The Department of Health and Human Services (DHS) has recently proposed rules on medical information sharing, intended to make it easier for patients receiving medical records and understand their treatment choices through their smartphone’s apps. The rules require health providers to send medical information to third-party apps after a patient has authorized the data exchange. The DHS had argued that people access their medical data would help them better manage their health, seek second opinions, and understand medical costs. However, this possibility of sharing medical information with third parties pose a more significant challenge as medical organizations in the US are warning. It’s simple: data-sharing with apps could facilitate (even more) invasions of privacy as people who authorized consumer apps to retrieve their medical records can expose themselves up to data abuses.
Health, Sensitive Data, and innovation
The central challenge in the use of sensitive data lies in striking a balance between protection and innovation. Most of the sensitive data, including health data, is disconnected and separated in the interest of keeping its integrity and security. However, this separation limits innovation opportunities. One way to maintain the balance is by creating decentralized data architecture through the application of programming interfaces (APIs), which basically simplifies the ability to obtain data “from many types of databases and applications, including those at remote locations.” If the “federated data system” is well designed, it will not only address both privacy and security concerns but will also facilitate the discovery of new data and enable the ability to analyze massive datasets.
Now, the first information-sharing rule proposed by the DHS, introduces APIs as part of the data structure, requiring from health providers to install APIs, which in turn allows patients to send their electronic medical information directly to apps from their health providers. As argued by DHS, this will let patients customize their information requirements, banishing previous bureaucratic processes to obtain their personal medical records. The second rule requires Medicare and Medicaid plans to adopt API, so people could use third-party apps to get their insurance claims and benefits information. According to Medicare and Medicaid Services, this particular rule bring the opportunity to make patient data more transferable through “open, secure, standardized, and machine-readable formats while reducing restrictive burdens on healthcare providers.”
Now, in Balancing Innovation and Trust in the Use of Sensitive Data, the World Economic Forum stated that when introducing federated data systems, “policy-makers should identify populations that need a higher level of protection and determine whether specific requirements should be codified within a data protection framework.” The previous means that even when introducing structured systems to treat sensitive data, there must be a clear recognition of the need to prioritize people’s privacy. The truth is, having federated data systems pose extra (but necessary) complexities to the decision-making process as regulators now have to define who has access to what types of data, under what circumstances, and for what purposes. Beyond the regulation needed to allow people to access their medical records through their apps, there must be a robust data governance system capable of achieving a better balance between data protection and data innovation.
First comes first
However, DHS proposed rules failed to give patients actual control over their health data as the possibility to get information from consumer apps is an “all-or-nothing choice.” Basically, people who authorized an app to collect their medication lists (like HIV or cancer medicines) would not be able to stop it from retrieving specific data if they prefer to keep it private later. Also, DHS rules could require health providers and doctors to share patients’ sensitive medical or even financial information with third apps and insurers. Federated data systems can only work correctly when specific requirements are asked from new members different from traditional dual system patient-doctor or patient-health care provider. Questions related to the background of the new actor, permissions, value, and quantity of data types, and whether the data can be queried without individual consent need to be addressed first; especially when features like “all-or-nothing” when acceding to use an app, are considered.
As the New York Times recently described, the new regulation appears just when big tech companies like Amazon, Apple, Google, and Microsoft increase their interest in the health care market, and in particular in health care information. The health care sector could indeed find handy the extensive technical infrastructure to support the health data that comes with including the tech sector in the equation. More if innovation efforts come along with technical assistance to the health sector to better manage health data, which is currently trapped as devices and systems are unable to exchange information with ease, creating a healthcare system that is fragmented and inefficient. However, even when big tech companies as Microsoft, Google and others had agreed in using especial protocols for data exchange with each other -interoperability rules-, when dealing when health information, regulators have to pose extra scrutiny when acceding tech companies to participate in the data-sharing system, especially if the mentioned companies have mainly been questioned for their poor use of sensitive data.
Any regulation enacted to generate more “patient control” and at the same time, facilitating innovation, allowing third parties to use of health data, must consider people’s right to privacy over their personal and sensitive information. As technological change takes its part in the health sector, medical associations, health care providers, and regulators must be aware of the risks. Before moving forward into app-sharing information, there must be prominent controls regarding patient records safety, health data storage systems by both health care providers and new consumer health tech facilitators, and stronger penalties for those who cannot guarantee proper sensitive data protections. Health data breaches are excellent examples of the necessary privacy and security rules for tech platforms that collect and use people’s medical information that needs to be addressed before yielding more “control” over patients. Just over halfway through 2019, the US healthcare sector saw 15 million patient records compromised in 503 breaches -about 11.3 million patient records were compromised by hacking incidents-, the numbers have risen steeply with potentially more than 25 million patient records breached, according to the Annual Breach Barometer Report. As it appears, even with the existence of the HIPAA, HITECH regulations, and the recent California Privacy Act, the US, the healthcare industry continued to be plagued by data breaches involving sensitive patient information. Even as the healthcare industry becomes increasingly aware of the importance of protecting patient data, the trend of health data breaches remains.
Signup for our mailing list and stay up to date on the latest happenings at The O’Neill Institute
Or sign up for our RSS Feed
The views reflected in this blog are those of the individual authors and do not necessarily represent those of the O’Neill Institute for National and Global Health Law or Georgetown University. This blog is solely informational in nature, and not intended as a substitute for competent legal advice from a licensed and retained attorney in your state or country.