The American Hospital Association, in comments sent to the Centers for Medicare and Medicaid Services relating to the Hospital Inpatient Prospective Payment System for FY 2019, is calling attention to CMS on the need for more secure mobile apps.

There is a lot of information that regulators and hospitals need to know about the current data security status of mobile apps and while AHA asserts the importance of data exchange, much of its comments are sober.

“Hospitals and health systems believe that securely sharing health information is central to providing high quality coordinated care, supporting new models of care and engaging patients in their health, according to the association. New tools and technologies, including APIs and apps, will allow for more convenient and flexible access to health information and new ways for individuals to engage in their health.”

However, AHA warns of real and developing risks as new forms of data sharing are developed.

For example, the proposed rule would require hospitals to connect any application of a patient’s choice without permitting the hospitals to evaluate the app for security risks, or test that the app functions as designed.

Also See: Why cloud and connectivity apps are key for improving care

AHA calls for a transition period that allows development of a secure app ecosystem and time for providers to develop competence in using and securing APIs, and also suggests a change to a measure in the proposed rule:

“The eligible hospital or CAH ensures the patient’s health information is available for the patient (or patient-authorized representative) to access using at least one application that is configured to meet the technical specifications of the API in the eligible hospital or CAH’s certified electronic health record technology. We also recommend that CMS provide an exclusion for this measure in FY 2019 for hospitals and CAHs that cannot successfully identify an app that meets the security needs of their system.”

Provider rights

Providers also must have the right to control the technology being connected to their information systems to keep the systems secure, as any connected app poses risk of malware being injected into the hospital information system, AHA tells CMS. This could have catastrophic effects on systems and clinical operations while also being a HIPAA violation.

For instance, commercial app companies generally are not HIPAA-covered entities and when information flows from a hospital’s information system to an app, it likely is no longer protected by HIPAA, the hospital association warns.

“Most individuals will not be aware of this change and may be surprised when commercial app companies share their sensitive health information obtained by a hospital, such as diagnoses, medications or test results, in ways that are not allowed by HIPAA.” Further, hospitals could be seen as responsible if a patient’s data is sold to a third party or used for marketing purposes.

The Office of the National Coordinator has released a voluntary model privacy notice for app companies but its use is not required, AHA tells CMS. “In one study of diabetes apps, almost 80 percent did not even have privacy policies and about half those with a privacy policy indicated they would share data with third parties.”

AHA further recommends CMS join with the Office of the National Coordinator for Health Information Technology and the Federal Trade Commission to develop educational programs for consumers on how app companies use their data and the importance of updating privacy practices of their app. The AHA’s full comments are available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access