Healthcare Data-Sharing System May Create Privacy Risks

In a world where data is currency, the healthcare sector presents a distinct exception. Strict privacy rules have long governed who has access to what information, with federal legislation protecting personal medical records from outsiders while, in principle, guaranteeing access for the individuals those records describe. What was designed to be accessible, however, has often been anything but. A pair of final rules announced in March 2020 by the US Department of Health and Human Services (HHS) is meant to make that information more standardized and more readily available to its owners, but it has prompted an outcry from experts about the data breaches and privacy violations that may follow once records leave the regulated healthcare system.

A Brief History of Medical Record Access

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) directed HHS to establish federal standards for safeguarding individually identifiable health information. Those standards took shape in the HIPAA Privacy Rule, which spells out the rights an individual holds over their own records: the right to obtain a copy of personal medical records; the right to “change any wrong information… or add information” if something is missing; the right to learn how your health information is used and shared by your doctor or health insurer; the right to let your providers or health insurance companies know if there is information you do not want to share; and the right to ask to be reached somewhere other than home. These rights, and the Privacy Rule’s limits on use and disclosure, bind HIPAA “covered entities” (providers, health plans and clearinghouses) and the business associates that handle data on their behalf.

Addressing Systemic Flaws

Unfortunately, the process of obtaining personal medical data from providers is not always straightforward. The New York Times’ Natasha Singer recently detailed how “some physicians still require patients to pick up computer disks — or even photocopies — of their records in person,” while other providers “use online portals that offer access to basic health data, like immunizations, but often do not include information like doctors’ consultation notes that might help patients better understand their conditions and track their progress.”

The new HHS rules are meant to make vital information more readily accessible to individuals. Described as the most extensive healthcare data-sharing policies the federal government has implemented to date, they carry out the interoperability and patient-access provisions of the bipartisan 21st Century Cures Act and support the Trump administration’s MyHealthEData initiative, which is “designed to… [give] every American access to their medical information so they can make better decisions.”

Concerns

Technology is the fundamental driver of the rule changes, which aim to bring smartphone-based, app-driven access to health records in the same way other sectors already offer it. Rather than a single central repository, the rules require providers and health plans to expose patient information through secure, standards-based APIs, which a patient can then reach through a “smartphone app of [the user’s] choice.” In theory, this will give patients the ability to manage their healthcare “the same way they manage their finances, travel and every other component of their lives,” said Don Rucker, M.D., national coordinator for health information technology, in a press release.

But what seems like a boon for patients has raised alarms with some experts. Singer reports that dozens of professional medical organizations and health industry groups have pushed back against the rules because the robust privacy protections that attach to health records no longer apply once patients transfer their data to consumer apps. The reason is structural: HIPAA binds covered entities and their business associates, and an app a patient picks from an app store is usually neither, so once the patient directs their data to it, the app’s own terms of service and general consumer-protection law are what govern. Singer notes that the Office of the National Coordinator for Health Information Technology (ONC)’s website acknowledges as much: an infographic urges caution, stating plainly that healthcare providers are no longer responsible for the security of [individual] health information after it is sent to a third party.

The concerns echo common complaints about data security levied against parties ranging from US cellphone carriers to Big Tech to Ring and law enforcement, among others, complaints loud enough to prompt action from the state of California, the European Union and other legislative bodies. These worries were on the mind of Dr. James L. Madara of the American Medical Association, whom Singer notes has called for additional transparency and protections around data use in his public comments on the topic. “Apps frequently do not provide patients with clear terms of how that data will be used — licensing patients’ data for marketing purposes, leasing or lending aggregated personal information to third parties, or outright selling it,” said Madara. “These practices jeopardize patient privacy.”

What Happens Now?

Singer reports that the data made available initially will be less comprehensive, tending toward basics like test results or prescription drug history, which may be a small comfort to critics. Some services may offer more generous data protections than others; Rucker equated the issue to consumer choice regarding whom to bank with or which brokerage firm to use. In a piecemeal regulatory environment, consumers will again bear the brunt of the responsibility for vetting any app they choose to give access to their medical information, and a sensible minimum before granting that access is to read what the app’s privacy policy says about selling, sharing and retaining the data. How that information is protected after the handoff will be the province of third parties, until legislated otherwise.

Quandary Peak Research

Based in Los Angeles, Quandary Peak Research provides software litigation consulting and expert witness services. We rapidly analyze large code bases, design documents, performance and usage statistics, and other data to answer technical questions about the structure and behavior of software systems.