On Monday, the U.S. Department of Health and Human Services (HHS) issued what it calls “transformative” rules that will govern how healthcare providers, insurers and technology vendors must design their systems to give patients safe and secure access to their health data. Issued by two different agencies within HHS – the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS) – the rules implement the interoperability and patient access provisions of the bipartisan 21st Century Cures Act.
The new rules are aimed at putting patients in charge of their own health records and allowing them to share their sensitive health data with others, including smartphone application developers. But with these new rules come growing concerns over the risk they pose to patient privacy.
Interoperability and Patient Access
The ONC final rule requires that health providers, developers of certified health information technology (IT) products, health information exchanges and other health information networks give patients secure, electronic access to their health records at no cost, and it creates new measures to prevent information-blocking practices and anti-competitive behavior. In addition, the rule establishes new provisions to ensure that providers have the ability to communicate about health IT usability, user experience, interoperability and security, including (with limitations) the ability to document issues using screenshots and video, which ONC says are critical forms of visual communication.
The rule also establishes secure, standards-based application programming interface (API) requirements to support patients’ free access to and control of their electronic health information using the smartphone app of their choice. This provision will allow patients to organize information from different healthcare providers and health insurers in applications on their smartphones. Building on the ONC’s final rule, the CMS final rule requires health plans in Medicare Advantage, Medicaid, the Children’s Health Insurance Program and through the federal exchanges to share claims and other health information with patients in a safe, secure, understandable, user-friendly electronic format through the Patient Access API. According to HHS, the Patient Access API will allow patients to access their data through any third-party application they choose and to take this information with them as they move from plan to plan and provider to provider. The idea is to create a world where patients have instant access to information so they can easily choose a doctor and get the best care at the lowest price.
The CMS final rule also establishes a new condition of participation (CoP) for all Medicare and Medicaid participating hospitals, requiring them to send electronic notification to another healthcare facility or community provider when a patient is admitted, discharged or transferred. The goal of this CoP is to foster innovation, facilitate better care coordination and improve patient outcomes by allowing a receiving provider to reach out to the patient and deliver appropriate follow-up care in a timely manner.
Privacy Concerns
Although applauded by many as putting patients in the “driver’s seat” with respect to coordinating their own care, the new rules also raise concerns regarding patient privacy and the potential for misuse of health data. These concerns are being amplified as healthcare systems are increasingly entering into data-sharing deals with tech companies such as Google and Microsoft.
The Health Insurance Portability and Accountability Act (HIPAA) generally applies to healthcare providers and insurers (covered entities) as well as third parties that work with them, such as tech companies, with which providers share health data (i.e., business associates). Entities that are subject to HIPAA must comply with certain national standards for protecting the confidentiality, integrity and availability of protected health information, which is a subset of health data. However, tech companies and application developers that receive health data directly from consumers – or from providers that release it with a patient’s authorization – generally are not subject to HIPAA. Rather, they are primarily regulated by the Federal Trade Commission, which focuses largely on whether companies abide by their own privacy policies. Thus, the health data that can be – and in many instances must be – shared under the new rules is not protected by the same standards as it would be in the hands of a covered entity or business associate under HIPAA; this includes the sale of health information. This raises legitimate concerns that patients will be sharing their sensitive health data with companies that can use and sell that information however they want. In fact, the only restriction on the use of the sensitive health data in many instances will be the company’s terms of service or privacy policy.
This is where the new rules arguably fall short. The CMS final rule provides that covered entities and business associates have the option to offer advice to patients on the potential risks involved with requesting data transfer to an application or entity not covered by HIPAA, “but such efforts generally must stop at education and awareness or advice regarding concerns related to a specific app.” In recent resolution agreements with covered entities, HHS has taken the position that patients should have nearly unfettered access to their health information in the possession of a healthcare provider.
Some hospital trade groups, including the Federation of American Hospitals and the American Hospital Association, have pointed out that these provisions are not adequate. HHS has responded by stating that patients will be able to select which particular data elements they want to share and that healthcare providers can advise patients when their data might be leaving the protection of HIPAA. But given that most patients are unfamiliar with specific HIPAA’s protections, and rarely – if ever – read through an app’s privacy policy, there is concern that the new rules do not go far enough to ensure the security and confidentiality of patients’ sensitive health data.
Ultimately, healthcare providers and health insurers should understand that patients’ sharing of health data with apps, other providers and other insurers will now be easier than ever. Therefore, they should begin to familiarize themselves with the new standards for sharing data and providing patients with digital access to health data while considering the privacy risks that should be communicated to patients in the process.
