If federal agencies have their way, there's one new technology that health systems are going to be interacting with much more frequently: patient-facing apps.
Apps in many ways underpin the long-awaited companion interoperability proposals the Office of the National Coordinator for Health Information Technology and the CMS released early this year. The proposals would require healthcare providers and insurers to adopt standardized application programming interfaces, or APIs—protocols that connect IT systems like electronic health records with third-party apps.
In the wake of the ONC's release of the proposal, industry stakeholders voiced concerns about whether they would be held accountable for how patients, or the apps they request to share their medical records with, use their data—leading HHS' Office for Civil Rights to launch a webpage to address common questions about the use of third-party apps under HIPAA.
When a patient shares protected health information with a third-party app, the provider organization is not liable for subsequent use or disclosure of this data, as long as the app developer is not a business associate of the group, according to the OCR.
But while hospitals may not be liable for that data use, that might not be clear in the eyes of the patient, said Lawrence Hughes, assistant general counsel at the American Hospital Association.
"Patients don't necessarily understand that when they share their information with a third-party app developer, that it's subject not to HIPAA, but to the app developer's privacy policy," he said.
That's concerning, since patient privacy and secondary use of data have been core concerns in comments to the proposed rule.
"The fundamental challenge with the proposals is that patients won't be the only ones receiving health information," said Dr. Jesse M. Ehrenfeld, chair of the American Medical Association's board of trustees. Since many third-party apps won't be subject to HIPAA requirements, an app developer has "relatively free rein to do anything they want with that data," he said.
That could conceivably include selling it or using it to target advertisements.
The ONC has largely dismissed these concerns, suggesting the focus on curtailing patients' ability to select their own way to access health data is paternalistic.
ONC chief Dr. Donald Rucker said patients will have to give explicit consent before sharing their patient data with an app. "That alone is a massive protection," he said in an interview with Modern Healthcare.
Rucker noted public comments to the agency from healthcare consumers have tended to call for more transparency.
"We are working to balance the right of patients to control their medical care and control access to their data with appropriate protections for privacy," he said of the ONC's work.
There's arguably a "gap" in oversight now, where those third-party apps wouldn't be regulated as tightly as other organizations working with healthcare data, said Linda Malek, chair of law firm Moses & Singer's healthcare and privacy and cybersecurity practice groups.
One possible solution could involve establishing a framework under which hospitals could strike agreements with app developers, Malek said. They could then provide patients with a list of those apps, as a way to direct focus toward technologies that have been vetted.
Hospitals have struck agreements with individual app-based services in the past.
"Hospitals and health systems today are partnering with technology companies," said Samantha Burch, AHA's director of health IT policy, citing Apple's health records project, which allows patients who visit participating providers to aggregate data on the iPhone's Health app. But "that's a specific relationship that the hospital is choosing, and obviously a vetting process that takes place."
A patient bringing in their own app is "very uncharted territory," she said.