While MGMA appreciates ONC’s effort to fuel interoperability, the proposed timeline may push providers too far, too fast, which could lead to weaker privacy and security protections.
The Office of the National Coordinator should extend the timeline for its proposed information blocking rule or it risks pushing providers too quickly, which could lead to added administrative and financial burdens on providers and weaker privacy and security protections for health data, according to the Medical Group Management Association’s comments on the proposed rule.
In February, ONC released its proposed rule to implement the 21st Century Cures Act requirement. The comment period ended last week, with stakeholders applauding the rule while raising concerns about the timeframe, security, and the use of APIs to fuel interoperability.
The American Medical Informatics Association recently shared its concerns around the privacy and security of an API-driven ecosystem. While MGMA also supports the use of APIs through FHIR release 4 and HL7 implementation guides, the group raised concerns similar to AMIA’s.
“We are concerned about the security implications with the deployment of APIs,” MGMA wrote. “Absent appropriate privacy protections, we believe patient information is at risk of being sold, used for vendor marketing, and shared without permission with third parties.”
“Patients must be the primary authority in designating rights to access, exchange, and use of their data, but practices have a role to play as well,” they added. “ONC must design a process that gives practices the assurance that a third-party application has met a minimum level of security … [and] ensure patients are educated on the rights, responsibilities, and to the potential threats to their data.”
What’s more, third-party application developers aren’t typically required to adhere to HIPAA, as their apps are offered directly to consumers rather than to providers or health plans. MGMA stressed that ONC needs to develop a method by which covered entities and business associates can securely share patient health information.
The concern is that patients won’t have adequate information and won’t completely understand that they’re assuming the security risk of their chosen app, MGMA explained. And patients don’t typically understand when their data is or isn’t covered by HIPAA.
The Office for Civil Rights recently released a guide to clarify provider responsibility around third-party app use, after several reports revealed that many popular health and mental health apps share patient data without being transparent about the process.
The FAQ revealed that providers aren’t responsible under HIPAA for verifying the security of the app chosen by the patient, as long as the app was not recommended or created by the provider. Although MGMA appreciated the guidance, “this ‘safe harbor’ does not address the potential vulnerability of patient information when sent to the application.”
“The Proposed Rule stipulates that a practice is not permitted to conduct ‘verification’ checks on individual third-party applications before allowing the application to connect to its API, but rather must conduct such ‘verification’ on the developers themselves and must complete the process within five business days,” MGMA wrote.
“Although ONC provides some examples of acceptable ‘verification’ processes in the proposed rule, the permissible scope and purpose of ‘verification’ is still unclear given that a practice is prohibited from seeking additional information about the third-party developer’s application or its security readiness,” they added.
ONC needs to provide clear guidance on the precise types of verification that will be permitted and that providers are allowed to undertake before permitting third-party apps to connect to their APIs, MGMA explained. The agencies should partner with the private sector to develop a privacy and security trust or certification framework for third-party apps that connect to certified health IT APIs.
Once a framework has been created, ONC needs to allow practices to limit the use of their APIs to third-party apps that have agreed to follow the framework.
“Such a program would not only foster innovation, but also establish improved assurance to patients of the security of their information,” MGMA wrote.
Under the current proposal, an app would need to attest ‘yes’ that it provides patients with notice and control over how their data is used before it is allowed to connect to the API. However, MGMA explained that this traditional model, which simply directs users to accept the conditions, is not sufficient to communicate the potential risk to their data.
“We have significant concerns regarding the complex and costly compliance requirements on practices and the documentation, patient education and risk issues related to the proposed API provisions,” MGMA wrote.
“Simply put, the traditional approach to granting permission to APIs may be insufficient,” they added. “It is imperative that patients fully comprehend the risk prior to using their data in apps and in choosing to use the API.”
In addition to API security, MGMA raised concerns with ONC’s timeline, calling it “too ambitious.” The timeframe and requirements could lead to compromised patient care, physician burnout, and security issues.
To avoid this, MGMA suggested that ONC stagger the final requirements to give providers and vendors sufficient time to develop and implement the proper technology.
ONC should also ensure the new requirements don’t result in unnecessary provider burden, and make sure that data quality is promoted over quantity. Further, MGMA noted that “appropriate privacy and security provisions are paramount in the deployment of APIs and other interoperability provisions.”
To ensure privacy and security are bolstered throughout the process, MGMA recommended ONC avoid “overly aggressive mandates” and implementation timeframes that could be counterproductive by leading to unnecessary financial and administrative burden.
These elements could threaten health information security and potentially compromise patient safety.
What’s more, ONC should require third-party app developers to sign business associate agreements “to better ensure that appropriate security measures are in place.”
“A BAA would create a safe harbor from liability for practices, if health information is disclosed by a third-party and unauthorized by the patient,” MGMA wrote.
To MGMA, the information blocking rules are far too complex: they would significantly increase administrative burden, create confusion as to what data can be disclosed and when, and increase the risk of sharing sensitive health data inappropriately or when it’s not needed.
“Rather than subject providers to information blocking penalties, we recommend ONC engage in an educational campaign to better inform clinicians and their patients regarding their rights and responsibilities vis-à-vis information exchange,” MGMA recommended.
“The final regulation should be reasonable, actionable, and not add needless administrative burden,” they added.
To support this, ONC should allow providers to use their professional judgment to protect patient privacy rights, including in determining what constitutes “minimum necessary” as required in the proposed rule. Officials should also “ramp up” EHR oversight to ensure the software meets the requirements set out in ONC certification, including security protocols.
Several security researchers have shared similar concerns with HealthITSecurity.com in recent months, including the need for standards to ensure ONC is not inadvertently expanding healthcare’s attack surface.
Date: June 12, 2019
Source: Health IT Security