
Groups Offer 5 Recommendations for Protecting Patient Data on Third-Party Apps

Analysis  |  By Eric Wicklund  
   March 25, 2022

The Workgroup for Electronic Data Interchange and the Confidentiality Coalition have written a letter to federal officials calling for more protections for patient information accessed through third-party mHealth apps.

Two organizations focused on protecting patient data are urging federal officials to take several steps to protect that data from unsafe third-party mHealth apps.

The Workgroup for Electronic Data Interchange (WEDI) and the Confidentiality Coalition have written a letter to Health and Human Services Secretary Xavier Becerra and Commerce Secretary Gina Raimondo offering five recommendations for protecting patient information on third-party apps, many of which are built by developers that are not covered by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA binds covered entities (CEs) such as health plans and providers, along with their business associates; an app developer outside that group has no HIPAA obligation to keep the data it receives private or secure.

“Some CEs, including health plans, physician practices and inpatient facilities, have already built or have contracted with business associates to develop patient access APIs and apps and are actively promoting their use,” the letter points out. “Specifically, these apps deployed by providers and health plans are typically covered under HIPAA and therefore the individuals accessing data have assurances that their information is being kept private and secure. We are concerned, however, regarding the lack of robust privacy standards applicable to the large percentage of third-party app developers not associated with CEs and therefore not covered under HIPAA and the fact that there currently is no federally recognized certification or accreditation for these apps.”

“The potential exists for PHI gained via the apps to be inappropriately disclosed to the detriment of patients and their families,” the letter states. “While we strongly support patient access to their PHI via apps, we assert that a national framework is required to ensure that health care data obtained by third-party apps is held to high privacy and security standards.”

In response, the two groups are urging Becerra and Raimondo to:

  1. Release additional guidance on the types of third-party app security and privacy verification that will be permitted and allow CEs themselves to undertake an appropriate level of review of a third-party app before permitting it to connect to their APIs;
  2. Require entities that are not HIPAA CEs or business associates to clearly stipulate to the individual the purposes for which they collect, use, and disclose identifiable health information and require that these individuals be given clear, succinct notice concerning the collection, use, disclosure, and protection of individually identifiable health information that is not subject to HIPAA;
  3. Work with the private sector in the development of a privacy and security accreditation or certification framework for third-party apps seeking to connect to APIs of certified health IT. Once established, CEs should be permitted to limit the use of their APIs to third-party apps that have agreed to abide by the framework. Such a program would not only foster innovation, but also establish improved assurance to patients of the security of their information;
  4. Apply similar security requirements in the private sector as CMS applies to its Blue Button 2.0 and Data at the Point of Care (DPC) initiatives, requiring all third-party apps seeking to access PHI via provider or health plan APIs to prove adherence to a strict set of privacy and security guidelines or successfully complete a CMS-approved security certification; and
  5. Partner with groups like the Confidentiality Coalition, WEDI and other professional associations in the development and deployment of education aimed at a wide range of consumers and CEs. Enhanced consumer and CE education will lead to significant improvement in the ability of the consumer and the CE to understand their rights and responsibilities under the law.

According to the two groups, recent evidence indicates mHealth third-party apps are vulnerable to unauthorized access and use. They applaud efforts to update HIPAA to account for new technologies and tactics, but say more needs to be done now.

“While we are supportive of increasing data exchange for patients via third-party apps, there is a clear potential that using these apps could result in patients having their information inappropriately disclosed,” the letter states. “We also assert that it is inappropriate to put the burden of warning the individual solely on the CE. CEs will typically not be experts on app data privacy and security protocols and will have little time to warn patients of the potential dangers associated with transmitting ePHI to third parties not covered by the HIPAA protections. Under current regulation, CEs are not permitted to require formal verification checks on individual third-party apps before allowing the application to connect to their API.”

“We believe that for health care data exchange to occur in an interoperable manner as called for under the 21st Century Cures legislation, there must be a consistent and high level of trust among all participants, including entities that are not legally a CE or bound by a BAA,” it concludes. “The deployment of effective federal policies is critical to assist in facilitating this trust framework.”

WEDI was formed in 1991 by then-HHS Secretary Dr. Louis Sullivan to “identify opportunities to improve the efficiency of health data exchange.” The Confidentiality Coalition is a broad group of healthcare organizations formed by the Healthcare Leadership Council to focus on advancing effective patient confidentiality protections.

Eric Wicklund is the associate content manager and senior editor for Innovation at HealthLeaders.
