With preliminary meetings over the past two weeks, the Health IT Policy Committee’s API Task Force has begun to uncover possible barriers to the widespread adoption of open application programming interfaces (APIs) in healthcare. It has also started to probe for real and perceived privacy/security risks that could hamper development of APIs within the broader scheme of health IT interoperability.
During its most recent meeting on Dec. 4, the task force took a look at the API landscape as it exists today. “When you try to gauge the current state of market adoption, it’s hard. There’s not a single catalog or list to answer questions for us out of the box,” explained co-chair Josh Mandel of Boston Children’s Hospital and Harvard Medical School. “That information alone tells us a little bit about the state of the art or the ecosystem.”
Nonetheless, the group sees opportunity amid the void of API information. The task force is considering an outreach survey that would serve as a mechanism to gain a better understanding of the healthcare API marketplace and to gather security and privacy considerations for APIs. A possible survey partner is the Electronic Health Record Association, a trade group of about 40 EHR vendors.
While aiming to keep the survey brief to maximize response and reduce the burden on respondents, the task force has begun to draft possible survey questions, including the following:
- Does your organization provide an API available directly or to third parties?
- Are there production deployments of your APIs?
- Is there a catalog or store of tools built for them?
- What is the fee structure?
- Are there third-party certifying authorities?
- Are there specific security or privacy considerations unique to the use of APIs in healthcare?
In addition, the task force is likely to include a few more broadly based questions, such as: “What is holding you back from API development?” and “What are your plans for 2016?”
Co-chair Meg Marshall, director of health policy at Cerner, pointed out, “The value here is to understand market readiness — and then, outside of healthcare, are there other best practices that we can draw from?”
Mandel noted that a lot of material for creation of an API catalog could come from the EHR certification criteria for meaningful use Stage 3. “One of the things the vendors will have to do is describe their APIs in a public document and include a link to a website where they describe their APIs. For this workgroup, we’d like to get some early insights into where we are today, instead of waiting until the full certification process matures,” he observed.
Drilling down on privacy and security
Task force member David Yakimischak, executive vice president at Surescripts, also informed the Dec. 4 discussion with several general privacy and security considerations that could apply to healthcare APIs. For example, Google’s Gmail app uses publicly available APIs behind the scenes, with a security model layered on top to protect assets where needed. “Something that easy to use and that universal” would be worth investigating, he said.
Yakimischak added that the task force should spend time on the issue of data metering. “Is there a type of call that can get thousands of patients’ worth of data at a time? An API that accesses multiple records at a time presents a different set of security risks and privacy concerns. Single use, one patient at a time, is a recommendation we might want to consider to limit the access someone could get,” he commented.
He also suggested further discussion on whether data from APIs would be free and open or “digitally sealed” — so that a patient could find out who opened their envelope. Leslie Kelly Hall, senior vice president for policy at Healthwise, advocated a tamper-proof seal, but added that development of that type of protection would be a long-term project. Ultimately, she noted, “one of the biggest opportunities is for the patient to be a data intermediary; the patient is going to be part of the mix to help move data around.”
Finally, several committee members voiced concern over how identity management or authentication would be handled in an open-API ecosystem, and whether existing standards could be leveraged in some way.
Aaron Miri, CIO of Walnut Hill Medical Center in Dallas, emphasized, “This is going to tie into how people trust using information over an open API of any sorts.”
The proposed workplan for the API Task Force calls for two virtual hearings with expert panelists to be held at the end of January. The group is scheduled to present draft recommendations to both the Health IT Policy and Health IT Standards committees in early March. Final recommendations are due to those committees on April 19.