security and protect privacy.
THE LARGER TREND
In December 2020, the Centers for Medicare and Medicaid Services issued a proposed rule aimed at improving the electronic exchange of healthcare data among payers, providers and patients.
The final rule requires HL7 FHIR-based APIs to support data exchange and prior authorization. It also includes an API standard for healthcare operations nationwide. The rule builds on final rules around interoperability and patient access to fulfill provisions of the 21st Century Cures Act.
During HIMSS22, CMS Administrator Chaquita Brooks-LaSure said the rule didn't go far enough. Payers need to implement data exchange, she said, adding CMS would soon publish a rule on enhanced data exchange.
Twitter: @SusanJMorse
Email the writer: SMorse@himss.org