AHIP: CMS Price Transparency Proposal Poses Patient Privacy Risk

The Trump Administration’s plan to increase transparency around healthcare costs through an online app leveraging APIs could increase the risk to patient privacy, AHIP argues.

By Jessica Davis

In November, the Trump Administration rolled out broad transparency rules designed to provide consumers with more insights into how much hospitals charge health insurers for both out-of- and in-network care. But according to AHIP, the proposal raises a host of concerns, including an increased risk to patient privacy.

The proposed changes require insurance plans and hospitals to reveal negotiated rates, which would allow patients to compare prices. Insurers would need to inform patients of costs in real-time through an online tool leveraging APIs.

In response, the Centers for Medicare and Medicaid Services received more than 23,000 comments.

For AHIP, the government may be overstepping its statutory authority. Further, mandatory disclosures would undermine competitive negotiations and actually increase costs. The rule would also not provide actionable information to consumers.

But the group also warned that the rule would increase the risks to patient privacy.

“It will undermine competitive negotiations and push healthcare prices higher—not lower—for patients, consumers, and taxpayers,” AHIP writes. “Such disclosures would fail to deliver on what consumers need to make informed health care decisions, raise significant privacy concerns, distort health care markets by driving prices and premiums up for consumers and employers.”

“In short, the proposed rule is contrary to statute, effects a taking of health insurance providers’ trade secrets, unconstitutionally compels speech, and is arbitrary and capricious,” they add. “That is why AHIP strongly urges the Departments to withdraw the proposal to implement new machine-readable files.”

Much like with other recent HHS proposals around data sharing, AHIP explained that the rule relies on APIs to support patient access. And as other industry stakeholders and Congress have noted, the lack of an API standard poses several privacy risks.

AHIP stressed that the machine-readable component of the proposal, specifically the use of APIs, “appear more targeted at providing data to third party application developers than ensuring consumers have access to meaningful, personalized data.”

“In so doing, the federal government would require issuers to share both their trade secrets and their enrollees’ sensitive personally-identifiable information with app developers that are not bound by the same heightened level of privacy and security rules that apply to health insurance providers under federal privacy laws like HIPAA,” AHIP argues.

“The federal government would drive consumers to obtain from third-party apps what is largely available in issuer apps but leave consumers vulnerable to the business interests of third-party app developers seeking to profit from selling consumers’ individually identifiable data without HIPAA protections,” they added.

The focus should instead be placed on increasing the availability and usability of issuer apps, rather than increasing the risk to patient health information and privacy, the group recommended. As a result, HHS should withdraw the machine-readable file provisions to avoid distorting healthcare markets and increasing privacy concerns, among other negative impacts.

A recent study performed on behalf of AHIP showed that while US patients want better access to healthcare and data, most would not use those apps if they feared their privacy was at risk. AHIP went on to explain that patients want accurate, personalized information, but also “highly value privacy protections for their healthcare information.”

Recently, CMS itself reported that a coding error with the Blue Button 2.0 API impacted the privacy of more than 10,000 patients. AHIP explained that the security incident highlights what could happen with a similar implementation of price transparency tools.

“A preponderance of issuers have automated consumer price transparency tools and are actively enhancing them based on consumer feedback and advancing technology,” AHIP wrote. “While we support increasing access to such tools and continuing to improve upon existing tools, we have concerns about pushing comparable information out through publicly available files that will be combined with other information to entice consumers to share sensitive personal information.”

“The machine-readable component of this rule, in addition to and in combination with several other transparency and interoperability rules recently released by HHS, are intended to fuel the ‘app economy,’” they continued.

What’s more, even if data shared with the machine-readable files are not combined with data obtained through the other related proposals like clinical and claims data, AHIP stressed that the government may be encouraging patients to divulge their medical conditions through a “venue where the information gleaned can be sold by third-party app developers to anyone for almost any purpose as long as the possibility is noted in the terms and conditions of the app.”

HHS should instead consider this proposal alongside the other data sharing rules and delay implementation until adequate privacy protections can be developed for third-party apps that deal with sensitive healthcare data not covered by HIPAA, AHIP recommended.

If HHS chooses to finalize the rule without those privacy protections, HHS and the Federal Trade Commission should pursue an educational campaign to make sure patients understand the risks of using third-party apps to estimate costs for enrollees.

“Otherwise, we risk eroding the public trust and derailing technological advancements by pushing enormous amounts of potentially erroneous data out into a gap in the national privacy framework,” AHIP argued.

AHIP joins a host of other industry stakeholders warning HHS and Congress that an API standard is crucial to ensure its interoperability and data sharing proposals aren’t putting patient data at risk, including the American Medical Association, the American Medical Informatics Association, and the American Academy of Neurology.