Proposed federal interoperability rules would weaken patient data protection
Patients shouldn’t have to worry about the security and handling of their personal health information.
Do you trust mobile apps to protect your privacy? Would you trust them with your medical information?
How would you feel if Facebook had access to all of your medical records?
Proposed federal regulations, designed to guarantee you unrestricted access to your medical records, would require health systems to share your records with any vendor you choose.
Sounds good – you get to choose who gets your medical information. What could go wrong?
The short answer is: A lot!
Two proposed rules put sensitive medical information at risk
Under a rule proposed by the Centers for Medicare and Medicaid Services, payers (insurers) would be required to make your claim data accessible to the app of your choosing. Meanwhile, the Office of the National Coordinator for Health Information Technology’s rule would, among other things, prohibit electronic health record vendors from creating unnecessary barriers to accessing personal health information – and would require EHRs to make data more readily available.
If ONC’s rule is finalized, healthcare providers would be required to send medical data whenever and wherever the patient requests, even if the method of transmission is not secure. The security and privacy of the transmitted PHI is left to the patient and his or her chosen app vendor, with no HIPAA or certification criteria or protections.
The bottom line? Your “protected” health information would in fact no longer be protected!
Still not concerned? Let’s look at a current real-world example that represents just the tip of the iceberg.
Real-world healthcare consumers face data privacy questions
A grade school child with Type 2 diabetes had been prescribed a continuous glucose monitor and an insulin pump. Both devices, attached to him at all times, collect data. The child’s parents, acquaintances of mine, can use a mobile app to monitor his glucose levels in real time.
This real-time information provides wonderful peace of mind for these parents. However, in addition to monitoring their child’s condition, they must also now try to figure out the various privacy policies and data uses of their child’s medical devices and the third-party companion apps.
The FDA regulates CGMs and pumps, so these devices are theoretically safe. However, the FDA recently issued a warning about using devices that have not been FDA-approved.
“... the agency noted that the use of unapproved or unauthorized devices could result in inaccurate blood glucose (sugar) measurements or unsafe insulin dosing, which can lead to injury requiring medical intervention or even death.”
I reviewed the privacy policies of two of these apps that provide remote monitoring, Nightscout and Sugarmate. Neither is covered by HIPAA privacy protections. Despite my best efforts, I could not confirm for the parents whether they appropriately protect personal, private data.
Essentially, we don’t know what is happening with their son’s medical information – and we can’t guarantee where in the future it will be used, or by whom. Scary!
If you take a look at the current protection of data in the non-medical environment, you’ll see why it may be wise to be leery of medical data coming into the hands of big technology vendors.
Entrusting patient data to the whims of big tech is risky
Apple claims it has patient data walled off and that app vendors are not allowed to misuse these data, but reports have found it has not even protected personal data from apps in its own store!
Several recent studies have found existing health-related apps frequently share private information with big tech and do so without informing the consumer. 
Yet now, ONC and CMS propose to release records to any vendor a patient selects. With no national privacy regulations to fall back on and HIPAA not covering these vendors, these apps would be under the same privacy “standards” as Facebook, Google, Apple and others whose privacy encroachments we already see on a regular basis.
The debate in Washington continues – and HANYS weighs in
HANYS submitted comments on the proposed rules to encourage both a delay in enactment and a certification process for apps that manage healthcare data.
It is an admirable goal to allow patients complete unfettered access to their records, but it’s doubtful this access provides consumers “control” of their records. Data sharing must start with an industry-backed, third-party vetting process to ensure the privacy and security of healthcare data.
We should not rush this process or cave to a perceived consumer demand for unfettered access to medical records. Patients have had access to PHI via secure portals for years now, but these portals are rarely used and have not significantly changed healthcare operations.
Patients have enough things to worry about. The security of their personal health information and who might have access to it or how it may be used shouldn’t be among those worries.
- A JAMA Network-published study showed mobile apps almost always share data, and one out of every three failed to disclose they were sharing data with Google or Facebook.
- A Wall Street Journal investigation found that the menstrual cycle-tracking app Flo shared cycle dates and pregnancy plans with Facebook, and the app Instant Heart Rate: HR Monitor shared a user’s heart rate. This information was provided to Facebook whether or not the app user was also a Facebook user.
- A BMJ-published study also found “sharing of user data is routine, yet far from transparent.”