Third Party App Security Framework for the CMS Interoperability Plan

The American Academy of Neurology (AAN) spoke about their concerns on the interoperability plans of the HHS’ Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS).

In February, ONC and CMS recommended new rules that could help minimize information blocking and have better interoperability. Problems in data blocking and interoperability push clinicians to devote more time doing clerical tasks, which in turn lessens the time spent on providing patient care.

The AAN is a supporter of ONC and CMS. The AAN is convinced that many of the proposed new rules are essential for empowering providers and patients by giving them access to patient information. However, the AAN has stated concern regarding patient safety and security when implementing the ONC and CMS interoperability plans.

The AAN is supporting the use of standardized Fast Healthcare Interoperability Resources (FHIR) based APIs to enable patients to easily access their health data, such as claims information, laboratory test results, prescribed medicines, and clinical notes. Doing so helps facilitate care coordination and could improve the understanding of patients’ concerning their conditions and treatments. Nonetheless, there are potential issues.

Consistent policies are required across the board to encourage and facilitate data sharing across systems. A lot of EHRs are not compatible with the robust usage of application program interfaces (APIs) for data sharing or are restricted by APIs that are used exclusively inhibiting data exchange. There are also concerns about privacy and security.

Although the AAN is aware that once PHI is shared by way of an API, the provider is no longer responsible to protect that information. However, the AAN thinks there must be a security framework for third-party applications to avoid unauthorized disclosures as soon as providers transmit PHI.

There is presently no federal regulatory framework that addresses unauthorized PHI disclosures aside from FTC’s enforcement. With no a regulatory framework, providers have the burden to make sure that they notify patients regarding the potential risks, when in fact app developers should be responsible to take all required precautions to ensure PHI security. The AAN wants to clarify the accountability of third-party applications in ensuring the protection of patient information.

After the transfer of PHI, unauthorized disclosures are not considered as HIPAA violations. However, it could negatively affect a provider’s reputation. Additionally, telling the risks to patients might result in patients not giving their consent to share their information, which is counterproductive to CMS’s goal of encouraging data exchange and could negatively impact the relationship between providers and patients.

Considering the sensitive nature of PHI, the trust between providers and patients is very important. The AAN is asking CMS and the FTC to make clear security guidelines governing third-party APIs and to enforce the rules regarding the responsibility of third-party applications to secure patient data.

There is also concern about the sharing of particular types of sensitive data, for instance high-risk genetic testing data. Prior to sharing such sensitive information with patients and their families, it is essential to provide appropriate counselling first. The AAN recommends not sharing highly sensitive information through APIs.

The AAN likewise thinks that the proposed six-month implementation of the changes is too short. Compliance with the new requirements will put a significant burden on healthcare providers and more time will likely be necessary for system-wide changes.

The College of Healthcare Information Management Executives (CHIME) is likewise recommending the CMS and ONC to stretch the timescale for HIPAA compliance from six months to three years.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at