Critics are sounding the alarm over new rules introduced by the Department of Health and Human Services (HHS) this week to give Americans more control over their health data.
They warn that while more access to health data for patients and small, consumer-focused companies could be hugely beneficial, there are not enough protections in the rules to safeguard sensitive information or stop big tech companies from acquiring the data.
The two new rules were issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS).
The ONC rule, which implements certain portions of the 2016 21st Century Cures Act, requires health providers to allow patients to electronically access their health data for free.
The CMS “Interoperability and Patient Access” rule focuses on securing the exchange of health information and requires third-party groups to provide information on their data privacy policies before information is shared with them.
Moving health data from hospitals and electronic health record companies — also known as EHRs — to patients is a significant shift in how America treats medical information.
Supporters of the new rules say they will empower patients, allowing them to use their health data to access better or different treatments more easily. Patients have always been able to request data from their providers, but the process can be time-consuming and come with potentially prohibitive fees.
“[The rules are] particularly helpful for complicated patients, patients that have chronic disease that have to see a lot of specialists, if they have to transfer their records from one system to another, the way the system is set up really segments care, making data more interoperable will fix a lot of those existing problems,” Olivia Webb, a policy analyst at the newly formed anti-monopoly organization the American Economic Liberties Project, told The Hill.
Once control of health data is transferred over to citizens, they can choose to use it how they wish.
That has experts worried that without more safeguards, the biggest technology companies will accumulate vast amounts of sensitive data as consumers share it with Silicon Valley via apps and other products.
“These rules devolve power from hospitals and EHR companies to the patient, my concern with the big tech companies is that they will just accumulate all the data and we’re back where we started just with new people in charge,” Webb said.
Health data is one of the only kinds of data protected by a federal law: the 1996 Health Insurance Portability and Accountability Act (HIPAA).
HIPAA requires health care organizations to follow best practices on the handling and transfer of health data. With the HHS rules, health data could finally leave the protection of the privacy rule.
“HIPAA applies when you are transferring data between doctors, or insurance companies, but as soon as you give that information to a third party it is jailbroken from HIPAA... once it’s out, it’s out,” Emily Peterson-Cassin, an attorney at consumer advocacy organization Public Citizen, told The Hill.
People will likely start sharing data with third-party apps and companies offering health services under the new rules, according to Kevin Lancaster, a security expert at IT management firm Kaseya.
“However, it’s unclear who will ultimately be responsible for any PHI [protected health information] data security vulnerabilities under these rules — the provider, the patient, the third-party apps they’re sharing their data with, or a mixture of all three,” he told The Hill.
CMS Administrator Seema Verma told reporters this week privacy and security were “paramount” in developing the rules, but experts have expressed concern about the way they were written.
“The protections here are very minimal and pretty outdated especially when it comes to third parties,” Peterson-Cassin said.
The American Hospital Association (AHA), which represents over 5,000 medical groups, said in a statement that the ONC rule “fails to protect consumers’ most sensitive information about their personal health.”
“The rule lacks the necessary guardrails to protect consumers from actors such as third party apps that are not required to meet the same stringent privacy and security requirements as hospitals.”
In the wrong hands, private healthcare data could be used for damaging practices like price discrimination or to expose health conditions like HIV.
Even if data given to third parties is secure, concerns remain about the third parties themselves.
Major tech companies like Google, Apple, Microsoft and Amazon have all made aggressive moves into the health care space in recent years.
Google recently acquired fitness tracking company Fitbit, while Apple’s watch is a wearables giant. Microsoft has been active in cloud services for health-care providers and working with hospitals on artificial intelligence. Amazon’s purchase of online pharmacy PillPack last year is just part of its effort to break into the prescription market.
All of these efforts would be greatly aided by increased access to more health data, which could also be used in the companies' other business areas.
“Their business model is to collect these huge stores of data, and previously they have not had access to the kinds of health data that they are not potentially going to have access to,” Peterson-Cassin said.
“That’s massively valuable for them, especially when you think about the way health data can interact with buying data and advertising data, it’s really a bonanza for companies to get access
Google, Apple and Microsoft participated in meetings during the HHS rulemaking process, according to Office of Information and Regulatory Affairs records. The Hill reached out to each company for information on their role in the development of the rules.
Microsoft declined to comment for this story.
While the new rules announced by the HHS this week offer new opportunities for innovation and patient mobility, the nature of health-care data is enough to cause concern, Peterson-Cassin said.
“This data is extremely sensitive, without limitations on where it could go, it will go to any place it legally can.”