3rd Party App Vetting
For customers where we are handling the developer registration process for Patient Access APIs, we review and vet apps as described below.

1upHealth Vetting

For our Patient Access customers we review and vet 3rd party apps as a centrally managed service. 1upHealth has years of in-depth experience working directly with hundreds of healthcare 3rd party apps, and through its participation in the CARIN Alliance, Da Vinci, and other industry initiatives. The vetting criteria presented below are common across all our customers, and we will review requests for additional criteria on a case-by-case basis.
Apps that present active security threats, or that misuse or abuse our APIs, will have their access revoked and be blocked from API access until a thorough review is completed.
We will only approve apps for production access that have demonstrated their ability to interact with and consume R4 FHIR APIs in our independent sandbox environment, and that have completed the privacy and security questions below.

CMS Guidance for App Vetting

    All State and Federal laws take precedence
    Covered entities are not responsible under the HIPAA Rules for the security of PHI once it has been received by a third-party application chosen by an individual (84 FR 7621 through 7622)
    If an app has a written privacy policy and does not follow the policies as written, the FTC has authority to intervene
    The only reason a payer can deny an app access to their API is if they determine that app would pose a security threat to the PHI on their system (per HIPAA related security protocols, see automated monitoring on next slide, and 45 CFR Part 164, Subpart C)
    Payers can request security and privacy attestations from the app (including provisions like easy to find and readable policy, clear definition of secondary uses of data, clear policy on how to end a relationship between patient and app, etc.)
    If the app doesn't attest, the payer can inform the patient and he or she can choose to change their mind. Ultimately it’s the patient’s decision to make
    It’s up to the health plan to enable members to make informed decisions

3rd Party App Registration Process

1upHealth provides the following app registration and vetting process on behalf of our customers. This process is used uniformly across our customer base, and across apps requesting access to our CMS Patient Access Payer APIs.

App Vetting Information

App Information

Criteria | Required? | Type
App Name Displayed to User | Yes | Text
Company Name | Yes | Text
Support Email | Yes | Text
Contact Email for 1up Coordination | Yes | Text
Link to App | Yes | Hyperlink
Link to Company Website | Yes | Hyperlink
Short App Description (max 150 characters) | Yes | Text
Long Description (350 to 1000 characters) | Yes | Text
CARIN Code of Conduct | No | File upload
Square App Logo | Yes | File upload
Screenshots of App | No | File upload
FHIR Versions Supported (DSTU2, STU3, R4) | Yes | Multi-select
Selected Audience (Payers, Developers, Patient, Pharma, Provider) | Yes | Multi-select
App Categories (Clinical Trials, Care Coordination, Research, PopHealth Analytics, etc.) | Yes | Multi-select
Type of App (Payer R4 Claims Data, EHR Clinical Data Only) | Yes | Multi-select

Privacy and Security Attestations

Criteria | Required? | Type
Do your Privacy Notices comply with the ONC Model Privacy Notice (MPN), including your app's uses of consumer data, how you handle a data breach, etc.* | Yes | Yes/No
Do you ask users for their permission before sharing or selling their data with other entities? | Yes | Yes/No
If your application updates its privacy and data sharing policies, will you inform the user? | Yes | Yes/No
After a user revokes your access to their data, do you delete the user's historical data from your systems? | Yes | Yes/No
Will you inform users if there is a security breach of their data? | Yes | Yes/No
Will user data reside in the United States? | Yes | Yes/No
Do you use strong encryption at rest and in transit? | Yes | Yes/No
Do you perform regular security testing of your application and remediate discovered issues? | Yes | Yes/No
Does your application require the creation of strong passwords and/or multi-factor authentication? | Yes | Yes/No
Do you store the users' password/login credentials? | Yes | Yes/No
Has your application received third-party information security certifications (e.g. SOC 2/3, ISO 27001, PCI AOC, HITRUST)? | Yes | Yes/No
Do you secure your applications in accordance with the OWASP Top 10 Web Application Security Risks? | Yes | Yes/No
Please provide your company's privacy policy for review. The key items we look for are how you handle data breaches and how you notify your users should one occur. Review our Privacy Policy and HIPAA Compliance requirements for details on the expected language, including security incident handling and notification to all parties involved. | Yes | Hyperlink
Please provide your company's terms of service for review. You can also review our terms of service and HIPAA Compliance requirements. | Yes | Hyperlink