The Department of Health and Human Services (DHS) has recently proposed rules on medical information sharing, intended to make it easier for patients to receive medical records and understand their treatment choices through their smartphone apps. The rules require health providers to send medical information to third-party apps after a patient has authorized the data exchange. The DHS had argued that people's access to their medical data would help them better manage their health, seek second opinions, and understand medical costs. However, as medical organizations in the US are warning, the possibility of sharing medical information with third parties poses a more significant challenge. It’s simple: data-sharing with apps could facilitate (even more) invasions of privacy, as people who authorize consumer apps to retrieve their medical records can expose themselves to data abuses.
Health, Sensitive Data, and Innovation
The central challenge in the use of sensitive data lies in striking a balance between protection and innovation. Most sensitive data, including health data, is kept disconnected and separated in the interest of preserving its integrity and security. However, this separation limits innovation opportunities. One way to maintain the balance is by creating a decentralized data architecture through application programming interfaces (APIs), which basically simplify the ability to obtain data “from many types of databases and applications, including those at remote locations.” If the “federated data system” is well designed, it will not only address both privacy and security concerns but will also facilitate the discovery of new data and enable the analysis of massive datasets.
Now, in Balancing Innovation and Trust in the Use of Sensitive Data, the World Economic Forum stated that when introducing federated data systems, “policy-makers should identify populations that need a higher level of protection and determine whether specific requirements should be codified within a data protection framework.” This means that even when introducing structured systems to treat sensitive data, there must be a clear recognition of the need to prioritize people’s privacy. The truth is, having federated data systems poses extra (but necessary) complexities for the decision-making process, as regulators now have to define who has access to what types of data, under what circumstances, and for what purposes. Beyond the regulation needed to allow people to access their medical records through their apps, there must be a robust data governance system capable of achieving a better balance between data protection and data innovation.
First comes first
However, the DHS's proposed rules failed to give patients actual control over their health data, as the possibility to get information from consumer apps is an “all-or-nothing choice.” Basically, people who authorized an app to collect their medication lists (like HIV or cancer medicines) would not be able to stop it from retrieving specific data if they later prefer to keep it private. Also, the DHS rules could require health providers and doctors to share patients’ sensitive medical or even financial information with third-party apps and insurers. Federated data systems can only work correctly when specific requirements are imposed on new members that fall outside the traditional two-party patient-doctor or patient-health care provider relationship. Questions related to the background of the new actor, permissions, the value and quantity of data types, and whether the data can be queried without individual consent need to be addressed first, especially when features such as an “all-or-nothing” choice on agreeing to use an app are under consideration.
Any regulation enacted to generate more “patient control” while facilitating innovation by allowing third parties to use health data must consider people’s right to privacy over their personal and sensitive information. As technological change takes hold in the health sector, medical associations, health care providers, and regulators must be aware of the risks. Before moving forward with app-based information sharing, there must be prominent controls regarding patient records safety and health data storage systems, for both health care providers and new consumer health tech facilitators, and stronger penalties for those who cannot guarantee proper sensitive data protections. Health data breaches are excellent examples of why privacy and security rules for tech platforms that collect and use people’s medical information need to be addressed before yielding more “control” to patients. Just over halfway through 2019, the US healthcare sector saw 15 million patient records compromised in 503 breaches (about 11.3 million patient records were compromised by hacking incidents); the numbers have risen steeply, with potentially more than 25 million patient records breached, according to the Annual Breach Barometer Report. As it appears, even with the existence of the HIPAA and HITECH regulations and the recent California Privacy Act, the US healthcare industry continues to be plagued by data breaches involving sensitive patient information. Even as the healthcare industry becomes increasingly aware of the importance of protecting patient data, the trend of health data breaches remains.
The views reflected in this expert column are those of the individual authors and do not necessarily represent those of the O’Neill Institute for National and Global Health Law or Georgetown University. This blog is solely informational in nature, and not intended as a substitute for competent legal advice from a licensed and retained attorney in your state or country.