Privacy risks loom without third-party app and API standards, healthcare groups say

Healthcare groups are urging regulators to address patient privacy risks posed by third-party apps. Pictured: Army Reserve Maj. Francy Legayada inputs her patient’s vitals into the hospital computer system, Jan. 19, 2021, at the Yuma Regional Medical Center in Yuma, Ariz. (Staff Sgt. Cambrin Bassett/Army)

As the interoperability push continues in healthcare, the Workgroup for Electronic Data Interchange (WEDI) and the Confidentiality Coalition are again urging regulatory leaders to address patient privacy and security risks posed by third-party apps generating healthcare data that falls outside of the Health Insurance Portability and Accountability Act.

In a letter to the Department of Health and Human Services Secretary Xavier Becerra and Department of Commerce Secretary Gina Raimondo, WEDI and the Confidentiality Coalition make the case for a national privacy framework to address longstanding regulatory gaps.

“A vast amount of health-related information does not fall within the HIPAA regulatory framework and is largely unprotected from misuse,” the groups wrote.

There’s continued “concern patients will not have adequate information to be educated consumers regarding third-party apps and may not fully comprehend they’re assuming the risk of the security practices implemented by their chosen app.” Specifically, patients may not understand when their data isn’t protected by HIPAA.

Application programming interfaces and health apps seamlessly support the exchange of healthcare data and give patients access to their information. But without addressing the lack of privacy standards for third-party apps, the risk to patient data is likely inevitable.

Since HHS announced its info blocking and interoperability efforts in 2019, as detailed in the 21st Century Cures Act, industry stakeholder groups have long warned of third-party app risks. A 2021 report found major security concerns with the API developer ecosystem, meant as the backbone for interoperability.

Broader concerns center around expanding the threat landscape, use of commercial products not regulated by HIPAA, a lack of prescribed standards or protocols for app developers, and the rapid development of tech that outpaces the security protections and controls.

As it stands, the Federal Trade Commission has leveraged its authority to regulate health app developers that routinely share consumer health data with third parties without user consent. A 2020 settlement with Flo Health showed the app developer was misleading more than 100 million consumers about its health disclosure practices.

Last year, the FTC again reiterated it intends to leverage its healthcare data breach rule, which regulates health apps and connected devices that collect or use consumer health data. WEDI and the Confidentiality Coalition lauded these efforts, but noted that it’s not enough.

Healthcare stakeholder groups have repeatedly asked HHS and Congress to stand up a health app privacy standard since 2019, to address these risks from a healthcare perspective. However, privacy leaders have warned it’s Congress that bears the onus for health privacy standards, not HHS.

WEDI and the Confidentiality Coalition urged HHS to tackle these challenges, which demonstrate the need for “robust privacy standards” able to regulate “the large percentage of third-party app developers not associated with covered entities and, therefore, not covered under HIPAA.”

Without a federally recognized certification or accreditation for these apps to facilitate patient access to health data, the groups argue there’s no security baseline to hold app vendors accountable. As such, the apps pose a risk of “potential misuse of patient health information by certain third-party apps.”