It was fascinating to read an article in the New York Times earlier this month on the disconnect in ideologies between the federal government and healthcare providers over patients’ medical data and the ability to share it with third-party apps.
The piece, written by technology reporter Natasha Singer, outlined each of the two perspectives on the issue: on one side, the Department of Health and Human Services (HHS)—via proposed rules on interoperability and patient data access that dropped earlier this year—wanting to require healthcare providers to send medical information to third-party apps, like Apple’s Health Records, after a patient has approved the data exchange; and on the other side, various industry association groups representing providers, cautioning regulators that “people who authorized consumer apps to retrieve their medical records could open themselves up to serious data abuses.”
Indeed, in the government’s proposals, federal healthcare officials believe that by requiring software developers to publish application programming interfaces (APIs) and integrate them into their electronic health records (EHRs), consumers can more easily access and download their medical data to third-party apps of their choosing. “App ecosystems have helped transform many industries such as travel and shopping, and they can do the same in healthcare,” Don Rucker, M.D., the National Coordinator for Health IT, has previously stated.
As Singer wrote in her piece, the American Medical Association (AMA), the American Hospital Association (AHA), and other groups “said they had recently met with health regulators to push for changes to the rules. Without federal restrictions in place, the groups argued, consumer apps would be free to share or sell sensitive details like a patient’s prescription drug history. And some warned that the spread of such personal medical information could lead to higher insurance rates or job discrimination.”
Singer spoke to Jesse M. Ehrenfeld, M.D., an anesthesiologist who is the chair of the AMA’s board, who said, “Patients simply may not realize that their genetic, reproductive health, substance abuse disorder, mental health information can be used in ways that could ultimately limit their access to health insurance, life insurance or even be disclosed to their employers.”
But on the other side is the federal government, which believes that people with convenient access to their medical data can in turn more easily “manage their health, seek second opinions and understand medical costs,” as Singer wrote.
Rucker further told Singer that the idea was to treat medicine as a consumer service, so people can shop for doctors and insurers on their smartphones as easily as they pay bills, check bus schedules or buy plane tickets. “This is major, major, major,” Rucker said to the NYT. “The provision of healthcare will be brought into the app economy and, through that, to a much, much higher degree of patient control.”
But many providers feel differently, with concerns over privacy of the data as the core reason why. Importantly, smartphone apps created by third-party developers and not by providers or business associates covered under the Health Insurance Portability and Accountability Act (HIPAA) are not subject to HIPAA rules, even if a breach occurs.
In its comments to the government on the proposed rules, the AMA said it has “serious concerns with apps being provided equal protections and benefits with those of patients. Concerningly, apps frequently do not provide patients with clear terms of how that data will be used—licensing patients’ data for marketing purposes, leasing or lending aggregated personal information to third parties, or outright selling it.”
The AMA referred to a Wall Street Journal report that the association believed “exposed just how much is at stake when patients share their personal health information with apps. Several apps were sharing users’ personal health information using Facebook’s technology.” The group further noted a study published in the Journal of the American Medical Association (JAMA) which found that many health apps created to track a user’s progress in battling depression or quitting smoking are sharing the personal details they collect about an individual with third parties—like Google and Facebook—without the individual’s knowledge or informed consent.
In short, “The AMA believes that patients who trust their health systems to protect their data will likely receive better outcomes,” the association wrote in its comments, additionally stating that there’s a lack of user awareness and education about privacy and security protections. “What is ONC’s plan to educate patients about health data privacy and address this key gap?” the AMA asked.
To this point, Brett Meeks, vice president of policy and legal for the Center for Medical Interoperability, told the NYT that “it would be better for regulators to help foster a trustworthy data-sharing platform before requiring doctors to entrust patients’ medical records to consumer tech platforms.” Meeks continued, “Facebook, Google and others are currently under scrutiny for being poor stewards of consumer data. Why would you carte blanche hand them your health data on top of it so they could do whatever they want with it?”
Rucker, however, told the NYT that it’s “self-serving for physicians and hospitals, which may benefit financially from keeping patients and their data captive, to play up privacy concerns.” He added, “All we’re saying is that patients have a right to choose as opposed to the right being denied them by the forces of paternalism.”
One third-party app patients could turn to is Apple’s Health Records platform, which launched in January 2018 and is already live at hundreds of hospitals and clinics. The tool allows patients who visit participating providers to access their health data on the iPhone Health app. Apple is not known as a healthcare company, though it certainly knows consumers as well as anybody and has earned their trust as a result.
Ideally, Rucker told the NYT, patients will pick apps “they trust from brand names they trust in exactly the same way that people don’t let their banking data and their financial data just go out randomly.” Recently, a group of healthcare and technology organizations announced it was leading a similar initiative that will aim to create an open-source system so that Android phone users can access and share their digital health data.
Rucker, despite being steadfast in his belief that modern APIs will transform healthcare just as they have transformed business after business before it, has acknowledged that because third-party developers are not HIPAA-regulated, patients who offer up their data to these companies don’t have protections. “It’s a real and major issue, and patients have to make conscious decisions on if they want their data to be downloaded to the [third-party] app,” he said at a Congressional hearing earlier this year.
So, how will all this play out going forward? To be frank, Rucker is probably right in that providers’ outcries are a bit self-serving, but that doesn’t mean they don’t have a point. The privacy issues here are very much real, even if they aren’t expressed with the most authentic intent.
But, ultimately, similar to how we make choices with many other technology platforms, I feel that individuals ought to be the ones who decide if the upside of sharing their data with a third-party app outweighs the potential risks. At the same time, there’s no reason why there can’t be stricter regulation of those companies that commercialize consumer data, especially given how healthcare information is uniquely sensitive.
In the end, it appears likely that HHS’ proposed rules will get finalized in the coming months, meaning it’s quite possible this back-and-forth between stakeholders and the feds will only ramp up.