Privacy and Security Concerns Remain a Barrier to API Adoption

Provider organizations are worried about the risk of data breaches related to APIs and third-party apps; they believe that strong privacy and security protections are vital for successful API adoption.

Providers want the enhanced EHR functionality that APIs provide, but concerns surrounding data privacy and security stand as barriers to API adoption, according to the newest “Accelerating APIs” report.

Accelerating APIs for Scientific Discovery: Provider Perspectives Brief,” examines provider perspectives on the current landscape of API-based health information exchange.

“Provider organizations are often the primary stewards of a patient’s medical history, and data captured in electronic health records (EHRs) influence a provider’s workflow and clinical decisions,” ONC officials Mera Choi, Stephanie Garcia, and Chelsea Richwine wrote in a HealthITBuzz blog post. “As a result, it is imperative that we understand providers’ perspectives as we build towards an interoperable healthcare system.”

API usage has significantly increased among provider organizations over the last several years.

In 2016, when the Cures Act was signed into law, only 38 percent of non-federal acute care organizations enabled patient data access via an API-based health app. By 2019, 70 percent of non-federal acute care organizations gave patients access to their health information through an API-based health app, the ONC researchers stated.

The increase of health apps has enhanced the ability of patients, providers, and researchers to access EHR data to enhance patient care, improve health and wellness, and support reporting requirements, ONC stated.

Overall, providers are generally enthusiastic and supportive of using standardized APIs to extend core EHR functionality. APIs let clinicians use apps to improve quality of care, enhance clinical decision-making, and increase patient engagement and satisfaction.

Participants in the ONC survey said APIs are helpful, as they allow organizations to implement health IT solutions to supplement or replace features in their core EHR, filling unmet specific needs for patients or providers.

“Provider organizations reported they often implement apps to promote patient safety and organizational efficiency in clinical areas not adequately supported in the EHR (oncology, genomics, chronic disease management) or where apps facilitate a more seamless user interface that provides access to external data, information, or analytics,” the ONC researcher wrote in the report.

Even though providers encourage the use of APIs, they are still experiencing several challenges related to the implementation of these technologies.

Many provider organizations are limited by technical resources and lack of experience in implementing APIs and apps. They often rely on their health IT developers to provide implementation assistance for new functionalities.

“It is essential for health IT developers to communicate effectively with them regarding API functionality, availability, timelines, and costs associated with the implementation of new features,” the ONC researchers wrote. “While some health IT developers take a very active role in ensuring their customers have effectively upgraded and implemented API capabilities, others take a more passive and customer self-service approach where it is up to the customer to initiate the implementation process.”

Staffing limitations also challenge providers. One discussion participant said their organization’s IT department staffing was “stretched thin,” as staff members needed to play multiple roles to address staffing shortages and spent most of their time providing end-user support to ensure smooth operations.

Additionally, providers had contrasting experiences regarding governance and implementation of new APIs or app functionalities.

“Discussion participants reported that several of their organizations have a formalized, robust process to evaluate, strategize, prioritize, and implement new technologies; others reported that their organizations had no formal process,” the researchers said. “The organizations without formal governance procedures lacked the resources required for successful implementation and management of APIs and apps.”

Not only is API adoption limited by operational challenges but also by privacy and security concerns. Greater patient access to healthcare data can increase the risk of a security breach.

While HIPAA supports patient access to health information, the information blocking Final Rule outlines a technical capability that can be used to support that access.

“The Final Rule requires health IT systems to provide access to the USCDI (data set) via APIs, and providers must allow patient-authorized apps to access an API,” the report stated.” That access is authorized by the patient using authentication and authorization processes that are fully under the provider’s control.”

Under the ONC interoperability rule, providers must allow any patient-authorized app to access data, or they will be liable for information blocking.

Provider organizations are concerned about the risk of data breaches associated with apps, the report mentioned.

Providers want strong privacy and security protections for implementing APIs and health apps. However, the ONC Final Rule does not allow providers or EHR vendors to impose security assessments restricting patient data access.

One respondent said consumers might not fully understand when they agree to data exchange via a third-party app; the app may continuously extract data for an extended period until the consumer revokes their consent.

“More granular levels of consent are needed to provide consumers with additional transparency about specific data elements and explicit timeframes when their data will be stored and shared,” a respondent suggested.

“Data sharing agreements may protect providers against liability, but consumers do not have any recourse in the case of a breach other than what the federal government may impose as a penalty on the third-party app developer.”

Next Steps

Dig Deeper on Clinical documentation

Cloud Computing
Mobile Computing