HHS Urged to Develop National Framework to Better Protect Patient Health Information
The Workgroup for Electronic Data Interchange and the Confidentiality Coalition recently sent a letter to the Secretary of Health and Human Services and the Secretary of Commerce with recommendations to better protect patient health information from third-party apps.
WEDI, formed by HHS in 1991, is an authority on improving the use of health IT and health information exchange.
According to the letter, third-party apps have been gaining access to certain patient information that isn’t protected under the Health Insurance Portability and Accountability Act.
“We are concerned … regarding the lack of robust privacy standards applicable to the large percentage of third-party app developers not associated with [consumer electronics] and therefore not covered under HIPAA,” the letter states.
Although the group supports patients accessing their personal health information through apps, the letter asserts that more of a national framework is required to ensure that health care data obtained by third-party apps is held to high privacy and security standards.
Security recommendations include: releasing additional guidance on third-party app security; requiring entities that are not HIPAA Covered Entities or business associates to clarify collection of health information; developing a privacy and security accreditation or certification framework for third-party apps; and creating coordination between groups focused on improving CE education.
CMS currently uses tools like the Blue Button 2.0 feature to require third-party apps seeking access to patient health information to complete a kind of CMS-approved security certification. According to the letter, that model could be used to strengthen security requirements for the private sector.
Alexa can be reached at [email protected]