One of the most highly-debated issues in health IT circles the past few years has been over privacy concerns when patients share their health information with third-party app developers that are not covered under the Health Insurance Portability and Accountability Act (HIPAA). These apprehensions only picked up steam when the federal government finalized regulations earlier this year that will require healthcare providers to send medical information to third-party apps at the patient’s request.
The idea behind the government’s mandates is that once software developers publish application programming interfaces (APIs) and integrate them into their electronic health records (EHRs), consumers will be able to access and download their medical data to third-party apps of their choosing more easily. “App ecosystems have helped transformed many industries such as travel and shopping, and they can do the same in healthcare,” Don Rucker, M.D., the National Coordinator for Health IT, has previously stated.
At the same time, however, some provider groups and privacy advocates believe that without federal restrictions in place, consumer apps would be free to share or sell sensitive details such as a patient’s prescription drug history. One study, published last year in the National Library of Medicine (NLM), found that 79 percent of healthcare apps resell or share data, and there is no regulation requiring patient approval of this downstream use. Those who have expressed consumer privacy concerns often point to the Facebook–Cambridge Analytica data breach disclosed in 2018, when millions of Facebook users' personal data was harvested without consent by the consulting firm, predominantly to be used for political advertising.
A key argument on this side is that smartphone apps created by third-party developers and not by providers or business associates covered under HIPAA are not subject to HIPAA rules, even if a breach occurs. But some folks will counter that point by noting that even without HIPAA laws in place, there are still other rules that stakeholders must follow. One of those people is Lucia Savage, JD, the chief privacy and regulatory officer at digital healthcare company Omada Health. Savage, who knows a thing or two about health data privacy—having served the Obama Administration as chief privacy officer at the Office of the National Coordinator for Health IT (ONC)—notes in a recent interview with Healthcare Innovation that even if a patient requests that an entity sends his or her data to a third-party app that might be outside of HIPAA, that recipient organization is still not “rule-free.”
Savage explains that if that data hand-off is between two entities or people covered by HIPAA, then the recipient of that information—not the sender—must comply with HIPAA law. But if that recipient is outside the confines of HIPAA, even though those rules don’t apply, there are others that do, Savage importantly points out. “The debate [should be] around if the rules are strong enough, but it’s not like there are no rules at all,” she says. Savage offers of an example of a third-party app company that’s based in Mountain View, Calif.; that entity, though not covered by HIPAA, is still covered by the Federal Trade Commission Act and the California Consumer Privacy Act. “So there are a lot of rules that apply to that company and your transactions with them,” she says.
Savage believes that the different regulations can be confusing to physicians, who “are reasonably comfortable with what they think their rules are,” but can become skittish about other non-HIPAA regulations if they don’t have enough knowledge about them, and because they don’t have an underpinning of the Hippocratic Oath and the ethical considerations involved there. “You cannot prevent someone from filing a lawsuit,” Savage says.
The strategic goal of getting more digital technology into healthcare via API development has been a multi-year, multi-administration policy effort. Savage notes that it became necessary to help educate stakeholders, not only on the ongoing debate in Congress—what to do about the non-HIPAA domain—but also to help people understand how data hand-offs across the domain impact legal liability. But regardless of what the hand-off situation is—whether it’s HIPAA-to-HIPAA or HIPAA to non-HIPAA— the theme across those handoffs is that if the person who is handing it off and disclosing information the way they are supposed to, “it should literally just be a handoff and legally you shouldn’t be left holding the bag for some downstream actor’s malfeasance,” she says.
This takeaway was a core point made in a recent article authored by Lucia Savage and her husband Mark Savage, who is the director of health policy at UCSF’s Center for Digital Health Innovation. In their piece, which recently was published in the Journal of Medical Internet Research, they noted that doctors and health systems have voiced concern about whether they may transmit patients’ data to the patient or the patient’s health app when the patient so directs. However, the authors argued, the narrative really should be shifted to the fact that providers routinely and legally share health data electronically under HIPAA, whether or not their organizations retains HIPAA responsibility. Sharing with patients and patients’ third-party apps is consistent and should be just as routine, they stated.
