---
layout: post
title: >-
  Enabling A Patient's HIPAA Right To Access Their Personal Health Information (PHI) With APIs
image: >-
  http://kinlane-productions2.s3.amazonaws.com/api-evangelist-site/blog/DDOD-agency-icon-blog-feature-image-640x380-2016-01-22-2.jpg
tags:
  - Access
  - APIs
  - Personal
---

I am [reading through the API task force recommendations](https://www.healthit.gov/facas/sites/faca/files/SingleSourceofTruth-APITFRecommendations.pdf) out of the Office of the National Coordinator for Health Information Technology (ONC), which aim to help address privacy and security concerns around mandated API usage as part of the Common Clinical Data Set, Medicare, and Medicaid Electronic Health Records. The recommendations contain a wealth of valuable insights around healthcare APIs, but they are also full of patterns that we should be applying across other sectors of our society where APIs are making an impact. To help me work through the task force's recommendations, I will be blogging through many of the different concepts at play.

In addition to highlighting [the usage of "patient-directed APIs" that I wrote about earlier](http://apievangelist.com/2016/05/10/the-concept-of-patientdirected-apis/), and taking [a healthy stance on privacy and security when it comes to healthcare APIs](http://apievangelist.com/2016/05/10/a-healthy-stance-on-privacy-and-security-when-it-comes-to-healthcare-apis/), I wanted to separate out the conversation around a patient's right to access their own personal health information, and how APIs are being used as the enabler. Here is the chapter from the task force's recommendations:

_Many of the discussions within the task force centered around the notion that the patient directed app of our purview supports the patient’s HIPAA right to access his/her own PHI from a Covered Entity, as required under [HIPAA § 164.502](https://www.law.cornell.edu/cfr/text/45/164.502)._

_This could be characterized in several ways:_

1. _the individual requesting access to their information_
2. _an entity designated by the individual to receive a copy of PHI (as part of the individual exercising his/her right to access PHI)_
3. _the medium on which the individual requests that PHI be provided or transmitted as part of the individual exercising his/her right to obtain a copy of PHI_

_Alternatively, the patient directed app may also be characterized as a third party formerly authorized by the individual to receive PHI or a tool for engaging the individual in treatment. Each of these scenarios creates challenges when attempting to determine oversight of an app’s behavior; there is not one clear solution._

I am going to educate myself about _[HIPAA § 164.502](https://www.law.cornell.edu/cfr/text/45/164.502)_, and get to work understanding what other precedents exist, maybe with [FERPA](http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html) or [COPPA](https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions), or in other similarly regulated industries. I am just looking to understand where the lines are drawn when it comes to people having a "right to access" their data, especially when APIs are playing a central role, as they are with healthcare interoperability.

I have read the healthcare API task force recommendations several times now, but I am only a couple of pages in when it comes to cherry-picking ideas I want to consider more deeply, as well as index as part of my overall API industry research. So stay tuned for continued posts about how APIs are being used to drive patient-centered access to their healthcare data.