Is patient privacy a thing of the past? It's a fair question after HHS issued the new data sharing rules required by the 21st Century Cures Act, a bipartisan bill passed in the final month of the Obama administration.
The new interoperability standard sets a two-year deadline for hospitals, physician practices, electronic health record vendors and insurers to begin sharing sensitive medical data with each other and with patients. They must also share it with third-party vendors.
The new rules will no doubt tantalize tech-savvy medical consumers. Corporate behemoths like Apple are already scrambling to bring individuals' entire health history into their smartphones. They promise to empower patients with price and quality information so they can shop for lower-cost providers or higher-quality services.
App developers are busy creating tools for uploading data on eating, exercise and other health-related habits. They claim this will create a feedback loop that encourages people to improve their own health while giving their physicians a tool for delivering more personalized care.
But what happens to that data once it leaves a provider's or insurer's hands, where it is protected by HIPAA? Once one hits the "I agree" button, there is nothing in the new rules that prevents third-party vendors from using or selling that data for marketing, fundraising or the other ways that profit-seeking ventures use personal information to intrude in people's lives.
How did that happen? The rule writers at HHS repeatedly told provider representatives on their advisory committee that the Cures Act prohibited them from extending the same penalties for HIPAA violations, which can range into the millions of dollars, to these new vendors. In the parlance of the health IT world, they are not covered entities.
It's a serious flaw that needs to be corrected by Congress. Should the inevitable privacy violations by unscrupulous vendors lead to a major backlash, the entire healthcare ecosystem could lose the substantial benefits that are expected to flow from the new rules.
Those benefits go well beyond having immediate access to one's personal health history. As things stand now, providers, insurers and EHR vendors write incompatible software programs that make it next to impossible to coordinate care. Some, like software developer Epic Systems Corp., set up roadblocks to information exchange with closed networks or patient-dependent sharing tools. They've spent the past decade deflecting the interoperability requirements in the law that funneled $30 billion to providers to adopt EHRs.
But the new rule signals that era is finally coming to a close. Once medical data is standardized and information blocking ends, a whole new world of medical possibilities opens up. Here's just one example.
Last year, as the president constantly reminds everyone, an estimated 37,000 people died from the flu. Wouldn't it be nice to know their demographics and how many of them received vaccinations to determine its effectiveness among various subgroups?
A national health information exchange that compiled everyone's de-identified medical records could generate those data points in a few days. Such information would be extremely useful to researchers searching for more effective vaccines and to public health officials trying to figure out who's most at risk.
Sadly, providers and EHR vendors opposed the new rules, even as they claimed to back interoperability. Their rallying cry was patient privacy. The patient advocate on the HHS advisory committee, a wealthy Republican donor who championed the new rules in the name of choice, gave short shrift to privacy.
Congress has a chance to fix the rules in its next must-pass spending bill. It should extend HIPAA's privacy protections and penalties to the app vendors. It should force vendors to offer consumers an easy way to opt out of sharing their private medical data.