BLOG

Blog Post by Brian Selfridge, Partner at Meditology Services

---

In May 2020, while the healthcare industry grappled with the outbreak of a global pandemic, the US Department of Health and Human Services (HHS) quietly issued a Final Rule that has major implications for the secure electronic delivery of health information to patients via third-party platforms and apps.

Increased interoperability between systems has many potential benefits for patients, but it also introduces a larger technology footprint for sensitive patient information including Protected Health Information (PHI). We know that many vendors servicing healthcare do not have a strong track record on security and privacy, which raises concerns about expanding the footprint and technical means of accessing PHI.

In this blog post, we explore the new regulations and their implications for healthcare security and risk management programs.

The 21st Century Cures Act

The 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program [1] is designed to give patients and their healthcare providers secure access to health information. It calls on the healthcare industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured electronic health information using smartphone applications.

To support the implementation of secure electronic exchange of patient information, ONC has adopted and promoted a standard communication framework developed by the industry standards group HL7 called the SMART App Launch Framework [2]. The framework leverages a communication standard called FHIR (pronounced “fire”) that includes security standards for related APIs.

Interoperability and Information Blocking

According to HHS in a March 2020 press release [3], “the ONC Final Rule identifies and finalizes the reasonable and necessary activities that do not constitute information blocking while establishing new rules to prevent “information blocking” practices (e.g., anti-competitive behaviors) by healthcare providers, developers of certified health IT, health information exchanges, and health information networks as required by the Cures Act.”

The Centers for Medicare and Medicaid Services (CMS) also introduced the Interoperability and Patient Access Final Rule which finalizes new policies that help “liberate heath information” [4]. These new policies include:

• Patient Access API (applicable January 1, 2021)
• Provider Directory API (applicable January 1, 2021)
• Payer-to-Payer Data Exchange (applicable January 1, 2022)
• Improving the Dually Eligible Experience by Increasing the Frequency of Federal-State Data Exchanges (applicable April 1, 2022)
• Public Reporting and Information Blocking (applicable late 2020)
• Digital Contact Information (applicable late 2020)
• Admission, Discharge, and Transfer Event Notifications (applicable spring 2021)

More information about the CMS Interoperability Rule can be found on the CMS.gov website. [5]

The US Office of the Inspector General (OIG) has enforcement oversight of the information blocking provisions and can issue fines of up to $1m per incident for EHR vendors that fail to comply with the information blocking provisions. Offending developers and EHR platforms can also be banned from attaining CMS certifications going forward.

API’s Connect Electronic Health Records & Smartphone Apps

Implementation of these new rules has led to the development of Application Programming Interfaces (APIs) to connect EHR platforms with third-party smartphone apps.

Third-party EHR vendors including Epic and Cerner have stood up sandbox environments to allow testing and development of API interfaces for access to patient information via smart phone apps. It should be noted that Epic lobbied aggressively against the Cures Act and related information blocking provisions citing privacy concerns. Some critics note that a more likely source of Epic’s contention may have been related to losing a grip on proprietary control of patient data rather than patient privacy considerations.

Big name tech vendors are quickly getting into the app development space for access to patient information including Microsoft Azure's FHIR APIs and Apple Health App interfaces and code development.

Security & Privacy Risks for “Liberating Health Information”

The new rules that CMS touts as “liberating health information” are generating debates in privacy and security circles about the pros and cons of easing the flow of patient information across systems and platforms.

HHS has noted in the final rule that privacy and security remain as core tenants of these information sharing initiatives. The interoperability rules are not designed to conflict with privacy and security objectives and the government has emphasized the need for organizations to comply with existing HIPAA privacy and security regulations in the development and deployment of related APIs and technologies. Additional security requirements are also spelled out in the rule for authentication criteria related to multifactor authentication and encryption controls.

Healthcare entities and third-party vendors are able to claim exceptions for sharing information with third-party vendors based on security concerns, however, they must document detailed justifications for such actions.

Risk assessments of related technologies including patient portals, EHR API’s, and smartphone apps will need to be prioritized by healthcare entities and third-party risk management programs. Security and privacy policies will also need to be updated to reflect information sharing protocols and standards for third-party vendors to comply with interoperability rules while also protecting patient privacy and security of sensitive health information.

Our Recommendations

1. Continue to invest in security risk assessment and third-party risk management capabilities to keep up with the anticipated influx of new APIs, vendors, and systems that have access to PHI under the new rules
2. Incorporate new APIs and smartphone application deployments into your annual enterprise-wide risk assessment scope
3. Prioritize security risk assessments for third-party API’s from EHR vendors and smartphone-enabled transmission of patient data
4. Validate that your organization is using the latest certified version(s) of EHR platforms that include the technology and protocols required to comply with the new rules
5. Incorporate these new rules into your organization’s privacy impact analysis, privacy risk assessments, and compliance program initiatives
6. Conduct privacy risk assessments of vendors to understand their compliance with HIPAA Privacy Rule mandates as well as interoperability and information blocking provisions
7. Establish data governance policies, procedures, and oversight to track and authorize which information can flow to downstream platforms and evaluate related security controls
8. Assess fourth-party relationships for EHR vendors that are sharing patient information with smartphone app and other technology vendors in compliance with the information blocking rules
9. Require vendors to conduct and provide attestations of penetration testing services for newly developed or deployed APIs for patient data sharing
10. Require vendors to maintain third-party certifications such as HITRUST and SOC 2 Type 2 to gain assurance that security procedures are established consistently at an organizational level for the vendor
11. Update security and privacy policies including data sharing and notice of privacy practices policies to reflect these new regulations
12. Maintain dialog and communication with your EHR provider on the deployment of supported apps and APIs as they evolve; provide input on decisions related to the data governance and security and privacy controls of your patients’ information

The proliferation of sensitive data to third-party platforms and technologies has been a consistent trend for the last several years. These new interoperability and data sharing rules are likely to accelerate that pattern.

Finding a wholistic cure for information security and privacy risks is unlikely and time soon. However, a great deal can be done to limit the outbreak and impact of breaches of sensitive information that are driven by federal interoperability initiatives.

Contact us to learn more about these emerging regulations and how we can support your organization’s security, privacy, and compliance programs.

---

REFERENCES

[1] https://www.federalregister.gov/documents/2020/05/01/2020-07419/21st-century-cures-act-interoperability-information-blocking-and-the-onc-health-it-certification
[2] http://hl7.org/fhir/smart-app-launch/
[3] https://www.hhs.gov/about/news/2020/03/09/hhs-finalizes-historic-rules-to-provide-patients-more-control-of-their-health-data.html
[4] https://www.cms.gov/newsroom/fact-sheets/interoperability-and-patient-access-fact-sheet
[5] https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index