EHR vendors eye safe data access for third-party health apps

EHR vendors are designing data authorization scopes for third-party health apps. It's a process that hinges on patient trust and requires transparency.

EHR vendors are busy working to meet new interoperability requirements from federal regulators.

The new regulation from the Office of the National Coordinator for Health IT (ONC) requires EHR vendors to implement Fast Healthcare Interoperability Resources (FHIR)-based APIs within the next two years. Standardized APIs are intended to help patients connect to their health data via a third-party health app of their choosing. EHR vendors are also required to build authorization scopes to enable secure third-party app data access into their APIs, which they say is a complex process.

Authorization scopes ensure EHR vendors can verify and control what data a third-party health app has permission to access. When a healthcare app requests permission for clinical data access, the predefined authorization scopes determine what data the third-party health app needs.

As one option for third-party app authentication, EHR vendors are using OAuth 2.0, an open standard used by travel and banking apps, according to Don Rucker, national coordinator for health IT. OAuth 2.0 is an authorization protocol that EHR vendors can use to permit or deny an app secure access to data as well as limit what data is accessed.

"There are a lot of authentication technologies that are moving along rapidly, so I think in the next couple of years, we will see true consumer security and of course with all of the privacy protections that authentication brings," Rucker said during the organization's virtual ONC Tech Forum this week.

At the event, representatives from two of the nation's largest EHR vendors talked about the challenges authorization scopes present and explained why building out APIs between EHRs and third-party health apps is a balancing act: making enough data available to third-party apps, but not too much.

Cerner, Epic API authorization scopes

Jenni Syed, director and senior principal engineer at Cerner Corp., works on the roadmap for Cerner's healthcare app platform. She's helping map out everything from how patients access their data through third-party health apps to how apps use the dataset provided by APIs and fit within the Cerner EHR workflow.

Authorization scopes for third-party health apps are one part of that roadmap. In building out Cerner's data scopes, Syed's first focus has been patient consent and making clear what data patients would be sharing, who they'd be giving it to and how long it would be accessible by the app. This authorization process occurs every time a third-party app requests healthcare data on behalf of a patient.

Initially, Cerner's authorization process was too complex for patients and involved too much text and too many clicks, according to patient feedback. Syed said scopes are a hard concept to describe to patients, which prompted Cerner to simplify things. Patients can now choose to view more details about what some terms, such as "diagnostics" or "documents," mean before they grant data access to third-party health apps. Cerner gives patients the authority to manage what health data third-party apps can access and provides links to third-party apps' terms of service and privacy policies.

One of the challenges EHR vendors face is how to offer patients a narrower scope of the data they choose to share. For example, there isn't a simple way for authorization scopes to pull vitals-only data out of the EHR, Syed said. Instead, if patients want to provide an app access to vitals data, they have to grant permission for the app to access diagnostic data, the set of data where vitals data is lumped.

"In the future for 21st Century Cures, a lot of bullet points will become check boxes where patients can select and deselect [data] to share with apps," Syed said.
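An added illustration of the granularity problem Syed describes, not code from Cerner, Epic or the article: a resource server enforcing a coarse `diagnostics.read` scope releases labs and imaging to an app that only needs vitals, while a category-filtered scope does not. The scope strings, record fields and function names are hypothetical.

```python
from urllib.parse import parse_qsl

# Constructed sample chart; "group" mirrors vitals being lumped under diagnostics.
RECORDS = [
    {"id": "obs-1", "group": "diagnostics", "category": "vital-signs"},
    {"id": "obs-2", "group": "diagnostics", "category": "laboratory"},
    {"id": "obs-3", "group": "diagnostics", "category": "imaging"},
    {"id": "doc-1", "group": "documents", "category": "clinical-note"},
]
ALLOWED_FILTERS = {"category"}  # hypothetical: the only narrowing this server supports


def parse_scope(scope):
    """Split 'group.action' or 'group.action?key=value' into its parts."""
    head, mark, query = scope.partition("?")
    group, dot, action = head.partition(".")
    if not (group and dot and action) or (mark and not query):
        raise ValueError(f"malformed scope: {scope!r}")
    filters = dict(parse_qsl(query, strict_parsing=True)) if query else {}
    return group, action, filters


def scope_allows(scope, record):
    """True if one granted scope covers a read of this record."""
    group, action, filters = parse_scope(scope)
    if action != "read" or record["group"] != group:
        return False
    # Fail closed: an unrecognised filter key denies instead of being ignored.
    if not set(filters) <= ALLOWED_FILTERS:
        return False
    return all(record.get(k) == v for k, v in filters.items())


def readable(granted_scopes):
    """IDs of records the app can read under the scopes the patient approved."""
    return [r["id"] for r in RECORDS
            if any(scope_allows(s, r) for s in granted_scopes)]


def over_grant(granted_scopes, needed_category):
    """IDs released beyond the one category the app's purpose requires."""
    allowed = set(readable(granted_scopes))
    return [r["id"] for r in RECORDS
            if r["id"] in allowed and r["category"] != needed_category]
```

Running `over_grant` against the scopes on each consent screen gives a quick measure of how much data a patient is sharing beyond what the app's stated purpose needs.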

Epic's authorization scopes follow a similar approach to Cerner's, and start with making sure patients understand what health data will be shared and how much control they have over what is shared, according to Janet Campbell, vice president of R&D relations at Epic Systems Corp.

Inside the patient portal, Epic now includes a process for authorizing data access to third-party apps. The first step is to explain to patients what data is being requested by the app, such as appointments, as well as what appointment data entails. The process also includes details about how long individual apps will have access to data, according to Campbell.

Campbell said it's vital that EHR vendors are clear with patients about what giving access to third-party health apps means; once a patient decides to share data with an app not provided by a HIPAA-covered entity, it is no longer under the protection of HIPAA.

"As we start to think about how we are moving consumers into a world where HIPAA-protected health information is leaving the protections of HIPAA, I think it's extremely important to empower patients with the tools they need in order to keep their data as secret and safe as they want it to be without overly panicking them or putting them in a situation where their data is shared in a way they didn't anticipate," Campbell said.

Authentication tools like OAuth 2.0 should provide a trustworthy and secure method for authenticating third-party apps and data access, according to ONC's Rucker.

Moving forward, Brian Murphy, director of research at Chilmark Research, said the real challenge for EHR vendors is not how they reach the minimum requirement for data sharing, but how far they go above the minimum required when it comes to authorization scopes. ONC's interoperability rule requires EHR vendors to share data elements listed in the U.S. Core Data for Interoperability such as medications, clinical notes and laboratory test results. But Murphy said that's much less than what EHR vendors are capable of sharing.

"For the most part for the EHR vendors, I think it's going to get them to think more seriously about what kind of APIs they can offer above and beyond what these rules are asking for," he said.
