Added Language. Note that this is not “regulating” or constraining the app in any way or preventing an app user from obtaining their EHI (including in the instance that an app attests in the negative). Rather, it is simply asking the app to say “yes” or “no” regarding its privacy practices so that the responses can be passed along to the patient, providing transparency for the patient regarding how the app may use the patient’s health data. We are happy to provide additional information about this concept.

Proposed Wording:

14. It is strongly recommended that implementers coordinate utilization of UDAP dynamic client registration with their organization’s legal and compliance office. The use of third-party certification or endorsement does not guarantee Client Apps have provided sufficient notice to end users (e.g., patients) about the security or privacy utilized to protect their data. For instance, organizations may wish to establish processes where they notify a patient, call to a patient’s attention, or display in advance (as part of the app authorization process with certified API technology) whether the third-party developer of the app that the patient is about to authorize to receive their electronic health information (EHI) has attested in the positive or negative as to whether the third party’s privacy policy and practices (including security practices) meet certain “best practices” set by the market for privacy policies and practices. The Office of the National Coordinator for Health IT (ONC) recognizes this process as a recommended method to establish the privacy policies and practices of third-party apps.