June 1, 2023
Patients have the opportunity to access their health information maintained by their payers using any of a variety of mobile or online apps. The CMS Patient Access and Interoperability rule of 2020 mandated that payers make access to these data available to app developers on behalf of patients as long as there is no threat to the payers’ systems, particularly to the privacy and security of the data made available to the apps. To facilitate this, payers are encouraged to implement an attestation framework that collects information about the data privacy and information security practices of the apps requesting to register and connect. While this self-attestation is a step in the right direction, payers are still left without validated assurance that the member data being accessed by any particular app is protected. Furthermore, because the attestation responses are made available to members, consumers must make an informed decision based solely on the unverified responses provided by the various app developers.
The CARIN app registration guide, by reference to the CARIN Code of Conduct, touches on the voluntary solution for these manual, unverified attestations: an independent third-party accreditation program for both apps and endpoints that audits both the organization and the API solution against industry-standard privacy and security operating and technical criteria. One such program, EHNAC’s TDRAAP accreditation, is a robust way for app developers and payers to voluntarily signal a strong security posture and protection of member privacy.
Accreditation is also required to support a trusted healthcare interoperability ecosystem that is both secure and dynamic. If both the app and endpoint are accredited, trust has already been established in advance, eliminating the need for every FHIR endpoint to independently verify and manually register every client application. With TDRAAP, healthcare organizations and app developers can use trusted digital certificates for endpoint identity, registration authentication, and attribute discovery for electronic healthcare transactions in real time. Endpoints can be registered and authenticated efficiently while maintaining a high level of technical standards and establishing trust and transparency for organizations and individuals to access data. The alternative is a lot less desirable: without TDRAAP, app developers and payers are left with the administrative overhead, lack of validation, and delays in app registration due to the lack of a trusted framework. Compare that to TDRAAP-accredited apps and endpoints: these have already been independently vetted for security and privacy. Third-party accreditation streamlines reproducible connections, making interoperability processes scalable and opening opportunities to automate.
EHNAC’s CARIN Code of Conduct Accreditation Program (“CCCAP”) complements interoperability implementations with independent, third-party accreditation of an organization’s attestation to the governing principles of the CARIN Code of Conduct. While accreditation is not a regulatory requirement, a voluntary accreditation program builds the experience that makes compliance more realistically achievable at whatever time regulators deem it appropriate to include accreditation in regulation. With accreditation at both the policy and implementation levels, participants in the interoperability landscape have a validated and efficient glidepath to trusted consumer health information exchange.
How ZeOmega Can Help
ZeOmega stands ready to support our payer clients in meeting the aggressive time frames specified by interoperability regulations. HealthUnity is the first interoperability solution to achieve TDRAAP accreditation and Drummond certification. Having both these credentials coupled with HITRUST certification separates HealthUnity from all other platforms on the market—proving it to be a leader for interoperability, security, functionality, and value.
To learn more, contact us at firstname.lastname@example.org or 214.618.9880.