Apple will soon allow third-party apps to access the health data stored in its Health app.
Apple to facilitate health data transfer between apps
The company already lets patients of 500 hospitals and clinics pull their health information from electronic health records into the Apple Health app. Now, those patients will be able to move that data from the Health app into third-party apps if developers have used the Apple Health Records application programming interface.
For instance, Health app users will be able to import medication data from Apple into Medisafe, a medication management app. The Health Records API "will be an enabler of better healthcare connectivity," said Medisafe founder and CEO Omri Shor.
Apps with this kind of capability will become available this fall, when Apple will release its new iPhone operating system, iOS 12.
The private-industry push to give patients more control over their data mirrors a similar push from federal agencies with initiatives like MyHealthEData and the 21st Century Cures Act, which calls on vendors to use open APIs for data exchange.
"We are encouraged by efforts in the industry to create app ecosystems using modern APIs that give consumers access and control of their health information," said an ONC spokesperson.
But those efforts also come with security concerns.
"This is about as personal information as you could have about yourself," said Mark Nathan, CEO of software firm Zipari. "You're going to want to make sure the appropriate controls are in place."
Apple has assured users their health data are secure and that it's not storing those health data on Apple servers. Instead, when a patient pulls their data from an EHR, that information is stored in an encrypted form directly on the patient's iPhone. And when the patient sends data from the Health app to other apps, those data still do not travel through Apple servers.
Those logistics could help keep HIPAA out of play for Apple. Since Apple itself is not storing the data or using it for healthcare purposes, the company isn't considered a business associate subject to HIPAA. Apple didn't mention HIPAA at all during its Health Records API announcement.
"If you call your internist right now and ask for all the readings from your last blood draw, it is protected health information coming from the doctor and as you receive it," said Daniel Farris, partner and chair of the technology practice at Fox Rothschild. "If you email the results to me, I have no obligation whatsoever to comply with HIPAA."
Similarly, if a patient pulls health data from an EHR into the Health app for personal use only, that use case doesn't mean that Apple or other app developers must comply with HIPAA.
But an app's purpose could ultimately entangle it in HIPAA. If a patient transfers health data from the Health app into a wellness platform app for an employer's rewards-based health challenge, the health data becomes subject to HIPAA because it's an employee benefit related to the administration of a health plan.
Even if an app vendor is not subject to HIPAA, the vendor would be wise to act as if it were. "I would absolutely want these third parties to be required to notify consumers of a breach and to prevent the likelihood of a breach," Nathan said.
Shor and his team consider it "critical" to understand the privacy and security implications of HIPAA regulations, he said. "People in the healthcare space really do need to take it upon themselves to have a higher level of scrutiny in regards to security and privacy," he said.
Even if their apps are secure, app vendors could run into trouble in other ways. "If you move your diabetes diagnosis in from an EHR and also have, let's say, blood sugar readings that were collected independently, it will be very difficult to distinguish those and call one PHI while the other is not PHI," Farris said.
"As you can imagine," he said, "this gets complicated in practice."