API PORTABILITY OF EHI Sample Clauses

API PORTABILITY OF EHI.

1. Contractor agrees that it has implemented the ability to export EHI data elements found in the current version of the U.S. Core Data for Interoperability (USCDI) using current API technology as required by applicable federal laws to participate in health information exchanges (HIEs) or health information networks (HINs). Vendor further agrees that the API technology meets the following privacy and security considerations.

a. KEY PRIVACY CONSIDERATIONS

The following are key areas for privacy consideration when implementing APIs in healthcare:

1. Enable technology to provide for and respect individuals’ choices and/or preferences about the specific types of health information (e.g., medication lists, allergies) shared with the third party.
2. Provide methods for individuals to revoke permissions for sharing health information about them in a manner that is clear and easily accessible.
3. Develop organizational privacy policies that are consistent with the Privacy Principles and adequately address privacy risks.

b. KEY SECURITY CONSIDERATIONS

The following are key areas for security consideration when implementing APIs in healthcare:

1. Use Transport Layer Security (TLS) version 1.2 or higher with strong cipher suites (such as the Advanced Encryption Standard [AES] or higher) to protect health information in transit via the API from the electronic system to the third party.
2. Ensure that the API cannot be manipulated to unintentionally expose health information or system vulnerability information.
3. Develop technical and administrative policies to ensure verification of the identity of users and contributors prior to granting credentials for access to or contribution of health information.
4. Develop technical and administrative policies that describe how to issue credentials to individuals that will permit them to access health information about themselves.
5. Consider implementing risk-based authentication controls that flow from the organization’s security risk assessment and are commensurate with the type of data, the level of sensitivity of the information, and the user type.
6. Develop systems with technical authorization controls flexible enough to support individual privacy preferences and capable of limiting API access, use, or disclosure to what is necessary to satisfy a particular purpose or carry out a function.
7. Evaluate any service provider’s infrastructure, security practices, and technical capabilities for hosting implementations of A...
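Security consideration 1 (TLS 1.2 or higher with strong cipher suites) is the one item in the clause that maps directly onto a server configuration, and it is also the one most often claimed on paper but not enforced. The following is an added example, not text or code from the sample clause or from any contractor or vendor: it uses Python's standard `ssl` module to build a server-side context for a health-data API that refuses anything below TLS 1.2 and offers only forward-secret AEAD suites (AES-GCM or ChaCha20-Poly1305), then audits the cipher list the context would actually negotiate. The function names, the `HARDENED_CIPHERS` string and the constructed legacy cipher entry are this example's own assumptions, not part of the clause.

```python
"""Hardened TLS server context for a health-data API, plus an audit of it.

Added example (not from the sample clause). Function names, cipher string and
the constructed LEGACY_CBC_CIPHER entry below are this example's own choices.
"""
import ssl

# OpenSSL cipher string for TLS 1.2: ECDHE key exchange (forward secrecy) with
# AEAD bulk ciphers only. TLS 1.3 suites are managed separately by OpenSSL and
# are all AEAD, so they pass the audit below as well.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"

# Bulk ciphers accepted as meeting "AES or higher": AES-GCM and ChaCha20-Poly1305.
STRONG_SYMMETRIC_PREFIXES = ("aes-128-gcm", "aes-256-gcm", "chacha20-poly1305")

# Constructed entry in the format returned by SSLContext.get_ciphers() for a
# legacy CBC suite (TLS_RSA_WITH_AES_128_CBC_SHA); used only to show what the
# audit flags. Not taken from any real deployment.
LEGACY_CBC_CIPHER = {
    "name": "AES128-SHA", "protocol": "SSLv3", "aead": False,
    "symmetric": "aes-128-cbc", "digest": "sha1",
    "kea": "kx-rsa", "auth": "auth-rsa",
}


def make_api_server_context(certfile=None, keyfile=None):
    """Return a server-side SSLContext that enforces TLS >= 1.2 and strong suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects SSLv3, TLS 1.0 and 1.1
    ctx.set_ciphers(HARDENED_CIPHERS)              # raises SSLError if none available
    ctx.options |= ssl.OP_NO_COMPRESSION           # avoid CRIME-style compression leaks
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)     # real deployment: server cert + key
    return ctx


def cipher_findings(cipher):
    """Return the reasons one cipher (dict as from get_ciphers()) is weak; [] if fine."""
    reasons = []
    if not cipher.get("aead"):
        reasons.append("not AEAD (CBC cipher with separate MAC)")
    sym = (cipher.get("symmetric") or "").lower()
    if not sym.startswith(STRONG_SYMMETRIC_PREFIXES):
        reasons.append(f"bulk cipher {sym or 'unknown'} is not AES-GCM or ChaCha20-Poly1305")
    if cipher.get("kea") == "kx-rsa":
        reasons.append("static RSA key exchange (no forward secrecy)")
    return reasons


def audit_context(ctx):
    """Map each offending cipher name (or '<protocol>') to its findings; {} means compliant."""
    findings = {}
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings["<protocol>"] = ["minimum protocol version below TLS 1.2"]
    for cipher in ctx.get_ciphers():
        reasons = cipher_findings(cipher)
        if reasons:
            findings[cipher["name"]] = reasons
    return findings


if __name__ == "__main__":
    hardened = make_api_server_context()
    print("minimum version:", hardened.minimum_version.name)
    print("hardened context findings:", audit_context(hardened))
    print("legacy CBC suite findings:", cipher_findings(LEGACY_CBC_CIPHER))
```

`audit_context` inspects what the context would offer rather than what a single handshake happened to pick, which is the question a contract reviewer actually needs answered; the same `cipher_findings` check can be run over the output of `openssl ciphers -v` on a server you do not control. Loading a certificate chain is left to the caller so the block runs without key material.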