Americans may soon be able to get their medical records through smartphone apps as easily as they order takeout food from Seamless or catch a ride from Lyft.
But prominent medical organizations are warning that patient data-sharing with apps could facilitate invasions of privacy — and they are fighting the change.
The battle stems from landmark medical information-sharing rules that the federal government is now working to complete. The rules will for the first time require health providers to send medical information to third-party apps, like Apple’s Health Records, after a patient has authorized the data exchange. The regulations, proposed this year by the Department of Health and Human Services, are intended to make it easier for people to see their medical records, manage their illnesses and understand their treatment choices.
Yet groups including the American Medical Association and the American College of Obstetricians and Gynecologists warned regulators in May that people who authorized consumer apps to retrieve their medical records could open themselves up to serious data abuses. Federal privacy protections, which limit how health providers and insurers may use and share medical records, no longer apply once patients transfer their data to consumer apps.
The American Medical Association, the American Hospital Association and other groups said they had recently met with health regulators to push for changes to the rules. Without federal restrictions in place, the groups argued, consumer apps would be free to share or sell sensitive details like a patient’s prescription drug history. And some warned that the spread of such personal medical information could lead to higher insurance rates or job discrimination.
“Patients simply may not realize that their genetic, reproductive health, substance abuse disorder, mental health information can be used in ways that could ultimately limit their access to health insurance, life insurance or even be disclosed to their employers,” said Dr. Jesse M. Ehrenfeld, an anesthesiologist who is the chair of the American Medical Association’s board. “Patient privacy can’t be retrieved once it’s lost.”
Enabling people to use third-party consumer apps to easily retrieve their medical data would be a milestone in patient rights.
Dr. Don Rucker, the federal health department’s national coordinator for health information technology, said that allowing people convenient access to their medical data would help them better manage their health, seek second opinions and understand medical costs. He said the idea was to treat medicine as a consumer service, so people can shop for doctors and insurers on their smartphones as easily as they pay bills, check bus schedules or buy plane tickets.
“This is major, major, major,” he said. “The provision of health care will be brought into the app economy and, through that, to a much, much higher degree of patient control.”
The new rules are emerging just as Amazon, Apple, Google and Microsoft are racing to capitalize on health data and capture a bigger slice of the health care market. Opening the floodgates on patient records now, Rucker said, could help tech giants and small app makers alike develop novel consumer health products.
The regulations are part of a government effort to push health providers to use and share electronic health records. Regulators have long hoped that centralizing medical data online would let doctors get a fuller, more accurate picture of patient health and help people make more informed medical choices, with the promise of better health outcomes.
Americans have had the right to obtain copies of their medical records since 2000 under the federal Health Insurance Portability and Accountability Act, known as HIPAA. But many health providers still send medical records by fax or require patients to pick up paper or DVD copies of their files.
The new regulations are intended to banish such bureaucratic hurdles.
Rucker said it was self-serving for physicians and hospitals, which may benefit financially from keeping patients and their data captive, to play up privacy concerns.
“All we’re saying is that patients have a right to choose as opposed to the right being denied them by the forces of paternalism,” he said.
The Department of Health and Human Services proposed two new data-sharing rules this year to carry out provisions in the 21st Century Cures Act, a 2016 law designed to speed medical innovation.
Rucker’s office developed the one that would allow patients to send their electronic medical information, including treatment pricing, directly to apps from their health providers. It will require vendors of electronic health records to adopt software known as application programming interfaces, or APIs. Once the software is in place, Rucker said, patients will be able to use smartphone apps “in an Uber-like fashion” to get their medical data.
To foster such data-sharing, a coalition of tech giants — including Amazon, Google and Microsoft — has committed to using common standards to categorize and format health information. Microsoft, for instance, has developed cloud services to help health providers, insurers and health record vendors make data available to patients.
“What that lets an individual consumer do is to connect an app or service of their own choice into their health care records and pull down data about their historical lab tests, about their medical problems or condition, about medication prescription,” said Josh Mandel, chief architect for Microsoft Healthcare.
The other proposed rule, developed by the Centers for Medicare and Medicaid Services, would require Medicare and Medicaid plans, and plans participating in the federal health insurance marketplace, to adopt APIs so people could use third-party apps to get their insurance claims and benefit information.
The regulations are expected to become final this year. Health providers and health record vendors will have two years to comply with the API requirements. Electronic health record vendors that impede data-sharing — a practice called “information blocking” — could be fined up to $1 million per violation. Doctors accused of information blocking could be subject to federal investigation.
Brett Meeks, vice president of policy and legal for the Center for Medical Interoperability, a nonprofit that works to advance data sharing among health care technologies, said it would be better for regulators to help foster a trustworthy data-sharing platform before requiring doctors to entrust patients’ medical records to consumer tech platforms.
“Facebook, Google and others are currently under scrutiny for being poor stewards of consumer data,” he said. “Why would you carte blanche hand them your health data on top of it so they could do whatever they want with it?”
Physicians’ organizations and others said the rules failed to give people granular control over their data. They added that the regulations could require them to share patients’ sensitive medical or financial information with apps and insurers against their better judgment.
The current protocols for exchanging patients’ data, for instance, would let people use consumer apps to get different types of information, like their prescription drug history. But it is an all-or-nothing choice. People who authorized an app to collect their medication lists would not be able to stop it from retrieving specific data — like the names of HIV or cancer drugs — they might prefer to keep private.
Rucker said that current information-sharing standards could not accommodate granular data controls and that privacy concerns needed to be balanced against the benefits of improved patient access to their medical information.
In any case, he said, many people are comfortable liberally sharing personal health details — enabling, say, fitness apps to collect their heart rate data — that are not covered by federal protections. Patients, he said, have the right to make similar choices about which apps to entrust with their medical data.
“A lot of this actually will be enforced by people picking apps they trust from brand names they trust in exactly the same way that people don’t let their banking data and their financial data just go out randomly,” he said.
Apple’s Health Records app, for instance, lets people send a subset of their medical data directly to their iPhones from more than 300 health care centers. Apple said it did not have access to that information because it was encrypted and stored locally on people’s personal devices.
But even proponents of the new regulations are calling for basic privacy and security rules for tech platforms that collect and use people’s medical information.
“The moment our data goes into a consumer health tech solution, we have no rights,” said Andrea Downing, a data rights advocate for people with hereditary cancers. “Without meaningful protections or transparency on how data is shared, it could be used by a recruiter to deny us jobs,” or by an insurer to deny coverage.