Exposing patient health information through Application Programming Interfaces (APIs) is one of the most critical components of Stage 3 of the EHR Incentive Programs, and all providers will be required to comply with MU3 requirements by 2018. The APIs will improve patient engagement by making data accessible in an application of the patient's choice rather than only through the current patient-portal channel.
In compliance with the HIPAA Privacy and Security Rules, an API implementation that exposes sensitive PII/PHI must be properly protected in terms of authentication, authorization, auditing, message- and transport-level security, encryption, etc.
Some of the key requirements for the API interface are:
- Uniquely identify a patient and return an ID or other token that an application can use to execute subsequent requests for that patient's data.
- Allow a request for "all" of the patient's data, or for a specific data category, i.e. demographics, labs, procedures, medications, etc.
- Must include accompanying documentation that contains API syntax, function names, mandatory and optional parameters, methods and their returns, and terms of use.
- Documentation must be available via a publicly accessible hyperlink.
- Authentication, access control, authorization, auditable events and tamper resistance; a trusted connection; auditing of actions on health information.
Solution using IBM APIC:
- The APIC security policies jwt-validate or validate-usernametoken can uniquely identify a patient, and the JWT/OAuth token management on DataPower can return a token to the requesting client for use in subsequent requests.
- APIC is an integrated creation, runtime, management and security foundation for enterprise-grade APIs and microservices that power modern digital applications. Fine-grained services based on data category (demographics, lab results, etc.) can be built quickly with standards-based visual API specification creation in Swagger 2.0.
- APIC provides a customizable, self-service developer portal for publishing APIs. Through the portal, application developers can access APIs directly and take sample code snippets to call the APIs from their applications.
- The APIC self-service developer portal can be accessed publicly for API subscription and documentation.
- IBM APIC provides access control over APIs, API Plans and API Products. The API runtime environment, the API gateway (Micro Gateway or DataPower), acts as the Policy Enforcement Point and maintains security and control over the APIs. DataPower's AAA policy supports a variety of authentication/authorization formats: JWT, LTPA, SAML, WS-Security, OAuth, etc. DataPower should also be used to provide message-level security by encrypting/signing messages and transport-level security through SSL/TLS.