When was the last time you recall seeing your health information recorded on paper? Probably not recently. As stressed in an earlier blog post, electronic health record (EHR) adoption is becoming commonplace for a majority of healthcare providers. Your personal information that was once stored on stagnant paper records is now being captured in dynamic EHRs. While EHR-based storage comes with the benefit of increased accessibility (for both patients and providers), this benefit is simultaneously associated with an increased risk to the security of your health data–your privacy.
Further heightening the privacy risk is the value of your information. For instance, just think about how many companies want your personal information. Then, think about how many companies (such as Facebook) who have gotten in trouble for being bad stewards of their users’ data. The value and sensitivity of your data ring especially true when it comes to your healthcare information (i.e., your diagnoses or what medications you’re taking). This is information is powerful, not only from the insights that can be derived from it but also from how it could be misused.
What places your data at risk?
Under the Health Insurance Portability and Accountability Act (HIPAA), it’s an individual’s right to access or obtain a copy of their health information, but this may be easier said than done. A recent New York Times article discusses the fine line between ensuring patients have access to their medical records and trying to avoid that data from ending up in the wrong hands. The author presents two relatively recent federal pushes to encourage the sharing of data. First, the Office of the National Coordinator’s (ONCs) Notice of Proposed Rulemaking to Improve the Interoperability of Health Information, and second, the Centers for Medicare and Medicaid (CMS) proposed rule. Both rules are meant to foster data sharing by using software known as application programming interfaces (APIs). Use of APIs allows patients to access their data (i.e., medical records, insurance claims, or benefit information) through third-party applications (apps) with a simple click on their smartphones.
While third-party consumer-facing apps are convenient and increasingly becoming more available, the use of these apps intensifies the difficulty in ensuring and maintaining users’ privacy. There are cautionary groups, such as the American Medical Association and the American College of Obstetricians and Gynecologists, who are warning regulators of how the use of third-party apps could place patients at increased risk for data abuses. As stressed in the NY Times article, the federal privacy protections currently in place for medical records are no longer applicable when data is transferred to a third-party app. This means those apps receiving health data could then share or sell users’ data.
Further, in a May 2019 letter to CMS from the American Academy of Neurology (AAN), the AAN expressed concern around the use of third-party apps and the need for a security framework. Acknowledging that data would only be sent to third-party apps upon the patient’s request, they stressed the need for guidelines to ensure apps act responsibly. Misuse of data could potentially harm providers and shift the responsibility data security to providers (as opposed to the app developers).
What’s being done to address the risk?
Despite the dangers third-party apps present, it’s important to remember the urgency of the issue at hand. A lack of interoperability and information blocking are critical problems that continue to burden both healthcare providers and patients. To help address the concern of trust and potential misuse of third-party apps, the ONC released the most recent draft of the Trusted Exchange Framework and Common Agreement (TEFCA) [pdf] in April of 2019. This framework offers a “single on-ramp to nationwide connectivity” and describes a set of principles to facilitate trust between health information networks. While the most recent version of TEFCA states third parties (such as apps) using this “on-ramp” will need to align with HIPAA rules and safeguards, these principles only apply to participating apps. Third-party apps that choose not to use the ONC-created “on-ramp” don’t have to follow the TEFCA principles.
Another effort working toward secure use of third-party apps is the CARIN Alliance (a non-partisan, multi-sector alliance of provider, payers, consumers, and companies). The CARIN alliance created a code of conduct in November 2018, specifically for third-party apps. This allows app developers to self-attest to following a specific code of conduct before accessing consumer’s health information. An app developer who violates the CARIN code of conduct after pledging to follow it could potentially face consequences from the Federal Trade Commission.
This is a tricky situation that doesn’t have a clear fix. Easier access to medical records can help improve continuity of care, decrease repetitive diagnostic tests, and allow patients to participate in research. However, how do you achieve those goals without letting patients’ personal health information be misused? Efforts such as TEFCA and the CARIN code of conduct are certainly a step in the right direction, but we still have a long way to go.