EXECUTIVE SUMMARY
This document describes key considerations for implementing and managing application programming interfaces (APIs) in healthcare with respect to the privacy and security of health information (e.g., electronic protected health information (ePHI)). These considerations were developed as a result of testing and assessing a volunteer subset of the implementations of the Sync for Science (S4S) API in accordance with applicable Precision Medicine Initiative (PMI) Privacy and Trust Principles (PMI Privacy Principles) and the PMI Data Security Policy Principles and Framework (PMI Security Principles).
Special publications from the National Institute of Standards and Technology (NIST) also served as a basis for the assessment criteria applied to the participating S4S pilot organizations. Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) must implement appropriate privacy protections and data security safeguards in their environments and, in particular, comply with the HIPAA Privacy and Security Rules. The PMI Privacy and Security Principles are consistent with HIPAA and can help bolster an entity’s privacy and security posture.
APIs in healthcare can enable individuals (e.g., patients or their personal representatives) to request that a healthcare provider’s electronic health record (EHR) system send health information about them to a specified third party, such as a research application (app). Organizations implementing such APIs can use the considerations below to help ensure the privacy and security of health information, with the appropriate safeguards in mind.