Long-Awaited HHS Data Sharing Rules Raise Privacy Worries
EHR Vendor Epic Among Critics Raising Many Concerns About Pending Rules
As the wait continues for federal regulators to issue final rules for health IT interoperability and information blocking prevention, some industry stakeholders are raising serious concerns about the privacy of patient data accessed and shared using application programming interfaces and mobile consumer apps.
The use of standardized APIs is a key component in the Department of Health and Human Services' proposals aimed at providing patients with the ability to securely access and share their health data contained in electronic medical records and related health IT systems using smartphones and other consumer devices.
HHS' proposed rules on interoperability and information blocking prevention, which were released in February 2019, have been under review by the Office of Management and Budget since last fall and are expected to be issued soon (see: Deciphering HHS' Proposed Information Blocking Rules).
Accessing Patient Data
The HHS Office of the National Coordinator for Health IT said in a statement last year that its proposed interoperability rule "is designed to increase innovation and competition by giving patients and their healthcare providers secure access to health information and new tools, allowing for more choice in care and treatment."
The proposed rule "calls on the healthcare industry to adopt standardized application programming interfaces, which will help allow individuals to securely and easily access structured electronic health information using smartphone applications," ONC said.
Critics Voice Concerns
Both of the HHS rules generated thousands of public comments, including many critical of the proposals.
But in recent days, some critics of ONC's heavy focus on standardized APIs and apps have voiced serious concerns.
Among the harshest critics is EHR vendor Epic Systems Corp. The privately held Wisconsin-based vendor, which has long been a dominant supplier of EHR software to major healthcare provider organizations and hospitals throughout the U.S., has usually been reluctant to express views on controversial subjects.
But in an uncharacteristic public statement issued on Monday, Epic called for changes in the ONC rule "to prevent serious risks to patient privacy."
Last week, Politico reported that Epic threatened to sue HHS if the final rules issued contain certain provisions the company opposes.
Meanwhile, CNBC reported that Epic is urging some of its largest customers to oppose HHS' upcoming final rules over potential privacy concerns.
While Epic did not immediately respond to an Information Security Media Group request for comment, the company's public statement describes some of its privacy concerns.
"By requiring health systems to send patient data to any app requested by the patient, the ONC rule inadvertently creates new privacy risks," the company notes. Epic also refers to a 2019 study that found 79 percent of healthcare apps resell or share data. "There is no regulation requiring patient approval of this downstream use," which creates patient privacy risks, the company writes.
While some skeptics suspect that some of the concerns expressed by Epic could be driven, in part, by competitive fears about giving consumer app vendors access to patient health records, others say Epic's privacy worries are also legitimate.
"The privacy issues and the introduction of potentially insecure endpoint access are more of what concerns these vendors," notes Keith Fricke, principal consultant at tw-Security.
Privacy attorney Kirk Nahra of the law firm WilmerHale says that "there is clearly an important set of privacy and security challenges" involving APIs and consumer apps used to access patient health data.
"Many of the apps that will be receiving data will not be regulated by HIPAA," he notes.
"We are seeing an increased importance being placed on the ability of patients to get access to their own data. The rules should ensure some relevant standard for privacy and security, but our policy preference at this point generally seems to be putting the patients in charge of their own data. That places some burden on patients to be thoughtful, but puts them in a better place for their health by having better access to their data."
Privacy attorney Deven McGraw, chief regulatory officer at Ciitizen, a California-based company that helps consumers collect and share their health data, notes that mobile apps are not regulated by HIPAA but instead by the Federal Trade Commission, "which means apps can be held accountable for whether or not they are transparent to users about their data practices, and whether they are upholding commitments they are making to users with respect to data - but many perceive that to be pretty 'weak tea' from a regulatory standpoint."
McGraw says she agrees "that greater transparency of app practices is needed, and that is why I participated in helping to create a code of conduct [the CARIN code of conduct] that apps can attest to - which can be enforced by the FTC and which also can provide consumers with some assistance in choosing apps that meet their needs."
Whether this kind of transparency can be mandated by ONC "is a legal question for HHS/ONC to answer," she adds.
"In my experience, most people are very cautious when they consider using an app or service to collect information in a provider medical record, so even voluntary transparency efforts could make a big difference in helping consumers make informed choices," she adds.
Citing privacy concerns as a reason to halt or slow the finalization of the proposed rules "ignores that access to data is a component of fair information practices, the foundation for all privacy law," McGraw says. "So is transparency of data practices. Consumers deserve both."
Attorney Marti Arvin, executive adviser at security consultancy CynergisTek, says the "lack of informed consent" is a concern when it comes to consumer health apps.
Fricke says he has similar concerns about the privacy and security of consumer apps when they access and share sensitive health data.
"Mobile apps that are not programmed with security in mind are of concern. Additionally, some mobile apps are written to harvest information for reuse or sale," he notes.
"End user license agreements can be worded so that someone clicking to agree to it has given away their rights on how the data can be used. There is no guarantee the applications are written to protect the data appropriately."
Many users of smartphones may have few or no security controls on their devices, Fricke says. "A lost or stolen phone with no access controls may offer opportunities for unauthorized people to access any information on the device, including the mobile apps to access health information. Poorly written mobile apps may not clean up cached data after a person ends their session."
Jon Moore, senior vice president and chief risk officer at privacy and security consulting firm Clearwater, expresses similar concerns.
"Assuming the app was not provided by a covered entity or business associate, one should assume that any information sent to the health app will be treated by the health app provider as their information and will be monetized solely for their benefit," he notes. "By using the app, a user is essentially waiving any right to privacy surrounding that information."
A growing number of state laws require software vendors to implement at least some level of security controls to protect personal information and require notification of a data breach, Moore notes.
"Nevertheless, it would be foolish to assume that any particular health app vendor has adequate controls in place to protect electronic protected health information."