Health-Data Rules Still Under Fire Months After HHS Decision

By David Tobenkin

Data stakeholders in the health care industry continue to express privacy concerns over two new U.S. Department of Health and Human Services (HHS) rules governing how providers share sensitive, private patient information.

“We remain gravely concerned that patient privacy will still be at risk when health care information is transferred outside the protections of federal patient privacy laws,” said Matt Eyles, president and CEO of America’s Health Insurance Plans (AHIP), after the rules were issued in March.

“Individually identifiable health care information can readily be bought and sold on the open market and combined with other personal health data by unknown and potentially bad actors.

“Consumers will ultimately have no control over what data the app developers sell, to whom or for how long,” Eyles said.

The rules were issued by two HHS divisions, the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS).

They execute interoperability and patient-access provisions of a recent federal statute, the bipartisan 21st Century Cures Act (Cures Act), which was signed into law in December 2016.

The rules were designed to support President Donald Trump’s MyHealthEData initiative and to give Americans and authorized providers and payers access to their medical information.

The objective is to help citizens make better decisions and promote more efficient medical care.

HIPAA Protections

Health data is protected by several federal laws, primarily the Health Insurance Portability and Accountability Act (HIPAA), though such protections are removed if a patient voluntarily shares or consents to providing confidential data, said Robert Belfort, a partner at the New York office of the Manatt, Phelps & Phillips law firm.

“The concern of privacy advocates is that the health data that could be shared outside of HIPAA protections includes highly sensitive data that could be used to modify consumer behavior,” Belfort told Digital Privacy News. 

“Once a company knows that you have been treated for depression, for example, it opens up a window into how to tailor messages to you in order to play on the emotions and conditions you have and manipulate you in a way that might not be good for you.”

Yearlong Process

During the yearlong rulemaking process, privacy and consumer advocates argued that the proposed rules could make sharing patient data too easy, while challenging whether the average patient could intelligently determine what data should be shared.

“ONC’s proposed rule could negatively affect patients and health care organizations,” Judy Faulkner, CEO of industry software giant Epic Systems Corp., wrote in a January email to hospital executives that was obtained by CNBC urging them to oppose the draft rule.

“We are concerned that health care costs will rise, that care will suffer and that patients and their family members will lose control of their confidential health information.”

But modifications to the draft rules allayed some concerns, advocates told Digital Privacy News.

“We support the goal of putting Americans in control of their health information,” Stirling Martin, Epic Systems’ senior vice president, said after the rules came out in March.

“We believe the final interoperability rules … include many of the changes requested in support of this goal.”

He added that federal agencies and the White House “listened carefully” to groups “working on behalf of patients and health care providers and created final rules with many material improvements.”

These included, Martin said, “greater flexibility for health care organizations to educate patients on how apps will use their data — and an emphasis on the use of common-data standards whenever possible, so that information sent from one system can more easily be understood by another.

“The rules remain complex,” he cautioned, “and will require substantial operational changes and significant time investment by health systems and health plans to implement those changes.”

Other Issues Arise

However, AHIP and other groups continued to raise concerns after the rules were issued. 

“It is likely the HHS rules will lead to better health apps and products for consumers,” Manatt, Phelps’ Belfort said, “but I think it would be naïve to think that companies that don’t charge consumers a lot for these health apps … will not want to commercialize patient health data in a way that allows them to get a return on the money and time they invested in the apps.”

Twila Brase, president and co-founder of Citizens’ Council for Health Freedom, a consumer group in St. Paul, Minn., told Digital Privacy News: “The rules only give patients the power to choose which data in their electronic health records a smartphone app can receive.

“But that is as far as their authority over their personal medical information goes.

“The administration claims the rules give patients control over their medical records, but it doesn’t stop their hospitals or doctors from sharing those records with untold numbers of business associates,” Brase said.

The American Medical Association (AMA) earlier had expressed concerns over the draft rules, but it did not oppose the final versions.

AMA President Patrice A. Harris said the association would continue to examine areas of particular concern, including “privacy controls that require apps to be transparent about what data is being collected and how the app developers intend to use it.”

Other issues coming under the AMA’s microscope include “security safeguards for patients using apps to access health information,” Harris said in a statement, and limiting “unnecessary and inappropriate access to (electronic health record) data from insurers and other non-clinical entities.”

David Tobenkin is a writer in the Washington area.

The New Rules

Here are highlights of the new HHS rules:

The 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program.

  • Prevents “information-blocking” practices by entities holding patient data that otherwise would impede health care data sharing.
  • Facilitates data-sharing through updated certification requirements for health IT developers and ensures that providers using certified health IT are able to communicate about health IT functionality.
  • Requires electronic health records to provide sufficient clinical data necessary to encourage new health care business models.
  • Increases patient access to and control of their electronic health information by establishing standards-based application programming interface (API) requirements. APIs are the foundation of smartphone apps — and their use could allow patients to obtain and use their electronic health information via smartphones more securely and easily.

CMS Patient Access and Interoperability Final Rule.

  • Requires certain health plans with ties to the federal government to share claims data electronically with patients, including through APIs.

— David Tobenkin
