Privacy risks loom without third-party app and API standards, healthcare groups say

As the interoperability push continues in healthcare, the Workgroup for Electronic Data Interchange (WEDI) and the Confidentiality Coalition are again urging regulatory leaders to address patient privacy and security risks posed by third-party apps generating healthcare data that falls outside of The Health Insurance Portability and Accountability Act.

In a letter to the Department of Health and Human Services Secretary Xavier Becerra and Department of Commerce Secretary Gina Raimondo, WEDI and the Confidentiality Coalition make the case for a national privacy framework to address longstanding regulatory gaps.

“A vast amount of health-related information does not fall within the HIPAA regulatory framework and is largely unprotected from misuse,” the groups wrote.

There’s continued “concern patients will not have adequate information to be educated consumers regarding third-party apps and may not fully comprehend they’re assuming the risk of the security practices implemented by their chosen app.”

Specifically, patients may not understand when their data isn’t protected by HIPAA.

Application programming interfaces and health apps seamlessly support the exchange of healthcare data and enable patients with access to their information. But without addressing the lack of privacy standards for third-party apps, the risk to patient data is likely inevitable.

Since HHS announced its info blocking and interoperability efforts in 2019, as detailed in the 21st Century Cures Act, industry stakeholder groups have long warned of third-party app risks. A 2021 report found major security concerns with the API developer ecosystem, meant as the backbone for interoperability.

Broader concerns center around expanding the threat landscape, use of commercial products not regulated by HIPAA, a lack of prescribed standards or protocols for app developers, and the rapid development of tech that outpaces the security protections and controls. 

As it stands, the Federal Trade Commission has leveraged its authority to regulate health app developers that routinely share consumer health data with third parties without user consent. A 2020 settlement with Flo Health showed the app developer was misleading more than 100 million consumers about its health disclosure practices.

Last year, the FTC again reiterated it intends to leverage its healthcare data breach rule, which regulates health apps and connected devices that collect or use consumer health data. WEDI and the Confidentiality Coalition lauded these efforts, but noted that it’s not enough.

Healthcare stakeholder groups have repeatedly asked HHS and Congress to stand up a health app privacy standard since 2019, to address these risks from a healthcare perspective. However, privacy leaders have warned it’s Congress that bears the onus for health privacy standards, not HHS.

WEDI and the Confidentiality Coalition urged HHS to tackle these challenges, which demonstrate the need for “robust privacy standards” able to regulate “the large percentage of third-party app developers not associated with covered entities and, therefore, not covered under HIPAA.” 

Without a federally recognized certification or accreditation for these apps to facilitate patient access to health data, the groups argue there’s no security baseline to hold app-vendors accountable. As such, the apps pose a risk of “potential misuse of patient health information by certain third-party apps.”

Recommendations to address API, third-party app challenges

While Congress and HHS work toward a federal standard, the groups presented five key recommendations that could address some of the biggest challenges.

HHS and DOC should release additional guidance outlining the permitted verification types for third-party app privacy and security, while enabling the provider organizations themselves to “undertake an appropriate level of review of a third-party app before permitting it to connect to their APIs.”

Further, entities that fall outside of HIPAA regulations must be required to clearly outline to consumers the purposes for how and why they collect, use and disclose identifiable health data, as well as promptly informing consumers of any changes.

DOC and HHS should work with the private sector to develop an accreditation or certification framework, regulating the privacy and security of third-party apps that want to connect to certified health IT APIs.

“Once established, covered entities should be permitted to limit the use of their APIs to third-party apps that have agreed to abide by the framework,” the groups wrote. “Such a program would not only foster innovation, but also establish improved assurance to patients of the security of their information.”

Similar security requirements should be applied in the private sector, to address similar risks posed by the Centers for Medicare & Medicaid Services for its Blue Button 2.0 initiative and plans to expand patient access to their health information. 

Specifically, “all third-party apps seeking to access PHI via provider or health plan APIs [must] prove adherence to a strict set of privacy and security guidelines or successfully complete a CMS-approved security certification,” the groups recommended.

Lastly, the groups recommended the federal agencies partner with stakeholders to develop much-needed education for consumers and covered entities, which will significantly improve “the ability of the consumer and covered entity to understand their rights and responsibilities under the law.”

These recommendations will “serve to increase the assurance that health information is being securely exchanged and provide patients the confidence to become more engaged in their health decisions.”

“Again, while we are supportive of increasing data exchange for patients via third-party apps, there is a clear potential that using these apps could result in patients having their information inappropriately disclosed,” the groups warned. It’s also “inappropriate to put the burden of warning the individual solely as the responsibility of the covered entity.”

Currently, Congress is contemplating a bipartisan bill that would create a commission to explore the potential of a federal privacy law that could address some of these challenges. But despite a long list of proposed bills specifically targeting health data that falls outside of HIPAA, there’s a long road ahead for some of these key asks.