Enabling A Patient's HIPAA Right To Access Their Protected Health Information (PHI) With APIs

I am reading through the API Task Force recommendations out of the Office of the National Coordinator for Health Information Technology (ONC), which were written to help address privacy and security concerns around mandated API usage as part of the Common Clinical Data Set and the Medicare and Medicaid Electronic Health Record programs. The recommendations contain a wealth of valuable insights around healthcare APIs, but they are also full of patterns that we should be applying across other sectors of our society where APIs are making an impact. To help me work through the task force's recommendations, I will be blogging through many of the different concepts at play.

In addition to highlighting the usage of "patient-directed APIs" that I wrote about earlier, and taking a healthy stance on privacy and security when it comes to healthcare APIs, I wanted to separate out the conversation around a patient's right to access their own protected health information (PHI), and how APIs are being used as the enabler. Here is the chapter from the task force's recommendations:

Many of the discussions within the task force centered around the notion that the patient directed app of our purview supports the patient’s HIPAA right to access his/her own PHI from a Covered Entity, as required under HIPAA § 164.502.

This could be characterized in several ways:

  1. the individual requesting access to their information
  2. an entity designated by the individual to receive a copy of PHI (as part of the individual exercising his/her right to access PHI)
  3. the medium on which the individual requests that PHI be provided or transmitted as part of the individual exercising his/her right to obtain a copy of PHI

Alternatively, the patient directed app may also be characterized as a third party formally authorized by the individual to receive PHI, or a tool for engaging the individual in treatment. Each of these scenarios creates challenges when attempting to determine oversight of an app's behavior, and there is not one clear solution.

I am going to educate myself about HIPAA § 164.502, and get to work understanding what other precedents exist, maybe with FERPA or COPPA, or other similarly regulated industries. I am just looking to understand where the lines are drawn when it comes to people having a "right to access" their data, especially when APIs are playing a central role like they are with healthcare interoperability.

I have read the healthcare API Task Force recommendations several times now, but I am only a couple of pages in when it comes to cherry-picking the ideas I want to consider more deeply, as well as indexing them as part of my overall API industry research. So stay tuned for continued posts about how APIs are being used to drive patient-centered access to healthcare data.