The Trump administration's new interoperability and data blocking rules will give patients long-overdue access to their health information, but it could come at the expense of privacy since consumers will bear more responsibility for protecting their data under a "buyer beware" standard.
When Congress passed the 21st Century Cures Act in 2016, it directed HHS to force insurers and providers to adopt standardized application programming interfaces—APIs—to make it easier for doctors, hospitals, insurers and patients to share health information. HHS' proposed rules, released in February 2019, met with fierce resistance from some corners of the industry, especially on privacy.
The final rules, which came out March 9, haven't alleviated those concerns. The American Hospital Association, American Medical Association, technology groups and privacy advocates worry that sensitive patient information could be jeopardized because patients will be able to download their health data from both insurers and providers using smartphone apps.
HIPAA won't cover information downloaded into third-party apps, and HHS can't directly regulate them because it doesn't have the power to regulate information held on a patient's behalf; that responsibility falls to the Federal Trade Commission.
HHS will rely significantly on patient education and disclosure to protect patient privacy. For example, insurers may require a third-party app developer to describe in its privacy policy how it uses clinical data. Providers and payers will also need to educate patients about how third-party apps could use their information.
"We are working with plans to educate patients about what they should look for in terms of privacy when they are selecting an app so they have the tools and information they need," CMS Administrator Seema Verma said when the rules were announced.
Many industry and privacy experts don't think these measures go far enough because people often don't read or understand privacy policies.
Patient information could be combined with other data such as location or social media posts to create profiles for credit scoring and other uses that people may not anticipate, said Michelle De Mooy, a privacy and data ethics consultant.
"Patient data is going to end up at lots of different third parties like banks or data brokers, not just app developers using the (Fast Healthcare Interoperability Resources) standard," she said.
Yet most people don't use the tools that are already available to gather their health information, often because they're concerned about their privacy. Less than half of people access their medical records online, and fewer than 25% manage chronic conditions, mental health or healthcare spending using the internet, a Kaiser Family Foundation survey found.
"This is not a situation where people are going to run out and pick any app off the shelf," said Deven McGraw, chief regulatory officer for Citizen Corporation, a consumer health tech company.
The FTC will regulate apps that use patient information under the FTC Act, which includes broad consumer protections that include protecting privacy when it constitutes a deceptive or unfair practice. Most states have similar laws enforced by their attorney general.
The agency can go after third parties if they misuse consumer data. If the FTC receives complaints or anticipates abusive behavior, it can issue warning letters, compel developers to agree to change their practices and fine them if they don't. The agency has experience regulating health information and other sensitive data like financial information, so it's not uncharted territory.
"(But) privacy standards are different in HIPAA and the world of apps," said Robert Belfort, a partner with law firm Manatt, Phelps & Phillips' healthcare practice. "When you go to the doctor, you don't worry about what the doctor's privacy notice says because, honestly, it's meaningless. Every doctor's privacy notice says the same thing because it's just reflecting what's in the HIPAA regulation."
There are no comparable standards under the FTC, so privacy policies become critical because that's where companies tell consumers how their data can be used and that generally determines whether the company is violating the law.
The FTC is, by and large, a reactionary agency that brings claims when it receives a complaint or an issue becomes publicly known. From a regulatory perspective, there isn't a framework for prospective verification, validation or certification of third-party apps in terms of how they plan to use data, said Joe Lynch, a senior research scientist for consulting firm Avalere Health.
But you need to compare the FTC approach to HIPAA, which isn't proactive either.
"HHS doesn't do random audits to enforce HIPAA. They basically respond to reported breaches and consumer complaints, and it takes a really long time to do both of those," Belfort said.
Still, more privacy issues will likely surface because health data will expand into a less regulated space with more players and products. The FTC has limited resources to deal with the additional responsibilities, including a relatively small staff and limited funding.
"The FTC is already struggling under the weight of all the enforcement that it's supposed to do," De Mooy said.
Experts say that Congress should give the agency more power to regulate health information and clarify the rules of the road for both consumers and app developers.
If the FTC were able to write clear rules about what app developers could do, consumers wouldn't have to read privacy policies for apps, just as they don't read doctors' privacy policies. The regulations would serve as a backstop, said Lucia Savage, chief privacy and regulatory officer for Omada Health and former chief privacy officer for HHS' Office of the National Coordinator for Health Information Technology.
It would also make business planning easier for software companies. App developers can't read and understand the rules because there are none. Instead, they have to read tea leaves by sorting through a series of idiosyncratic, case-by-case settlement decisions, Savage said.
"It's very resource-intensive, and it's not the same as . . . reading the rules," she added.
Some industry insiders believe that updating HIPAA to expand who's a covered entity is a better way to safeguard patient privacy while giving people access to their health information and fostering innovation. For instance, doctors could prescribe apps to their patients like medication, De Mooy said.
Others view such efforts as overly paternalistic and point to the ways in which people already share health information on social media or financial data through third-party apps.
More to the point, HIPAA was designed in 1996 for insurers and providers when most health information was inside the traditional healthcare system. Now there's more health-related data outside of it and expanding HIPAA protections to apps, wearables, websites and other consumer-facing products and services could prove unworkable. Even the definition of interoperability has changed since 2004 when it was first discussed.
"Interoperability has taken on a new dimension by including . . . these third-party applications as part of the healthcare ecosystem," said Karen Mandelbaum, senior counsel for Epstein Becker Green. "We didn't have third-party apps (in 2004)."
A broad consumer data privacy law—something akin to the European Union's General Data Protection Regulation, or GDPR—is probably the best approach to regulating health information that's not covered by HIPAA.
But Congress hasn't acted, in part because health technology is a fast-moving area and "they don't want to create situations where they're hamstringing industry development or development of best practices that might actually be better than some of the things that they are standardizing from a federal perspective," said Chad Brooker, an associate principal for Avalere Health and former regulator.
States are taking the lead in the meantime. The California Consumer Privacy Act went into effect earlier this year, and it's intended to increase privacy rights and consumer protections for California residents, although some health data are exempt. Many people working in the tech space consider the law a "de facto national privacy law," because countless tech companies are based in California, and it's the largest consumer market in the country, De Mooy said.
There's a growing need for action at the federal level because it's difficult, if not impossible, to regain control of data once it's shared, especially if consumers don't know what information is out there.
"Leaving this up to privacy policies is not exactly the greatest situation for people here in the U.S.," McGraw said. "The more state laws that get passed, the more pressure it puts on Congress to act."
But that doesn't mean Congress will make a move anytime soon.
There's a consensus that Congress should do something, but there's no consensus about what it should do. Congress would need to pass a bill that's strong enough to preempt state law, but there's no bipartisan support, even for a weak one.
"So we're kind of stuck," McGraw said.
Until Congress passes a general privacy law, health plans and providers will do their best to arm consumers with information to protect themselves; the FTC will do its best to enforce current law, and states will take steps to protect consumer privacy.
"It really is a buyer beware situation," Lynch said.