HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan

The American Academy of Neurology (AAN) has voiced concerns about the interoperability plans of the Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC).

In February, both ONC and CMS proposed new rules that aim to reduce information blocking and improve interoperability. The AAN supports ONC and CMS efforts to reduce information blocking and improve interoperability. Data blocking and interoperability problems force clinicians to spend more time on clerical work, which means less time is spent providing direct care to patients.

The AAN believes many of the provisions in the new rules are necessary for empowering patients and providers by providing comprehensive access to patient data; however, in a recent letter to CMS Administrator Seema Verma, the AAN has expressed concern about patient safety and security if the ONC and CMS interoperability plans are implemented.

The AAN supports efforts to advance the use of standardized Fast Healthcare Interoperability Resources (FHIR) based APIs to allow patients to easily gain access to their health data, including claims information, lab test results, medications, and clinical notes. Easy access to that information will help with care coordination and will improve patients’ understanding of their conditions and treatments. However, there are potential problems.

Please see the HIPAA Journal Privacy Policy

“Consistent policies are needed across the board to incentivize and facilitate the exchange of data across systems,” wrote AAN President Ralph L. Sacco. “Many EHRs do not support the robust use of application program interfaces (APIs) for data exchange or are hindered by APIs that are implemented in proprietary ways that inhibit data exchange.” The AAN has also voiced concerns about privacy and security.

While the AAN understands that once PHI has been shared through an API it is no longer the responsibility of the provider to protect that information, but the AAN believes a security framework is required for third-party applications to prevent unauthorized disclosures once PHI has been transmitted by providers.

There is currently no federal regulatory framework to address unauthorized disclosures of PHI onside of enforcement by the FTC. Without a regulatory framework, a burden is placed on providers to ensure that they inform patients of the potential risks, when it should be the responsibility of app developers to ensure that all necessary precautions are taken to ensure PHI is protected. The AAN is seeking clarification on the responsibilities of third-party applications to ensure patient information is protected.

Unauthorized disclosures after PHI has been transferred do not constitute HIPAA violations, but they do have potential to negatively impact a provider’s reputation. Further, explaining the risks to patients may result in patients declining to share their information, which would work counter to CMS’s goal of promoting exchange of data and could detrimentally impact providers’ relationships with their patients.

“Given the sensitive nature of PHI and the paramount importance of trust between patients and providers, the AAN implores CMS and the FTC to ensure that there are clear security guidelines for third-party APIs and that there is robust enforcement to ensure that third-party applications are responsible stewards of patient data,” wrote Sacco.

Concern has also been raised about the sharing of certain types of particularly sensitive information, such as high-risk genetic testing data. If a patient has a genetic test that indicates there is a high probability that the patient will develop an incurable degenerative disease such as Huntington’s disease, prior to that information being shared with patients and their families it is necessary to make sure appropriate counselling is provided. The AAN suggests that that type of information should not be shared through APIs.

The AAN also believes the proposed six-month implementation time scale for many of the proposed changes is much too short. Complying with the new requirements in such a short time frame will place a significant burden on providers. More time has been requested for implementing the proposed system-wide changes.

The College of Healthcare Information Management Executives (CHIME) is also urging the CMS and ONC to extend the timescale for complying with the proposed changes and has suggested an interim rule is required and the time frame for complying should be extended from six months to three years.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.