February 14, 2018
The report describes key considerations for implementing and managing application programming interfaces (APIs) in healthcare with respect to the privacy and security of health information (e.g., electronic protected health information (ePHI)). These considerations were developed by testing and assessing a volunteer subset of the Sync for Science (S4S) API implementations against the applicable Precision Medicine Initiative (PMI) Privacy and Trust Principles (PMI Privacy Principles) and the PMI Data Security Policy Principles and Framework (PMI Security Principles). Special publications from the National Institute of Standards and Technology (NIST) also served as a basis for the assessment criteria applied to the participating S4S pilot organizations. Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) must implement appropriate privacy protections and data security safeguards in their environments and, in particular, comply with the HIPAA Privacy and Security Rules. The PMI Privacy and Security Principles are consistent with HIPAA and can help bolster an entity's privacy and security posture. Healthcare APIs can enable individuals (e.g., patients or their personal representatives) to request that a healthcare provider's electronic health record (EHR) send health information about them to a specified third party, such as a research application (app). Implementers of such APIs can use the considerations below to help ensure the privacy and security of that health information with the appropriate safeguards in mind.
KEY PRIVACY CONSIDERATIONS
The following are key areas for privacy consideration when implementing APIs in healthcare:
1. Ensure that any electronic access request interface (e.g., an electronic form within a patient portal) provides individuals with an opportunity to approve the electronic transmission of health information in accordance with applicable legal requirements that enable such a request (e.g., HIPAA right of access).
2. Enable technology to provide for and respect individuals' choices and/or preferences about the specific types of health information (e.g., medication lists, allergies) shared with the third party.
3. Provide methods for individuals to revoke permissions for sharing health information about them in a manner that is clear and easily accessible.
4. Develop organizational privacy policies that are consistent with the PMI Privacy Principles and adequately address privacy risks.
KEY SECURITY CONSIDERATIONS
The following are key areas for security consideration when implementing APIs in healthcare:
1. Use Transport Layer Security (TLS) version 1.2 or higher with strong cipher suites (for example, suites built on the Advanced Encryption Standard [AES] or an equivalently strong cipher, and none of the known-weak ones) to protect health information in transit via the API from the EHR to the third party.
2. Ensure that the API cannot be manipulated to unintentionally expose health information or system vulnerability information.
3. Develop technical and administrative policies to ensure verification of the identity of users and contributors, prior to granting credentials for access to or contribution of health information.
4. Develop technical and administrative policies that describe how to issue credentials to individuals that will permit them to access health information about themselves.
5. Consider implementing risk-based authentication controls that flow from the organization’s security risk assessment, and are commensurate with the type of data, level of sensitivity of the information, and user type.
6. Develop systems with technical authorization controls flexible enough to support individual privacy preferences that are capable of limiting API access, use, or disclosure based on what is necessary to satisfy a particular purpose or carry out a function.
7. Evaluate any service provider’s infrastructure, security practices, and technical capabilities for hosting implementations of APIs and apps that store and access health information.
8. Implement data integrity protection controls that detect when unauthorized alterations are made to health information made accessible through the API.
9. Ensure that EHR patient portals that interact with the API are secure and protected against known vulnerabilities that attackers could exploit.
10. Develop organizational security policies that are consistent with the PMI Security Principles and adequately address security risks.
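Security consideration 1 above names the control (TLS 1.2 or higher, strong cipher suites) but not how to enforce or verify it. The following is an added example, not code from the report or from any S4S pilot, showing one way to build a server-side TLS context for an API endpoint in Python's standard `ssl` module and to audit the suites it actually enables. The policy encoded here (minimum TLS 1.2, AEAD bulk ciphers only, ephemeral key exchange only, no NULL/export/RC4/DES/MD5 suites) is this example's own choice of what "strong" means, not a list taken from the report; the function names are hypothetical.

```python
import ssl

# Substrings that identify suites this example's policy refuses outright:
# no authentication (ADH/AECDH), no encryption (NULL), export grade, RC4,
# DES/3DES, MD5. Policy choice of this example, not the report's list.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")
# AEAD bulk ciphers accepted by the policy.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def is_strong_suite(name: str) -> bool:
    """Return True if an OpenSSL-style suite name meets the policy:
    no weak component, an AEAD bulk cipher, and forward secrecy
    (ECDHE/DHE key exchange, or a TLS 1.3 suite, which always has it)."""
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return False
    if not any(marker in upper for marker in AEAD_MARKERS):
        return False
    return upper.startswith("TLS_") or "DHE" in upper


def build_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Hardened server context for an API endpoint serving health information."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: ephemeral ECDH only (forward secrecy), AEAD only.
    # TLS 1.3 suites are configured separately by OpenSSL and are AEAD by design.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def build_legacy_context() -> ssl.SSLContext:
    """The weak setting beside the corrected one: accepts every suite the
    library offers, including CBC suites with no forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that violate the policy; empty means compliant."""
    return [c["name"] for c in ctx.get_ciphers() if not is_strong_suite(c["name"])]


if __name__ == "__main__":
    print("hardened violations:", audit_context(build_server_context()))
    print("legacy violations:", audit_context(build_legacy_context())[:5], "...")
```

`audit_context` can be run as a deployment check against the context a service actually constructs; a non-empty result means a client can still negotiate a suite outside the policy, regardless of what the documentation says the endpoint supports.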
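Privacy considerations 2 and 3 (per-category sharing preferences, easy revocation) and security consideration 6 (authorization controls that limit API access to what a purpose requires) describe the same mechanism from two sides. The following added example, which is not code from the report or from any pilot, sketches a deny-by-default consent check that an API layer could apply to every request: a consent records which data categories a patient has authorized a given app to receive and for what purpose, revocation takes effect immediately, and anything not explicitly authorized is refused. The category names, purpose strings and function names are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional, Tuple

# Example data categories an individual can authorize separately
# (assumed names; the report gives "medication lists" and "allergies" as examples).
CATEGORIES = frozenset({"medications", "allergies", "problems", "lab_results", "immunizations"})


@dataclass
class Consent:
    patient_id: str
    app_id: str
    categories: FrozenSet[str]      # only these categories may be released
    purpose: str                    # e.g. "research"; the grant is bound to it
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.revoked_at is None or now < self.revoked_at


@dataclass
class ConsentRegistry:
    """In-memory store keyed by (patient, app); a real system would persist and audit this."""
    _consents: Dict[Tuple[str, str], Consent] = field(default_factory=dict)

    def grant(self, patient_id: str, app_id: str, categories, purpose: str,
              now: Optional[datetime] = None) -> Consent:
        unknown = set(categories) - CATEGORIES
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        consent = Consent(patient_id, app_id, frozenset(categories), purpose,
                          now or datetime.now(timezone.utc))
        self._consents[(patient_id, app_id)] = consent
        return consent

    def revoke(self, patient_id: str, app_id: str, now: Optional[datetime] = None) -> bool:
        """Revocation is idempotent and never fails for a missing grant."""
        consent = self._consents.get((patient_id, app_id))
        if consent is None or consent.revoked_at is not None:
            return False
        consent.revoked_at = now or datetime.now(timezone.utc)
        return True

    def authorize(self, patient_id: str, app_id: str, category: str, purpose: str,
                  now: Optional[datetime] = None) -> Tuple[bool, str]:
        """Deny by default: a request is allowed only if an active consent from this
        patient to this app covers this category for this purpose."""
        now = now or datetime.now(timezone.utc)
        consent = self._consents.get((patient_id, app_id))
        if consent is None:
            return False, "no consent on record for this app"
        if not consent.active(now):
            return False, "consent revoked"
        if consent.purpose != purpose:
            return False, "purpose not covered by consent"
        if category not in consent.categories:
            return False, f"category '{category}' not authorized"
        return True, "allowed"


def demo() -> list:
    """Constructed walk-through: grant two categories, query, revoke, query again."""
    reg = ConsentRegistry()
    t0 = datetime(2018, 2, 14, tzinfo=timezone.utc)
    reg.grant("patient-1", "research-app", {"medications", "allergies"}, "research", now=t0)
    results = [
        reg.authorize("patient-1", "research-app", "medications", "research", now=t0)[0],
        reg.authorize("patient-1", "research-app", "lab_results", "research", now=t0)[0],
        reg.authorize("patient-1", "research-app", "medications", "marketing", now=t0)[0],
        reg.authorize("patient-1", "other-app", "medications", "research", now=t0)[0],
    ]
    reg.revoke("patient-1", "research-app", now=t0)
    results.append(reg.authorize("patient-1", "research-app", "medications", "research", now=t0)[0])
    return results


if __name__ == "__main__":
    print(demo())
```

The API layer would call `authorize` once per requested category before releasing any record, and the reason string is for the audit log, not for the calling app, so that a denial does not leak which categories exist for a patient.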
While there is a perception in the healthcare community that APIs are less secure than other components of an IT system (e.g., an EHR system), the use of APIs to share information is prevalent in the financial and travel industries. As in those industries, healthcare APIs can add value to individual-directed sharing of health information as long as they are implemented with appropriate privacy and security safeguards in place. As API use in healthcare becomes more widespread, this document can serve as a resource on specific privacy and security considerations for health information technology (health IT) implementers.
The full report can be accessed here.