A Guide to HIPAA Compliance When Using Third-Party APIs

Hoss@Hossapp /

Data Privacy Compliance Series: What Engineering and IT Leaders Need to Know

A Guide to HIPAA Compliance When Using Third-Party APIs

If your business processes any kind of protected health information and uses third-party APIs, it’s important to be aware of the data privacy and compliance requirements you’ll need to meet under HIPAA. As an engineering or IT leader, understanding HIPAA will help you develop the right privacy and security protocols to keep your customers’ or patients’ data secure and stay compliant.


The Health Insurance Portability and Accountability Act (HIPAA) is designed to give patients more control over their own health data and enforces limits on how that data can be shared with others.

What It Protects

HIPAA covers “protected health information” (or “PHI”), which includes any health data that is attached to some kind of personal identifier like a name, contact information, social security number, photos, fingerprints or geographical identifiers. Anonymized health data with no personal identifiers attached to it does not have to be HIPAA compliant.

Why It Matters to You If You’re Consuming APIs

Any company that comes in contact with a person’s protected health information – like a health plan, healthcare provider or healthcare clearinghouse - is required to develop HIPAA-compliant policies to protect that data. Further, protected health information can only be shared between parties that are HIPAA compliant - this includes third parties like APIs that might store or transmit protected health information on a company’s behalf. So, if your company deals with health data, you’ll need to be HIPAA-compliant and if it shares any of that data with third parties, you’ll need to make sure those parties are HIPAA-compliant, too.

Fines for HIPAA violations can be up to $1.5 million per year depending on the level of negligence involved in the violation.

What You Need to Provide for Your Customers

Privacy. Under HIPAA, protected health information can only be shared with entities that are HIPAA-covered and necessary for providing patient care (like other healthcare providers, payers or pharmacies) or those specifically requested or authorized by the customer or patient. Patients or customers also have the right to request copies of their health information and make corrections.Security. HIPAA requires that you’re able to assure your customer or patients that data is confidential and protected against reasonably anticipated threats to security.

What HIPAA Requires of Your Business

According to HIPAA, protected health information can only be shared between HIPAA-covered entities (like between your healthcare provider and your health plan, for example) unless expressly requested or authorized by the patient. Any third-party services like consultants, apps or APIs need to be specifically classified as a HIPAA-covered “business associate” before any protected health information can be shared with them. So, you’ll need to put a business associate contract in place with any third-party APIs you may use before you’re able to share any protected health information with them.

HIPAA also requires that you provide customers or patients with copies of their health information and a record of where the information has been shared if they request it. You’re also required to implement security standards to safeguard protected health information and conduct regular risk assessments and audits to ensure security.

Finally, in the event of a data breach, you’re required to notify the Department of Health and Human services within 60 days of the breach discovery. If the breach affects more than 500 people in a certain area, you’ll also be required to notify a prominent media outlet that serves that area.

Three Things You’ll Need to (Easily) Comply with HIPAA

  1. Visibility. Make sure you’re aware of all the protected health information your company has collected and where it has been shared. Keeping this record will allow you to quickly provide records to patients or customers who request them and help you ensure that data is only being shared with HIPAA-covered entities (for example, third-party APIs that have been formally designated as “business associates”).
  2. Data Policy Controls. Keep track of which entities are authorized to receive which data under HIPAA and automatically prevent non-authorized entities from receiving HIPAA-covered data to avoid any violations.

3.Monitoring. Develop a system for real-time monitoring so you can be notified immediately if protected health information is shared with a third party that is not HIPAA-covered. This will both help you quickly rectify mistakes and notify health authorities if necessary.

Hoss lets you track, tag and monitor all of your data processing activities with third-party APIs to help you protect your customers’ privacy and stay compliant with the CCPA as simply as possible. Get in touch to learn more.

Subscribe to Hoss ModeA weekly newsletter with curated articles, community discussions, news and trends.

3 Things You Must Do When Calling Third-Party APIs

Read more
Many APIs enforce rate limits or quotas, which often go unnoticed while call volumes are low in development, but appear unexpectedly after going into production. Having visibility into the number of calls is also important to keep an eye on the health of the system. If calls drop to zero or suddenly spike, it could be an indication of a problem elsewhere that needs to be addressed.
If your business is using third-party APIs, you could face some unique data privacy and compliance challenges under the new CCPA law. As an engineering or IT leader, understanding those challenges is a critical first step to implementing proactive approaches to protect your customers’ privacy.
Back to blog

Copyright © Hoss Technologies, Inc. 2021 - All rights reserved. Terms of Service & Privacy Policy