HHS introduces new rules to give patients more control over their health data
The Department of Health and Human Services (HHS) introduced two new rules on Monday that are aimed at giving patients more secure access to and control over their health data.
The two rules, which HHS Secretary Alex Azar described in a statement as “the start of a new chapter in how patients experience American healthcare,” require public and private groups to share health data with patients while also ensuring the security of the data.
“President Trump is delivering on his vision for healthcare that is affordable, personalized and puts patients in control,” Azar said Monday. “From the start of our efforts to put patients and value at the center of our healthcare system, we’ve been clear: Patients should have control of their records, period. Now that’s becoming a reality.”
The finalized rules were issued by the department’s Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS).
The ONC rule, which implements certain portions of the 2016 21st Century Cures Act, requires health providers to allow patients to electronically access their health data for free, and requires certain steps to be taken to secure this data.
The CMS “Interoperability and Patient Access” rule also addresses security by ensuring the exchange of health information between providers is secure, and requires third-party groups to provide information on their data privacy policies before information is shared with them.
In response to potential concerns that increasing access to health data would lead to security issues, CMS Administrator Seema Verma told reporters Monday that she understood privacy concerns, but insisted that the new rules would ensure the security of patients’ medical records.
“Privacy and security are paramount,” Verma said, noting that the rules would ensure developers are able to build secure interfaces and apps to enable patients to view data.
“We are working with plans to educate patients [on] what to look for in terms of privacy,” Verma added.
Don Rucker, M.D., the national coordinator for Health Information Technology, said in a statement that new data interoperability options will modernize the health care industry and allow for more electronic access to data.
“A core part of the rule is patients’ control of their electronic health information, which will drive a growing patient-facing healthcare IT economy and allow apps to provide patient-specific price and product transparency,” Rucker said.
But at least one organization has pushed back against the new rules.
The American Hospital Association (AHA), which represents over 5,000 medical groups, said in a statement that the new ONC rule did not go far enough to protect patient data.
“Today’s final rule fails to protect consumers’ most sensitive information about their personal health,” AHA said. “The rule lacks the necessary guardrails to protect consumers from actors such as third party apps that are not required to meet the same stringent privacy and security requirements as hospitals.”
AHA emphasized that “these guidelines are too important not to get right. We need to stand on the side of the patient by protecting patient privacy and strengthening security in this rule.”
The development of the new rules kicked off in 2018 when Jared Kushner, a senior adviser to President Trump, outlined a potential plan to ensure more data interoperability for patients. At the time, Kushner said that the goal was for the patient to be the primary person in charge of his or her data, and to kickstart innovation around sharing health data.
“The time is now to align every facet of the federal government and the private sector to ensure information is communicated and shared seamlessly,” Kushner said. “In short, interoperability is about our shared bottom line: saving lives.”