Q&A: Securing healthcare app data
Q: HHS has a proposed rule out that would make sharing of health information with patients easier through the use of APIs and smartphones. What’s important to know for making these apps secure as we work with vendors who will ultimately be producing these apps for a CE?
A: Even though the proposed rule has not been finalized, health information technology currently supports the use of APIs and smartphones to use and disclose PHI. As with any vendor, it’s sound practice to vet vendors up front if you intend to contract with them as BAs.
When evaluating vendors, it’s good practice to require vendors to complete a security questionnaire and, if there are any red flags, require the vendor to address any security deficiencies before contracting with them. If the vendor is unwilling or unable to address security deficiencies, look for another vendor.
If the vendor states they are HIPAA compliant, make them prove it. Too many vendors claim to be compliant, but more often than not, that only means the vendor has implemented sound technical safeguards.
The biggest risk when it comes to information security is the people side of the equation—administrative safeguards. Ask about implemented policies and procedures, when they conducted their last risk analysis (ask for a copy of at least the summary of the associated report), whether they provide security training, and so forth.
This is not a one-time event. It is a good idea to periodically require the vendor to complete an updated security questionnaire. They may have implemented a sound security program today, but it may not be the same tomorrow.
Editor’s note: Apgar is president of Apgar & Associates LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.