
What Are Data Security Concerns with Healthcare APIs?

While APIs in healthcare have the chance to give patients more control over their own health data, it is important for organizations to understand data security concerns.

By Elizabeth Snell

Potential health data security concerns and security risks have previously been touted as barriers for the use of application programming interfaces (APIs) in healthcare. However, if covered entities understand the basis of the technology, it will likely not pose any larger threat than other innovations.

Group discusses data security concerns in healthcare APIs

APIs allow information to move between computer systems or programs. With healthcare, industry stakeholders hope for it to aid the push toward interoperability and secure exchange of health data.

The Commonwealth Fund recently published a post discussing the benefits of APIs, and how patients could greatly benefit by being able to easily and quickly view and share their own health data.

“APIs have the potential to remove many barriers to the sharing of health information between providers, patients, and others but they are fairly new to health care,” wrote the blog post’s authors, including Commonwealth Fund Senior Vice President for Policy and Research Eric Schneider, MD, MSc. “In addition, not all types of APIs are equal when it comes to sharing digital health information. Some restrictive APIs could even be used instead to block patients from accessing their health information.”

The authors added that the HITECH Act, MACRA, and the 21st Century Cures Act (if it is signed) are all helping to push the idea of APIs forward.

“The certification program incentivizes the exchange of interoperable information between EHRs and other health IT systems such as apps, pharmacy systems, or laboratories,” they explained. “APIs for EHRs must include features such as identity authentication and must enable secure exchange of digital health data in a form that can be read and used by other computers the way a shopping order from one computer can be verified by another.”

If consumers are given greater access to their data and how it is shared, it could make it easier for them to move among providers, help providers coordinate care across settings, and promote innovation for new health apps, devices, and services, the post stated.

However, there are still some steps that must be taken to foster further API growth in healthcare:

  • Congress has encouraged the use of openly accessible APIs for patient health data through the recently enacted 21st Century Cures legislation.
  • The Department of Health and Human Services (HHS) could use its authorities under previous legislation (HITECH and MACRA) and through 21st Century Cures to update its Health IT Certification Program to include consumer access to openly accessible APIs.
  • HHS and/or Congress could fund development of open-source, standards-based APIs for EHR technologies through standards development organizations or groups of industry representatives.

The private sector must also take the initiative in certain areas, such as providing purchasing tools to help health providers procure openly accessible APIs and investing in “continued development of open-source API technologies through industry groups such as standards development organizations.”

“If policymakers, delivery system leaders, and consumer advocates encourage the use of open APIs in health care now, they will clear a path for innovative uses of electronic health data that serve the needs of patients, thereby improving the quality and affordability of health care,” the authors concluded.

As previously mentioned, though, health data security concerns often arise in API discussions. An API Task Force was also established by the Health IT Policy and Standards Committee, and the Task Force released an April report addressing those concerns.

"There are fears that APIs may open new security vulnerabilities, with apps accessing patient records 'for evil', and without receiving proper patient authorization," the report read. "There are also fears that APIs could provide a possible 'fire hose' of data, as opposed to the 'one sip at a time' access that a web site or email interface may provide."

However, the Task Force said that such concerns are unfounded. Well-managed APIs can provide superior security compared to "ad-hoc interfaces or proprietary integration technology" already in use.

"While access to health data via APIs does require additional considerations and regulatory compliance needs, we believe existing standards, infrastructure and identity proofing processes are adequate to support patient-directed access via APIs today," the Task Force said.
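The two fears the Task Force report quotes, apps reading records without the patient's authorization and an API turning into a "fire hose", are exactly what a well-managed API's access layer is built to address. The following is an added illustration, not code from the article, the Commonwealth Fund post or the Task Force, of the minimal checks such a layer makes on every read: the access token must have been granted by the patient whose record is requested, must carry a scope for that resource type, must not be expired, and the app is metered so it can only take "one sip at a time". The token fields, scope naming and limits are assumptions chosen for the example, not any real EHR vendor's API.

```python
"""Added example: a patient-directed authorization gate for a health-data API.

Not the article's or any vendor's code. Token layout, scope names and the
rate limit are illustrative assumptions.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class AccessToken:
    """What the API knows about the calling app after the patient authorized it."""
    app_id: str           # the third-party app holding the token
    patient_id: str       # the patient who granted access (assumed claim name)
    scopes: frozenset     # e.g. {"patient/Observation.read"} (assumed format)
    expires_at: float     # unix seconds


@dataclass
class RateLimiter:
    """Sliding-window limit per app: the 'one sip at a time' control."""
    max_requests: int
    window_seconds: float
    _hits: dict = field(default_factory=dict)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()                     # forget hits outside the window
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def decide(token: AccessToken, patient_id: str, resource_type: str,
           now: float, limiter: RateLimiter) -> tuple:
    """Return (allowed, reason) for one read request.

    Checks run cheapest-and-most-decisive first; a denied request never
    consumes rate-limit budget, so the reasons stay distinct for auditing.
    """
    if now >= token.expires_at:
        return (False, "token expired")
    if token.patient_id != patient_id:
        # Patient-directed access: a token granted by patient A can never
        # read patient B's record, whatever scopes it carries.
        return (False, "token not granted for this patient")
    needed = f"patient/{resource_type}.read"
    if needed not in token.scopes:
        return (False, f"missing scope {needed}")
    if not limiter.allow(token.app_id, now):
        # Metering is the difference between a 'sip' and a 'fire hose'.
        return (False, "rate limit exceeded")
    return (True, "allow")


if __name__ == "__main__":
    # Constructed sample: one app authorized by patient "pat-A" for Observations.
    tok = AccessToken("app-1", "pat-A", frozenset({"patient/Observation.read"}), 1000.0)
    lim = RateLimiter(max_requests=3, window_seconds=60.0)
    for t in (100.0, 101.0, 102.0, 103.0):
        print(t, decide(tok, "pat-A", "Observation", t, lim))
    print(decide(tok, "pat-B", "Observation", 104.0, lim))
```

Every denial returns a distinct reason string; in a real deployment those reasons are what the audit log and detection rules key on, since a burst of "token not granted for this patient" denials from one app is the signal the Task Force's first fear describes.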
