Skip to main content

New Federal Patient Health Data Sharing Rules: The Tradeoffs Between Access and Privacy Protections

In response to the rapid spread of the coronavirus pandemic, countries are harnessing smartphone location data, social media postings, and credit card purchase records to help trace the recent movements of coronavirus patients and establish virus transmission chains. Health authorities are understandably eager to employ every tool at their disposal to try to hinder spread of the virus. But the surveillance efforts threaten to alter the precarious balance between public safety and personal health privacy on a global scale.

Increased surveillance and health data disclosures have decreased patients’ ability to keep their health status private. In response to President Trump’s declaration of a nationwide emergency concerning COVID-19, the Department of Health and Human Services (HHS) has waived and modified parts of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The new waivers in HIPAA, the main federal law that protects health data, allow patient information to be shared to assist in nationwide public health emergencies and to assist patients in receiving the care they need.

These modifications to HIPAA come less than two weeks after the administration released two widely anticipated federal rules on health data sharing intended to give patients easier electronic access to their medical records and fuel a freer exchange of health data. Following a year of intense lobbying over the hotly contested proposed rules, the final rules were issued by two different agencies within the Department of Health and Human Services (HHS), the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS).

Read Next

What the New Rules Entail

The broad new rules will allow people for the first time to use apps of their choice to retrieve data like their blood test results, blood pressure measurements, and a myriad of other personal health data results directly from their health providers. Per HHS, the new system was intended to make it as easy for people to manage their health care on smartphones as it is for them to use apps to manage their finances. The new rules on patient access are part of a general push to make it easier to move patient data from one setting to another, known in the health IT industry as interoperability.

Although Americans have had the legal right to obtain a copy of their personal health information for two decades, many people face obstacles in getting that data from providers. Oftentimes, patients still must pick up computer disks — or even photocopies — of their records in person. Online portals at medical centers offer access to basic health data, such as blood work results, but often do not include information like doctors’ consultation notes that might help patients better understand their conditions and track their progress.

The main rule from ONC requires vendors of electronic health records to adopt software, known as application programming interfaces (APIs), to enable providers to send medical record data directly to patient-authorized apps. Physicians and medical centers are required to send a core set of medical data to third-party apps after a patient has authorized the health data exchange. The data may include intimate patient information such as lab test results and vital signs in addition to clinical notes about a patient’s surgeries, hospital stays, imaging tests and pathology results. A rule from CMS similarly requires Medicare and Medicaid plans to adopt APIs. Use of API software will enable patients to use apps to get their insurance claims and benefit information.

Health providers and electronic health record vendors have two years (the rules go into effect by 2022) to comply with the API requirements. Physicians and electronic health vendors who hamper such data-sharing – a practice called information blocking – could be subject to federal investigation and face large fines.

Implications of Access

Prominent organizations like the American Medical Association have warned that, without accompanying federal safeguards, the new rules could expose people who share their diagnoses and other intimate medical details with consumer apps to serious data abuses. Hospitals have been particularly critical, arguing in a statement that the rule “fails to protect consumers’ most sensitive information about their personal health.”

HIPAA applies to health care providers, health insurers, and third parties that work with them. These days, large technology firms are the third parties with whom hospitals share data. In recent nationally publicized examples, patient health information has been shared, and used for big data algorithms with outside technology companies. Additionally, tech firms and smartphone app companies that receive health data directly from patients, physicians or hospitals that release it based on a patient’s authorization aren’t subject to HIPAA.

The existing gap in privacy laws may become exacerbated as the new rules boost patients’ – and third parties’ – ability to share data. Some groups comprised of health care and other stakeholders, such as the CARIN Alliance, have developed voluntary codes of conduct for entities not covered by HIPAA, such as third-party applications, when handling health care data accessed via APIs. What happens, though, when a voluntary code is broken by a member organization?