A Strategic Approach to Complying with the Cures Act

Hospitals, health systems, and physician practices need to focus on how they will safely and securely collect, exchange, and protect data as they use application programming interfaces (APIs).

Although the intent of API technology is to enable smooth information exchange between diverse health IT systems, poorly designed third-party applications that don’t follow standard guidelines can present patient privacy and data security risks when interfacing with a healthcare organization’s system of record.

Organizations need to have a plan for mitigating these risks while also avoiding situations that could be perceived as information blocking—intentionally withholding patient health information.

Even though the compliance dates for the interoperability rule keep shifting due to the pandemic, it is critical that healthcare organizations create the framework for regulatory compliance now—if they haven’t already. Adequate preparation will take time and rushing the process will not set an organization up for success.

What does a strong preparation effort entail? The following sections offer a basic roadmap to guide the work.

Embrace the Right Mindset

In laying the foundation for compliance, it’s important to keep the work in perspective.

The Cures Act is not just another set of regulations to follow. It presents an opportunity to gain further insight into the health of patients and the personal and environmental factors that influence it.

Smooth and unfettered information-sharing will help advance innovation, speed communication, reduce duplicative care and keep healthcare costs in check.

Effectively meeting the ONC’s requirements will also allow an entity to differentiate itself in the marketplace because the organization will be able to facilitate greater patient access to health information and make the healthcare process less onerous.

Develop a Business Plan

A formal business plan can help guide compliance efforts and can ensure steady and consistent implementation of key plan components, including a risk assessment, an API governance framework, and targeted patient and staff education.

To create a thorough and achievable business plan, it may be helpful to put a steering committee together who will bring diverse perspectives to plan development and champion compliance. This committee should include health information management (HIM) professionals, data security experts, IT leaders, legal and compliance team members, and representatives from patient support services. The CIO and CMO should provide senior leadership oversight and sponsorship.

HIM professionals will play a prominent role on this committee because they bring substantial knowledge and expertise to discussions on patient information sharing, data integrity, and data management. Healthcare organizations should consider tasking HIM professionals to be data custodians and information stewards, leading the API vetting process for third-party applications and setting up a framework to safeguard data from unauthorized parties.

Conduct a Risk Assessment

There are various privacy, security, and safety risks that emerge when sharing and accessing patient data from consumer applications, such as those that will use APIs.

For example, a healthcare organization’s lack of security standards or an insufficient security framework can increase the chances of a data breach through unprotected APIs. There is also a risk of harm to patients or users when third-party apps act inappropriately, which can cause data corruption. In addition, an unstable app can generate an excessive load on the organization’s system of record, resulting in data loss or unavailability. From a compliance standpoint, there are risks as organizations aim to preserve data privacy without running afoul to information-blocking regulations.

Because of the wide range of threats, it’s essential to conduct a risk assessment as part of the business plan development process. When considering potential API and third-party app issues, organizations should look to see whether its data security protocols are strong enough to address potential concerns without constituting information blocking. In addition, the organization should make sure its current electronic health information (EHI) policies do not violate information-blocking rules. If they do, consider how they need to change and who will guide the revision process.

Establish an API Governance Policy

A well-crafted governance policy can enable efficient API integration without putting the organization at risk. The governance policy should standardize a defined process for vetting API-enabled applications to assess the feasibility and safety of sharing data. HIM professionals should champion this effort, examining things like the type of information requested, cost of sharing information, available resources, control of the relevant platform, and app security.

While the Cures Act has given the Department of Health and Human Services (HHS) authority to prohibit information blocking and protect patients, there are carve outs. All the actors that are subjected to HIPAA regulations have the opportunity to vet third-party apps in accordance with the HIPAA guidelines. However, providers need to be cautious since any inappropriate vetting practices may lead to penalties under the information blocking rule.

To ensure consistency and compliance, the vetting process should include established check-ins at key milestones that must be met before moving to the next phase.

This tollgate process allows an organization to verify that each third-party application requesting data meets the organization’s safety and security criteria before it interacts with the system of record. Such a process allows providers to be more proactive about mitigating risks instead of reacting to problematic patient apps on a case-by-case basis.

Note that any activities done under the heading of “data governance” will be subjected to scrutiny by the ONC to verify the activities don’t constitute information blocking. If an app does not align with an organization’s data governance policy, and the organization is forced to deny access, HIM professionals should make sure there is enough proof that the app was reviewed and assessed using defined criteria, and there were malicious intents that presented a threat to patient safety and data security.

As part of the vetting process, HIM professionals should consider including these key steps:

• Make sure the solution uses certified API technology under the ONC final rule
• Ensure the app only requests data and information that is integral to patient care and health management, reducing unnecessary data collection
• Check that any personal information collected has a clear purpose
• Review all technical controls, including those related to data authentication, authorization and transmission encryption
• Verify how the app uses and stores EHI
• Determine the level of consent required to support EHI transfer
• Check if the third-party app developer is considered a business associate under the HIPAA rule. If it is, it will be required to have certain technical controls in place, per the HIPAA Security Rule
• Assess any potential privacy and/or security risks posed by the technology or third-party developer
• Make sure the app has the provision to delete any and all data as per the ONC guidelines

Apply Governance Unilaterally

Once the governance policy is established and the list of vetting criteria has been created and approved, organizations should apply the policy and vetting process to all third-party apps. Not only does this consistency limit the likelihood a bad actor could access private information through an app, but it also serves as a way to justify the instances where the organization must deny third-party access due to risk concerns, thereby preventing information-blocking challenges.

Educate. Educate. Educate.

The introduction and use of APIs and third-party applications represent a fundamental shift in how healthcare organizations will share protected information. Both internal and external stakeholders need to fully understand the risks and requirements of the ONC rule. HIM professionals should take the lead on implementing education programs.

From an internal standpoint, education and training should ensure that affected departments know about the changes and what their roles will be in facilitating information exchange while preserving data security. Critical departments to educate include information technology, medical records, marketing, compliance, contracting, and anyone else who is responsible for making and responding to information requests.

Equally if not more important is educating patients about their options for accessing clinical data and the privacy implications surrounding healthcare apps. All healthcare organizations should weave this type of education into their business plans for ONC compliance.

Patient education should focus on advantages and disadvantages of permitting EHI information-sharing, as well as security risks that may arise with third-party app use. Note the purpose of the education should be to increase awareness but not prevent or in any way influence a patient’s decision to share EHI with a third-party app developer.

The organization should also have a mechanism for notifying the patient about whether a third-party app meets or does not meet the security and privacy guidelines. To enable this level of communication and education, an organization may want to establish patient support centers or structures that will help individuals understand the importance of making informed decisions about accessing and sharing their health information electronically.

No Time Like the Present

Like any large-scale change, adequately preparing for APIs and third-party applications while ensuring compliance with information-blocking rules requires leadership commitment, careful planning, process standardization and consistent application. By starting now, HIM professionals can help their organizations effectively meet the requirements and fully take advantage of the innovation the new rules will engender. As part of this process, it is wise to keep abreast of any additional regulatory aspects that may evolve in the future. Business plans should be robust yet agile to drive successful implementation and foster an environment conducive to seamless information exchange.

Dhaval Shah (Dhaval.Shah@citiustech.com) is senior vice president of medical technology, and Simran Mittal (simran.mittal@citiustech.com) is senior healthcare consultant of medical technology at CitiusTech.