Privacy Leaders: Congress, Not ONC, Holds Onus for Health App Privacy

February 10, 2020 - Industry stakeholders are urging the Office of the National Coordinator to release its proposed interoperability and information blocking rules without delay, in response to a recent push from EHR giant Epic to delay the rules’ release given the potential risks they pose to patient privacy.

In a recent Health Affairs editorial led by former ONC Chief Privacy Officer, Lucia Savage, chief privacy officer and regulatory officer for Omada Health, four healthcare privacy leaders stress that a recent call to halt the release of these rules based on privacy concerns is without merit.

“We argue the opposite: Delaying release of the ONC’s rule will do nothing to improve consumer privacy protections, while delay could have potentially harmful impacts for patients and patient care,” they wrote.

In March 2019, the Department of Health and Human Services released the long-awaited interoperability proposals as part of the requirements of the 21st Century Cures Act. The proposals were met with a flurry of comments, which the agency has been assessing to develop the final rules.

Throughout that time, industry stakeholders have raised concerns around patient privacy given the rules rely heavily upon an API infrastructure to fuel patient access to their records through health apps of their choosing.

READ MORE: AHIP: CMS Price Transparency Proposal Poses Patient Privacy Risk

As there is no API standard in place and HIPAA does not regulate health apps chosen by patients, the argument is that patient data could be used, sold, or shared without patients’ permission. Even worse, the rule failed to include an app-vetting process to ensure the health apps are secure.

The American Medical Informatics Association was one of the first groups to share these concerns with Congress in May 2019.

“When this future is viewed alongside the current reality of scant consumer protections outside the HIPAA-regulated environment, the near-term goal espoused by the ‘without special effort’ clause in Cures [Act] has the real and significant potential to create privacy risks and opportunities for fraud,” AMIA wrote at the time.

However, the group stressed that the argument was not being made to advise Congress or HHS to delay the rule. Rather, AMIA recognized the patient privacy and security concerns posed by the rules were far greater than ONC could handle on its own.

The argument is similar to the response published in Health Affairs and written by Savage; Aaron Neinstein, MD, UC San Francisco, Division of Endocrinology associate professor; Mark Savage, director of health policy at UCSF’s Center for Digital Health Innovation; and Julia Adler-Milstein, director of the UCSF Center for Clinical Informatics and Improvement Research.

READ MORE: CCFH Urges Lawmakers, OCR to Uphold Patient Privacy Protections

ONC does not have the legal authority to change consumer protection rules that apply to consumer-facing health – Congress does, the stakeholders argued.

“ONC’s authority is limited to EHRs and related domains,” they wrote. “The ONC does have authority to require technical upgrades to EHRs that implement consumers’ right to access their health data in a usable, computable format, but not to regulate consumer apps.”

“Congress has the authority to improve consumer privacy protections and is well aware of the problem,” they added.

Congress has been steadily working to find a bipartisan compromise to develop a federal privacy bill that would tackle a host of concerns posed by the digital age, including transparent privacy practices, right of consent, and restrictions on how sensitive data collected by apps can be used.

While most agree that a federal privacy law is still a long way from coming to fruition, it demonstrates there are common interests in tackling these privacy issues argued by Epic, the stakeholders explained.

Further, ONC informed Congress in July 2016 that consumer health apps are already potentially collecting or storing health information and are not regulated by HIPAA and its privacy, security, and breach notification rules.

“It is true that in the two domains, HIPAA-covered and non-HIPAA-covered, privacy protections differ,” they wrote. “The ONC’s proposed regulations change none of this. Furthermore, the ONC’s proposed rule actually reinforces an important privacy principle: that the person whose data are collected has a right to a copy of it.”

“HITECH does not limit this right to particular end points with particular privacy policies, and the ONC’s proposed rule brings this right to life, even if the app the individual chooses has weaker privacy controls than HIPAA,” they added.

As a result, the proposed rules will not worsen patient privacy protections, but they will, however, increase access to health records. The stakeholders argued that patients can already obtain printed copies of their health records and enter it into an app of their own choosing. HIPAA does not apply to those apps, despite how secure or insecure.

The proposed rules will not change existing privacy laws.

Instead of delaying the rules, the stakeholders stressed that the issues should be taken to Congress and state governments that do have the authority to bolster those protections, instead of “delaying critical improvements to interoperability, access, innovation, and ending information blocking.”

“Policy makers have done their part and have promulgated policy to the extent possible (recognizing that policy can sometimes be a blunt, imperfect instrument) to make clear to stakeholders that they need to start sharing data (with appropriate protections and not doing so for only a specific list of approved reasons),” they wrote.

“Now stakeholders such as EHR vendors, providers, and app developers must do their part and act in the spirit of the new regulations, not lobby against them, and give Americans what they deserve: the ability to have their data move to where it is needed,” they added.