New AMA Privacy Principles Seek to Build Public Trust

By Myrle Croasdale

Physicians expect to field patients’ medical questions. Nowadays, however, they also can expect questions on what health-related apps and websites are safe to use.

“I see it all the time in my own practice,” Dr. Jesse Ehrenfeld, an anesthesiologist at the Medical College of Wisconsin in Milwaukee and American Medical Association (AMA) board member, told Digital Privacy News. “I get lots of questions from my patients on how safe it is.

“Like the hospital patient portal or the pharmacy app to manage their own prescriptions,” Ehrenfeld posed. “Right now, it’s hard to provide good guidance to patients about what the apps are and are not doing, because there’s no transparency.”

“Our primary purpose is to boost and build public trust, not to inhibit data exchange.”

Dr. Jesse Ehrenfeld, AMA board member.

Patients remain wary of giving their health information, Ehrenfeld said, because they don’t know when it may end up with a technology company or data broker.

That doubt is starting to taint the physician-patient relationship, he said.

In response, the AMA released privacy principles last month backing an individual’s right to control, access and delete their personal health care data collected by companies not regulated under the Health Insurance Portability and Accountability Act (HIPAA).

The association, based in Chicago, is sharing these principles with industry and government officials in hopes that they will help shape future regulatory guidelines and strengthen data privacy laws.

“This is by far one of the more robust frameworks that I’ve seen,” Michelle De Mooy, a privacy and data ethics consultant based in Washington, told Digital Privacy News.

In the absence of governmental guidance, the AMA privacy principles provide a framework on health data-privacy policies for software developers and tech companies, she explained.

“I can tell it is very thoughtful and trying to cover all the bases.”

HIPAA Regulates Providers, Not Data

The privacy of health data shared by a hospital, physician’s office or health plan is regulated under HIPAA.

If that same data is shared with a software developer’s app, it may not be protected, said Anna Slomovic, a data-management and policy consultant, also in Washington.

“When data is shared between organizations, the data is copied and the copy is handed over,” she told Digital Privacy News. “One copy may be covered by HIPAA and the other copy may not be.

“This could include data from the devices you track activity with, like a Fitbit, where the data is covered only by Fitbit’s privacy policy.”

“I can tell it is very thoughtful and trying to cover all the bases.”

Michelle De Mooy, privacy and data ethics consultant.

The need to protect the privacy of individual’s medical data is more urgent than ever, privacy advocates say.

HHS Move Intensifies Privacy Fears

In March, the U.S. Department of Health and Human Services (HHS) released rules that make it easier for hospitals, physicians, insurers and patients to share health information through standardized application programming interfaces (APIs).

Patients now can download their detailed medical data from providers and insurers through third-party apps not regulated by HIPAA, which puts patient privacy at risk, critics say.

The rule, issued by HHS’ Office of the National Coordinator for Health Information Technology (ONC), places the responsibility on patients to read and understand software applications’ privacy policies, then determine whether it’s worth the risk of sharing their information in exchange for using the app.

“Unfortunately, the notion that patients are in a position to make an informed decision on the tradeoff between the costs and benefits of using apps is a fallacy,” Slomovic said.

Studies have shown that people often have no way of knowing how apps use and disclose their information, she said, or what they are agreeing to when they grant permissions to an app.

The use of apps may not be a sound tradeoff between cost and benefit, Slomovic argued, but instead a resignation that it is impossible to live in a modern society without using apps and devices that violate one’s privacy.

“The notion that patients [can] make an informed decision on the tradeoff between the costs and benefits of using apps is a fallacy.”

Anna Slomovic, data-management and policy consultant.

De Mooy, the D.C. privacy consultant, told Digital Privacy News that some language in the AMA’s new privacy principles could be clarified further.

She cited, for instance, the guidelines regarding waivers on privacy if information was appropriately de-identified to not give specifics on individual patients.

“How do you de-identify DNA?” De Mooy asked. “The developers in this space may not have the resources or the knowledge to de-identify something that complex.”

Equity Statements Critical

Other statements struck her as particularly important, however, such as those that focused on equity.

In one example, the AMA guidelines say that it “would not support a policy in which paid apps provided greater privacy protections than free apps.” 

Another recommendation called for barring health data from being used to discriminate against individuals, “including creation of ‘risk scores’ that could hinder patients and their families from receiving health, disability or life insurance; housing; employment, or access to other social services.”

Ehrenfeld, the AMA board member, noted that the new guidelines called for technology companies to be similarly responsible for protecting the privacy of patient data.

The HHS rule change in March puts that burden on patients.

“Our primary purpose is to boost and build public trust, not to inhibit data exchange,” he told Digital Privacy News. “We want people to have confidence and understand what they are getting into when they use this (software) technology.”  

So far, tech companies are listening, he said.

“We’ve gotten a lot of interest,” Ehrenfeld said. “Tech companies and developers are looking for guidance on how to do this (health data privacy) right.”

Myrle Croasdale is a Minnesota writer.

Sources (external links):