New Federal Patient Health Data Sharing Rules: The Tradeoffs Between Access and Privacy Protections

The broad new rules will allow people for the first time to use apps of their choice to retrieve data like their blood test results, blood pressure measurements, and a myriad of other personal health data results directly from their health providers. Per HHS, the new system was intended to make it as easy for people to manage their health care on smartphones as it is for them to use apps to manage their finances. The new rules on patient access are part of a general push to make it easier to move patient data from one setting to another, known in the health IT industry as interoperability.

Although Americans have had the legal right to obtain a copy of their personal health information for two decades, many people face obstacles in getting that data from providers. Oftentimes, patients still must pick up computer disks — or even photocopies — of their records in person. Online portals at medical centers offer access to basic health data, such as blood work results, but often do not include information like doctors’ consultation notes that might help patients better understand their conditions and track their progress.

The main rule from ONC requires vendors of electronic health records to adopt software, known as application programming interfaces (APIs), to enable providers to send medical record data directly to patient-authorized apps. Physicians and medical centers are required to send a core set of medical data to third-party apps after a patient has authorized the health data exchange. The data may include intimate patient information such as lab test results and vital signs in addition to clinical notes about a patient’s surgeries, hospital stays, imaging tests and pathology results. A rule from CMS similarly requires Medicare and Medicaid plans to adopt APIs. Use of API software will enable patients to use apps to get their insurance claims and benefit information.

Health providers and electronic health record vendors have two years (the rules go into effect by 2022) to comply with the API requirements. Physicians and electronic health vendors who hamper such data-sharing – a practice called information blocking – could be subject to federal investigation and face large fines.

Prominent organizations like the American Medical Association have warned that, without accompanying federal safeguards, the new rules could expose people who share their diagnoses and other intimate medical details with consumer apps to serious data abuses. Hospitals have been particularly critical, arguing in a statement that the rule “fails to protect consumers’ most sensitive information about their personal health.”

HIPAA applies to health care providers, health insurers, and third parties that work with them. These days, large technology firms are the third parties with whom hospitals share data. In recent nationally publicized examples, patient health information has been shared, and used for big data algorithms with outside technology companies. Additionally, tech firms and smartphone app companies that receive health data directly from patients, physicians or hospitals that release it based on a patient’s authorization aren’t subject to HIPAA.

The existing gap in privacy laws may become exacerbated as the new rules boost patients’ – and third parties’ – ability to share data. Some groups comprised of health care and other stakeholders, such as the CARIN Alliance, have developed voluntary codes of conduct for entities not covered by HIPAA, such as third-party applications, when handling health care data accessed via APIs. What happens, though, when a voluntary code is broken by a member organization?

Tech companies and health apps are overseen primarily by the Federal Trade Commission (FTC), which focuses mostly on whether companies adhere to their own privacy policies. Terms of service agreement in tech sites and health apps, even when read by patients, are often lengthy, opaque and poorly understood by patients, not realizing that their personal health information may be shared with advertisers and marketers. The FTC’s enforcement capacity is only indirect, and as some argue, inadequate: the FTC must prove after a data privacy abuse that tech companies and app developers have mispresented their privacy practices for any legal recourse to occur.

Even federal health regulators acknowledge the privacy risks posed by new data sharing capabilities. An infographic on patient data rights on the ONC’s website warns: “Be careful when sending your health information to a mobile application” because health providers are “no longer responsible for the security of your health information after it is sent to a third party.”

The Trump administration added provisions to the new rules enabling hospitals, physicians, and health insurers to check apps’ privacy policies and share information about the policies with patients. In best-case scenarios, health-care providers and entities who have the time resources and care to do so, can warn patients when their data might be leaving the protections of HIPAA. Patients will also be able to select which data elements they want to share. However, patients will be aware of risks to sharing their health data only if they are cautioned about unintended consequences of using apps to obtain and share their data.

Some lawmakers already introduced bills to protect against the issue of unregulated health data sharing by consumer tech companies. For example, Sens. Amy Klobuchar’s (D-MN) and Lisa Murkowski’s (R-AK), Protecting Personal Health Data Act (S.1842), would require the HHS secretary to issue privacy and security regulations relating to the privacy and security of health-related consumer devices, services, applications, and software. These new regulations would also cover how a new category of personal health data – such as that from fitness trackers and direct-to-consumer genetic tests – can be gathered and used.

The impact of the Trump administration’s data sharing rules on patients will not be clear until the rules are implemented over the next two years. It is clear, though, that the debate over patient privacy will continue and likely sharpen under the new rules. Data sharing rules will likely create a dynamic in which access to patient data will be a positive step in improving patient care and health. However, Congress will need to address patient data privacy with new legislation to ensure ethical and transparency for patients into companies’ data use and data handling practices. The Bipartisan Policy Center supports legislation to update the Health Insurance Portability and Accountability Act (HIPAA) to cover gaps in patient health privacy.