Maintaining HIPAA and PHIPA compliance while building an integration with OnCall Health's API

HIPAA and PHIPA compliance are major features of OnCall Health. Our platform uses a variety of technical processes (including end-to-end encryption, which you can read about here) for this purpose.

When building an integration, it's important that you take steps to avoid exposing protected health information (PHI) in non-compliant ways while extracting it through our public application programming interface (API).

Keep reading for some best practices in this regard.

Using your OnCall Health private API key securely

OnCall Health's API uses private keys for authentication. Each private key is unique to a healthcare organization. Anyone with access to your organization's private key can make GET requests that retrieve potentially sensitive data.

It's therefore imperative that you be selective regarding how you share this private key – and with whom you share it.

Tip #1: Use environment variables

Never place your organization's private key directly in source code. Instead, use environment variables.

For example, here's how you might form an API request to retrieve appointments from OnCall Health using environment variables.

import os

url = "https://api.oncallhealth.ca/appointments/"

headers = {
    "Accept": "application/json",
    # The key is read from the ONCALL_KEY environment variable at runtime,
    # so it never appears in source control.
    "Authorization": os.environ.get('ONCALL_KEY')
}

When your application executes this code and reaches os.environ.get('ONCALL_KEY'), it looks up an environment variable named ONCALL_KEY and substitutes its value at runtime.

Importantly, anyone reading your source code would see os.environ.get('ONCALL_KEY') rather than your organization's actual private key.

Only users capable of accessing environment variables would be able to see your private key. This is much easier and more practical to control.

Environment variables exist in most development frameworks.
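The request above, extended into a small helper that fails closed when ONCALL_KEY is unset, keeps only a redacted form of the key for logging, and trims retrieved records to the fields an integration actually needs. This is an added example, not OnCall Health's own client code; the MINIMAL_FIELDS names are assumed, since the appointment schema is not documented here.

```python
import os
import urllib.request

# Endpoint from the article above.
ONCALL_API = "https://api.oncallhealth.ca/appointments/"


def load_private_key(env=None):
    """Read the organization's private key from the environment.

    Fails closed: a missing or blank ONCALL_KEY raises instead of silently
    sending a request with an empty Authorization header.
    """
    env = os.environ if env is None else env
    key = (env.get("ONCALL_KEY") or "").strip()
    if not key:
        raise RuntimeError("ONCALL_KEY is not set; refusing to call the OnCall Health API")
    return key


def redact(key):
    """Return the only form of the key that should ever reach a log line."""
    return "****" + key[-4:] if len(key) > 4 else "****"


def build_request(key, url=ONCALL_API):
    """Build the GET request from the article; the key lives only in the header."""
    return urllib.request.Request(
        url,
        headers={"Accept": "application/json", "Authorization": key},
        method="GET",
    )


# Assumed field names: keep only what the downstream system needs (single
# source of truth), dropping free-text fields that may carry PHI.
MINIMAL_FIELDS = ("id", "start", "end")


def minimize(appointment, fields=MINIMAL_FIELDS):
    """Project one retrieved record onto the minimal field set."""
    return {k: appointment[k] for k in fields if k in appointment}


if __name__ == "__main__":
    key = load_private_key()
    print("using key", redact(key))
    with urllib.request.urlopen(build_request(key)) as resp:
        print(resp.status)
```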

Tip #2: Share your private key using healthcare compliant methods

While environment variables are very useful, you may still occasionally need to share your organization's private key with colleagues.

You can maintain healthcare compliance by ensuring this exchange happens over a secure means of communication (e.g. OnCall Health's instant messaging feature). Some password management tools also claim HIPAA and PHIPA compliance for the purpose of sharing credentials that grant access to protected health information (PHI).

Tip #3: Vet platforms thoroughly to ensure healthcare compliance before placing your OnCall Health private key in them

Before using your OnCall Health private key, ensure the platform you're entering it on is HIPAA compliant. Many workflow automation tools (e.g. Zapier) do not claim HIPAA or PHIPA compliance and consequently aren't suitable places to store your OnCall Health private key.

Tip #4: Notify your Customer Success Manager immediately if your private key is exposed

If you suspect your OnCall Health private key has been exposed on a non-HIPAA or PHIPA compliant platform, contact your Customer Success Manager immediately. They can verify a new private key for you and loop in our technical team to check OnCall Health's logs and determine whether any PHI was accessed.

Ensuring healthcare compliance while using data retrieved from OnCall Health's API

Tip #1: Only store PHI in compliant applications

You should never transfer PHI from OnCall Health to applications that do not explicitly claim HIPAA compliance (which includes Google Suite applications unless specific precautions are taken). Rather, our API is intended to facilitate integrations between OnCall Health and healthcare compliant applications such as electronic medical record (EMR) and electronic health record (EHR) systems.

Tip #2: Audit your systems regularly to ensure they maintain healthcare compliance

HIPAA and PHIPA compliance are not static. They need to be maintained through regular third-party audits. Ensure each software vendor you integrate with OnCall Health maintains compliance.

Tip #3: Maintain a single source of truth when possible

As part of an integration, data will inevitably live in multiple systems. You can greatly reduce compliance risk, however, by reducing surface area as much as possible. In other words, maintain a single source of truth and limit the amount of data that lives in multiple systems.

For example, OnCall Health doesn't need to store exact copies of all data in your EMR (and vice versa). Being strategic about which data gets transferred will benefit you both from a compliance standpoint and from the standpoint of ensuring your integration stays scalable.

Conclusion

Healthcare compliance is a big part of what we do at OnCall Health. We hope this guide has been helpful in providing you some best practices for building an integration between OnCall Health and other systems in your tech stack.