By law, patients have a right to obtain electronic copies of their medical records, but should they also have a right to access those records by using software applications of their choosing?
It was a question Tuesday that divided two federal panels reviewing the use of application programming interfaces in healthcare. Their lack of consensus means the decision is still up for debate.
APIs are dollops of software that enable one computer program to connect with another.
HHS is encouraging their development and use to allow patients to extract data from their doctors' or hospitals' electronic medical record systems.
The goal is to empower patients to control their health by tracking their data, such as lab test results or prescriptions.
But some are worried that app developers aren't covered by the Health Insurance Portability and Accountability Act, the chief federal privacy rule, unless the developers sign business associate agreements with hospitals, physicians, insurance companies or other HIPAA-covered entities.
Without HIPAA protections, patients must know the privacy policies of the apps, and the ONC and the Office for Civil Rights at HHS must help educate patients about the apps' privacy and security risks.
Paul Egerman, a health information technology entrepreneur and a longtime member of the policy committee, said all the fine print typical of these privacy policy statements means “transparency and privacy notices help the vendor, not the consumer.”
Dr. Paul Tang, chief innovation and technology officer at the Palo Alto Medical Foundation, who also expressed concern about the recommendations, said he would like to see the ONC come up with a checklist of basic privacy protection criteria for app developers, such as what they'll do with patients' data if they go bankrupt.
Published promises made by app developers can be enforceable by the Federal Trade Commission, Tang said. The 2009 American Recovery and Reinvestment Act gave the agency a regulatory role over tech companies not covered by HIPAA.
Task force co-chair Dr. Josh Mandel agreed that a proposed ecosystem of app-empowered patients accessing and sharing their data would pose certain risks.
“We also think it will offer benefits and opportunities,” Mandel said.
Mandel is a research scientist at Harvard Medical School's Department of Biomedical Informatics. He's also the school's leader on the Sync for Science project, which aims to deploy patient-controlled mobile health IT in the service of President Barack Obama's Precision Medicine Initiative. The initiative seeks to gather data from 1 million American volunteers for genetic and other forms of medical research.
Mandel said the task force document describes how a provider can “turn off access in a way that might proactively prevent data from being lost.” But, Mandel said, “We also stipulate that at the end of the day, it's a patient's right to turn it back on,” if that's his or her choice. Giving providers the last word on which apps are acceptable could leave it open to providers to block data, he said.
In March, the ONC issued a proposed rule to give itself authority to police healthcare data blocking.
ONC chief Dr. Karen DeSalvo has said blocking the free flow of patient information “frustrates” the national goal of creating an interoperable health IT ecosystem to help produce better, more cost-effective patient care.
In the end, those recommending freer patient access through apps of their choice won the vote, 13-10.
But the division means the recommendations won't immediately go to the Office of the National Coordinator for Health Information Technology at HHS, as is customary after a favorable committee vote.
Instead, the chairs of both panels will seek consensus.