How to stay PHIPA and HIPAA compliant throughout your API integration

How to stay PHIPA and HIPAA compliant throughout your API integration

HIPAA and PHIPA compliance are major features of OnCall Health. Our platform uses a variety of technical processes (including end-to-end encryption, which you can read about here) for this purpose.

When building an integration, it’s important that you take steps to avoid exposing protected health information (PHI) in non-compliant ways while extracting it through our public application programming interface (API).

Keep reading for some best practices.

Tip #1: Use environment variables

Never place your organization’s private key directly in source code. Instead, use environment variables.

See here for an example on how you might form an API request to retrieve appointments from OnCall Health using environment variables. Only users capable of accessing environment variables would be able to see your private key. This is much easier and more practical to control.

Tip #2: Share your private key using healthcare compliant methods

While environment variables are very useful, you may still occasionally need to share your organization’s private key with colleagues.

You can maintain healthcare compliance by ensuring this exchange happens over a secure means of communication (i.e. OnCall Health’s instant messaging feature). Some password management tools also claim HIPAA and PHIPA compliance for the purpose of sharing credentials that grant access to protected healthcare information (PHI).

Tip #3: Vet platforms thoroughly to ensure healthcare compliance before placing your OnCall Health private key in them

Before using your OnCall Health private key, ensure the platform you’re entering it on is HIPAA compliant. Many workflow automation tools (i.e. Zapier) do not claim HIPAA or PHIPA compliance and consequently aren’t suitable places to store your OnCall Health private key.

Tip #4: Notify your Customer Success Manager immediately if your private key is exposed

If you suspect your OnCall Health private key has been exposed on a non-HIPAA or PHIPA compliant platform, contact your Customer Success Manager immediately. They can verify a new private key for you and loop in our technical team to check OnCall Health’s logs and determine whether any PHI was accessed.

Tip #5: Only store PHI in compliant applications

You should never transfer PHI from OnCall Health to applications that do not explicitly claim HIPAA compliance (which includes Google Suite applications unless specific precautions are taken). Rather, our API is intended to facilitate integrations between OnCall Health and healthcare compliant applications such as electronic medical record (EMR) and electronic health record (EHR) systems.

Tip #6: Audit your systems regularly to ensure they maintain healthcare compliance

HIPAA and PHIPA compliance are not static. They need to be maintained through regular third-party audits. Ensure each software vendor you integrate with OnCall Health maintains compliance.

 

Healthcare compliance is a big part of what we do at OnCall Health. We hope this guide has been helpful in providing you some best practices for building an integration between OnCall Health and other systems in your tech stack.