CIPP/US Study Guide
Chapter 8: Medical Privacy

Cures Act: API Portability and Other Privacy Provisions

The Cures Act requires certified health IT developers to publish APIs so patients can move EHI to apps of their choosing - raising the concern that data moving from HIPAA-covered providers to non-HIPAA apps loses protection. It also adds FOIA exemptions, remote PHI research review, NIH certificates of confidentiality, and compassionate-sharing guidance.

Under the Cures Act, certified health IT developers must publish APIs so patients can move their EHI - for example, exporting data from a provider to a smartphone app of their choosing.

From HIPAA to non-HIPAA

Traditional providers are HIPAA covered entities; most smartphone apps are outside HIPAA and are instead subject to FTC unfair/deceptive-practice enforcement, often with weaker privacy notices. A proposed safeguard is clear notice when EHI leaves HIPAA protection.

  • Individual biomedical research information may be exempted from FOIA disclosure where it could reveal identity
  • Researchers may remotely view PHI with safeguards consistent with HIPAA
  • NIH must issue certificates of confidentiality for federally funded research (and may for non-federally funded)
  • HHS must issue guidance on compassionate sharing of mental health or substance abuse treatment with family or caregivers

Key terms - quick answers

What is “API (Cures Act)”?
Application programming interface that certified health IT developers must publish so patients can access, exchange, and use their EHI without special effort.
What is “Certificate of confidentiality”?
An NIH-issued protection ensuring research material cannot be used in legal or administrative proceedings without the participant's consent.