Mark Savage, who works at a provider organization—one of the nation’s leading academic medical centers, in fact—says that leaders at UCSF Health recognize the importance in doctors sharing information with patients, as it makes for better care coordination, and results in better outcomes. However, knowing that some providers don’t seem to understand as much as they should when it comes to the rules and regulations around health data privacy, Savage began working with his wife to figure out a way to help explain that these kinds of exchanges are just the same as doctors have always been doing. Importantly, they write in their piece, “Sharing with patients and patients’ third-party apps is consistent and should be just as routine, just as banks routinely transmit account information to customers and their smartphone and third-party apps, such as Venmo. To be precise, there is one difference. Doctors’ sharing with others for purposes of treatment, payment, and operations is permitted under the [HIPAA] Privacy Rule, but doctors’ sharing with patients and patients’ third-party apps upon patients’ request is required by law.”
Indeed, the rules from ONC and the Centers for Medicare & Medicaid Services (CMS) are designed to promote a patient-centric environment, one in which consumers control their data and can more easily manage their health. One means to achieving that end is to require health systems, via their EHRs, to send patient data to any app requested by the patient. Some industry stakeholders have urged the government to delay the date that providers must start complying with these rules—particularly with the pandemic overburdening patient care organizations—but UCSF’s Savage says that his health system’s CEO has told Health and Human Services Secretary Alex Azar that delays would be detrimental to the cause.
“One of the nation’s leading health systems is saying we need to be creating the interoperability that FHIR-based APIs provide, and we need to set it up so that providers and patients have access to data,” UCSF’s Savage says. When asked his thoughts on ONC’s Rucker commenting that it’s self-serving for providers, which may benefit financially from keeping patients and their data captive, to play up privacy concerns, Savage says that Rucker “was speaking to the ecosystem, and there are people resisting the exchange. But we’re not one of them; we’re trying to enable that exchange.”
Lucia Savage notes that if anything, the pandemic “has taught us that there is so much care we can supply if we can get the data to where the patient is instead of making the patient come to the data. That’s hard for hospital executives to wrap their heads around, but there are effective, collaborative, value-based ways to supply good care, get paid for it fairly, and satisfy your consumer using digital tools. And that means you need to let the data go.”
What the future has in store
One key question going forward is if third-party apps are clear enough in how they provide patients with unambiguous terms of how their data will be used. Folks have previously expressed concerns over apps’ lengthy agreements that few people actually read, meaning it’s easy for patients to unknowingly give permission to the app, leading to the possibility their health data could be sold.
UCSF’s Savage previously served on ONC’s Consumer Task Force as well as the department’s Health IT Policy Committee, and notes that work has been done to design a Model Privacy Notice, designed to help developers clearly convey information about their privacy and security policies to their users. “There was significant room for improvement about the standardization of terms, making sure everyone is disclosing the core things that patients really do want to know, and disclosing them in a way that patients do understand,” he says, acknowledging that privacy agreements can often be complex for users to understand. “There’s a [running] joke that patients are supposed to look at 11 pages of the [agreement] in about 10 seconds before seeing their doctor.”
Health literacy, referring to the level of competency an individual has in terms of being able to understand basic healthcare concepts, is another important element, the Savages say. Lucia Savage notes that there have now been up to 13 bills in Congress about the non-HIPAA privacy space. “Consistently found in those bills is plain language accounting for peoples’ likely literacy levels, and you also found more authority and more money for the FTC to do that work. They are the federal consumer protection agency, so the resources for education on this issue would rightfully go there,” she says, adding that historically, the FTC, Office for Civil Rights (OCR), and ONC have collaborated really well.
Indeed, every transaction between a healthcare professional and their patients involves explaining things that patients need to do to maintain or improve their health, and this is the core motivation behind needing a digital; health app ecosystem to succeed. “We know this is a challenge,” Lucia Savage admits. “People who are profoundly sick or are taking care of profoundly sick people are the ones who [have] the most [knowledge]. They are also the ones who need their data the most. If you have cancer, you need all your records. If you are a parent [of a sick child], you need this data for second opinions and to travel with you in case of medical emergencies. For those people, data [access] is crucial, and we’re seeing that already.”
