Questions arise over how federal rules for health care apps will affect pediatric
Natalie M. Pageler, M.D., FAAP and Emily Webber, M.D., FAMIA, FAAP
Health IT Trends
Most pediatricians have heard the need: a mother trying to access her child’s medication
list while at an out-of-state emergency department or an adolescent patient at camp
trying to verify his vaccination record. Patients’ needs and rights to access and
own their clinical data are well understood; however, balancing access and privacy
isn’t always as easy as hitting the App Store.
The Office of the National Coordinator for Health Information Technology (ONC) recently
released proposed rules outlining federal priorities for interoperability and information
sharing intended to improve patients’ and medical teams’ access. The document includes
rules for patient-facing application programming interfaces (APIs).
An API is a series of rules about how different systems communicate with each other.
APIs help move data out of electronic health records (EHRs) and onto other software
and web-based solutions, such as patient-facing third-party apps.
Federal rules for certified EHR technology mandate that patients must be able to electronically
export the defined Common Clinical Data Set directly into third-party apps of the
patient’s choice. These requirements are expanded in the proposed rules.
Clinics and health systems achieve this required electronic export by giving patients
access to EHR data through an API. Many clinicians
are using EHRs that have this capability.
It is unclear how these regulations will be applied to pediatric patients and what
it means for pediatricians charged with protecting confidentiality of patient data.
The AAP recently sent a letter to the national coordinator for health information
technology commenting on the ONC proposed rules, including those related to APIs,

What’s in an app that uses an API?

Third-party apps for aggregating a patient’s data are not regulated under the Health
Insurance Portability and Accountability Act or any other specific health data privacy
laws. Patients assume the data privacy risk when they download data.
For physicians and health care teams who see themselves as stewards of clinical data
and continue to “first do no harm,” this lack of regulation is disturbing. An app
using APIs to extract health data untethers it from the required security standards
in EHRs. If an adolescent patient or a guardian shares that data with a third-party
app, the loss of privacy could be irreversible.
One or more parents or other proxies may need access to a child’s health information.
In pediatrics, the export of electronic health information by patients or their proxies
is complicated for several reasons:
- There must be a way to identify who can have proxy access to a child’s data. This
  may be addressed by the same workflows that have been established for access to a
  health system’s patient portal. However, this remains a challenge for pediatricians
  working without appropriate data segmentation or customized portals.
- Existing apps allow a user to download only one person’s health information. Parents
  or guardians must be able to download their own data as well as their child’s or children’s
  data. The app should be able to separate the data and associate it with the appropriate
  patient. There are not yet well-established apps capable of doing this.
- The issue of adolescent confidentiality is challenging due to variation in state laws
  and limited ability to segregate specific data in EHRs.
The proposed rules include exemptions based on existing laws. This presumably would
include state laws about adolescent confidentiality, which becomes very complicated.
As written, the proposed rules have the potential to effectively exclude children
and pediatricians from the widespread adoption of APIs. They do not address the segmented
data required for a shared record between adolescents and their parents.
This challenge is not limited to adolescents. Adults who give proxy access to their
spouses, adult children or others also need to keep some of their data private.
“Children are not little adults” is as true in EHRs and health information technology
as it is for medication dosing and developmental screening. Technical rules for the
EHR to meet pediatric needs require intentional advocacy. For many clinicians and
patients, the best-case scenario is that these new rules do not make existing problems
Simply put, children are not well-served by current patient-facing APIs and available
third-party apps. The proposed ONC rules would be strengthened by clarifying how implementers
will make these APIs and apps ready for prime time in pediatric care.
The AAP, under the leadership of the Council on Clinical Information Technology and
the Child Health Informatics Center, will continue to work with federal agencies and
other stakeholders to prioritize safety, security and high-quality care for children.
Dr. Pageler is a member of the AAP Council on Clinical Information Technology and
the Child Health Informatics Center Project Advisory Committee. Dr. Webber is chair
of the council’s executive committee.