The prescription for FHIR implementation.

Application Programming Interfaces, or APIs, can support health information exchange and interoperability.

APIs Can Revolutionize Health Care

Let's start with something you're familiar with. Think about searching for a flight. Before APIs, people had to visit various airlines' websites to compare prices. Now, there are travel search programs that centralize airline flight information. How do they do this? By using APIs.

APIs in health care are already doing the same things. For example, mobile apps can use APIs to gather data from fitness trackers and add the data to a patient's personal health record. In the near future, patients may even be able to use an API to electronically share diagnostic information with their doctor in real time - like blood pressure readings, blood sugar levels, and other health information patients generate themselves.

Now that certified electronic health records are required to provide APIs, patients will be able to connect to these APIs to gather and share health information, for example from health care providers' patient portals.

Health IT Security Considerations

The HIPAA Security Rule can help providers manage some of these risks. The Security Rule requires providers that are covered by the rule to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information, or e-PHI. Covered providers are required to perform risk analysis as part of their security management processes. When health care providers add APIs or other new technologies to facilitate information sharing, the best way to identify the resulting risks is to conduct a revised security risk assessment. If the analysis identifies new risks, security measures will need to be put in place to reduce them.

This process will help providers protect their practice from threats such as ransomware, theft, or other types of hacking. ONC offers a Security Risk Assessment Tool online, free of charge, to help small and medium-sized providers assess their risk so they can take the appropriate precautions.

Federal Rules for Data Transfer

In 2015, ONC published the Health IT Certification Criteria rule. This regulation requires certified health IT to provide access to health information using APIs. Under the Health Insurance Portability and Accountability Act of 1996, or HIPAA, providers must release certain requested data to patients and provide technical safeguards for security and privacy. The Office for Civil Rights is responsible for enforcing the HIPAA privacy and security rules.

Under Federal Trade Commission rules, health care providers are prohibited from unfair or deceptive acts or practices in or affecting commerce, and they must provide reasonable and appropriate data security.

The Food and Drug Administration requires that apps protect information accessed from or transferred by medical devices, and the FDA is proposing regulatory frameworks that treat AI as medical devices under its purview.

To learn more about which rules might apply, visit the FTC's portal, which summarizes some of the privacy and security requirements that may apply to mobile health apps.