Once an API touches protected health information (PHI), the Security Rule’s requirements for the security of electronic PHI come into effect. The use of APIs for interoperability, especially those used in electronic health records (EHR) systems, has to follow HIPAA standards to prevent unauthorized disclosures.
Federal policy adds a further consideration: the 21st Century Cures Act applies to APIs used in EHRs. It requires vendors to provide API access to patient data without special effort, widening the scope of what is accessible outside of traditional designated record sets.
As one study, ‘Updating HIPAA for the electronic medical record era’ puts it, “With advances in technology, patients increasingly expect to access their health information on their phones and computers seamlessly, whenever needed… The 1996 passage of HIPAA, modifications made by HITECH, and the recent 21st Century Cures Act promise to make patients’ health information available to them without special effort and at no cost.”
Another area where HIPAA applies to the use of APIs is when they are used to extend email security. APIs like Paubox's HIPAA compliant email offering provide protection for ePHI but still have to align with the standards set for compliance.
The uses of APIs in secure communications and EHRs
APIs are employed for secure email to allow controlled data exchanges that avoid risks like business email compromise (BEC) attacks. APIs augment email security by integrating multilayered validation, such as embedding sender attributes like MAC addresses. The approach addresses vulnerabilities in standard antivirus and antimalware tools that struggle with emerging threats by providing an additional authentication layer tailored for resource-strapped environments.
For EHRs, APIs allow interoperability by supporting read and write capabilities. This allows for secure sharing of patient data from EHRs to external sites or software. The chapter ‘Hospital Use of APIs to Enable Data Sharing Between EHRs and Apps’ makes this expectation explicit: “The 2020 ONC Cures Act Final Rule implements provisions of the 21st Century Cures Act to require secure access to patient health information through application programming interfaces (APIs), with the goal that more patients would be able to access and engage with their health information through software applications (apps). These requirements include a new ONC Health IT Certification Program Standardized API criterion that went into effect at the end of 2022.”
FHIR-based APIs map native EHR data to standardized resources so that data integrity is preserved during transmission and incorporation into clinical databases. Hospitals also widely adopt APIs for patient-facing apps that grant access to EHR data or allow data submission.
Where and how HIPAA applies
Handling ePHI means that HIPAA applies to APIs. This means each safeguard has to apply to the transmission pathway of the data. Administrative safeguards require a documented risk analysis and workforce access controls before APIs expose functions to third-party tools. Physical safeguards extend to the facilities and servers hosting API gateways, and technical safeguards require encryption, audit logging, and integrity controls across every transaction.
FHIR-based interoperability requires that covered entities not create information blocking barriers under the Cures Act. API-mediated exchanges also invoke HIPAA's boundary rules. When PHI is transmitted from a covered entity's EHR through a patient-facing app, a business associate agreement is required if the recipient handles ePHI on behalf of the covered entity.
The study ‘Privacy protections to encourage use of health-relevant digital data in a learning health system’ captures the broader tension driving these rules: “Moving toward a rapid learning system to solve intractable problems in health demands a balance between protecting patients and making data available to improve health and health care. Public concerns in the U.S. about privacy and the potential for unethical or harmful uses of this data, if not proactively addressed, could upset this balance.” The policy environment reflects this tension. As APIs become the default mechanism for transmitting health information, the legal responsibilities attached to them expand in parallel.
The study notes, “An analysis of 10 apps…found they transmitted data on user activities in the app to 70 different third parties.” This illustrates how swiftly PHI leaves HIPAA’s protection once data goes into consumer tools. Any API vulnerability that results in an unauthorized disclosure triggers breach-notification duties, including notifying affected individuals and HHS within 60 days for large incidents.
Once the PHI enters a consumer app chosen solely by the patient, oversight goes to the FTC, but covered entities remain responsible for securing the transmission. Any vulnerabilities in the API layer that result in unauthorized disclosure trigger Breach Notification Rule obligations, including a 60-day reporting window to patients.
Common API-related HIPAA violations
API-related HIPAA violations surface most visibly when authentication, access governance, and endpoint security break down during ePHI exchange, and recent incidents show how quickly these weaknesses escalate. The July 2024 Life360 breach shows how exposed or poorly validated endpoints can leak sensitive, health-relevant information, with over 400,000 users affected due to improper API protections even outside a traditional clinical setting.
APIs, FHIR, and the Information Blocking Rules
APIs and FHIR sit at the center of the Information Blocking framework because the 21st Century Cures Act requires certified health IT to expose standardized, easily accessible API endpoints that give patients and apps uninterrupted access to their EHR data. Under the rule, healthcare providers, health IT developers, HIEs, and HINs cannot place obstacles in the way of accessing, exchanging, or using electronic health information.
Certified systems must provide SMART on FHIR–enabled interfaces for patient and population services, supporting granular read-write access to diagnoses, procedures, medication lists, and other EHI elements without demanding special effort from users or developers. Compliance has been mandatory since January 2023, closing the door on practices like non-standardized API designs, delayed response times, restrictive licensing terms, or discouraging third-party interoperability tools.
These behaviors qualify as information blocking unless a permitted exception applies, such as preventing harm, protecting privacy or security, or avoiding unreasonable costs. The result is a regulatory expectation that FHIR APIs function as open, consistent, and permissioned gateways that deliver EHI at the speed and completeness required for clinical care.
FAQs
Why do APIs require strong authentication controls?
APIs expose specific backend functions, which makes them targets for credential theft, token misuse, and endpoint probing. Strong authentication, such as OAuth 2.0, SMART on FHIR app launch, multi-factor controls, and short-lived access tokens, prevents unauthorized access to queryable PHI and stops attackers from harvesting data through automated calls.
How do rate limits protect API operations?
Rate limits restrict how many API requests a client can send within a time window.
Why is endpoint validation necessary?
APIs rely on endpoints to perform discrete actions. If endpoints are not validated, attackers can exploit undocumented or deprecated paths to access sensitive features.
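The three FAQ controls above (short-lived token authentication, rate limits, endpoint validation) plus the audit logging named under technical safeguards, applied together in one small FHIR gateway. This is an added example, not Paubox code or any EHR vendor's API; the tokens, client names, expiry times and the allowlist of resource paths are constructed for illustration, and the scope strings follow the SMART on FHIR `patient/<Resource>.<read|write>` convention.

```python
import time
from collections import defaultdict, deque

# Constructed sample data (not real tokens, clients or patients): each SMART on FHIR
# access token carries an expiry (Unix time) and the scopes it was granted.
TOKENS = {
    "tok-app1": {"client": "app-1", "exp": 1_700_000_600, "scopes": {"patient/Observation.read"}},
    "tok-stale": {"client": "app-2", "exp": 1_700_000_000, "scopes": {"patient/Observation.read"}},
}
ALLOWED_RESOURCES = {"Patient", "Observation", "MedicationRequest"}  # documented endpoints only
RATE_LIMIT, WINDOW_SECONDS = 5, 60                                 # per client, sliding window

class FhirGateway:
    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so the checks are testable
        self.history = defaultdict(deque)   # client -> timestamps of recent requests
        self.audit_log = []                 # technical safeguard: every decision is logged

    def _audit(self, client, path, status):
        self.audit_log.append({"ts": self.clock(), "client": client, "path": path, "status": status})
        return status

    def handle(self, token, method, path):
        """Return an HTTP status code for e.g. handle('tok-app1', 'GET', '/fhir/Observation')."""
        now = self.clock()
        info = TOKENS.get(token)
        client = info["client"] if info else "unknown"
        # 1. Authentication: unknown or expired tokens are rejected before any routing.
        if info is None or info["exp"] <= now:
            return self._audit(client, path, 401)
        # 2. Endpoint validation: only documented FHIR resource paths are routable,
        #    so deprecated or undocumented paths never reach backend functions.
        parts = path.strip("/").split("/")
        resource = parts[1].split("?")[0] if len(parts) > 1 and parts[0] == "fhir" else ""
        if resource not in ALLOWED_RESOURCES:
            return self._audit(client, path, 404)
        # 3. Authorization: the granted SMART scope must cover this resource and verb.
        verb = "read" if method in ("GET", "HEAD") else "write"
        granted = info["scopes"]
        if f"patient/{resource}.{verb}" not in granted and f"patient/{resource}.*" not in granted:
            return self._audit(client, path, 403)
        # 4. Rate limiting: count this client's requests inside the sliding window.
        recent = self.history[client]
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= RATE_LIMIT:
            return self._audit(client, path, 429)
        recent.append(now)
        return self._audit(client, path, 200)
```

Every branch writes an audit entry, so the log records the rejected probes (401/403/404/429) as well as the successful reads, which is what an investigation or a risk analysis will ask for.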