Groups raise alarm over lack of protection rules for third-party apps
In a letter to federal agencies, two industry organizations call for certification or other regulatory oversight to protect patient privacy.
Industry groups are raising concerns and seeking a joint federal and private-sector approach to address the privacy risks posed by third-party apps that use application programming interfaces (APIs) to access patients’ information.
The apps will ease patients’ access to their health information, but critics say they need some degree of oversight to ensure that consumers have guidance in selecting which apps to use – otherwise, they likely will be ill-equipped to ascertain potential risks, according to a letter sent to federal agencies last week.
The letter – from the Confidentiality Coalition and the Workgroup for Electronic Data Interchange (WEDI) – supports the seamless flow of healthcare information that apps can facilitate, but the groups want to ensure some form of data privacy and protection with their use, such as that afforded by the Health Insurance Portability and Accountability Act (HIPAA). That law, in force for more than 20 years, extends only to traditional healthcare providers, health plans and their business associates; it does not apply to the third-party applications that consumers may use to access health information or manage their conditions.
“A vast amount of health-related information does not fall within the HIPAA regulatory framework and is largely unprotected from misuse,” the organizations’ letter states. “We urge the Departments of Commerce and Health and Human Services (HHS) to take action to protect patients from inappropriate disclosures of their health information.” Copies of the letter also were sent to legislative committees with oversight over health and consumer protection.
The Confidentiality Coalition represents a group of hospitals, medical teaching colleges, health plans, pharmaceutical companies, health technology vendors, patient groups and others, with a mission to advance effective patient confidentiality protections. WEDI is a national organization focused on health information technology and an advisor to the government on IT issues, data standards for electronic transactions, and data security.
Improving patient access
The use of API-enabled apps is a cornerstone of the federal government’s strategy of giving consumers easier access to more of their health information. The Office of the National Coordinator for Health Information Technology (ONC) sees potential for APIs to revolutionize healthcare data sharing and interoperability, and it believes they can “help redesign how healthcare providers and patients interact with health information through health information technology.”
Some API-enabled data sharing services are already being used, such as payer-to-payer data exchange and payers’ provider directory information. Patient access to information is also ensured under information blocking provisions of the 21st Century Cures Act.
In addition to enabling consumers to access their own health records, API-supported apps can help consumers organize their health information and use it to manage chronic healthcare conditions or achieve other health goals. But because the apps are not regulated under HIPAA, concerns have grown that consumers don’t fully understand that information released to third parties is no longer assured of privacy protections.
Rules are applied unevenly
There’s reason for confusion among consumers because HIPAA rules are applied unevenly to apps, says Robert Tennant, vice president of federal affairs for WEDI. For example, apps developed for and offered by provider organizations are covered under HIPAA, but “individually identifiable health information collected outside of a HIPAA (covered entity) or under a business associate agreement is not afforded HIPAA privacy and security protections.”
The ONC appreciates this risk, Tennant says, and has addressed it in a formal response to a frequently asked question on the topic, stating that providers aren’t liable if patient-identifiable information is exposed by a third-party app developer.
Indeed, guidance from HHS makes clear that “once health information is received from a covered entity, at the individual's direction, by an app that is neither a covered entity nor a business associate under HIPAA, the information is no longer subject to the protections of the HIPAA Rules.”
While healthcare organizations can seek to educate consumers about the risks of third-party apps, federal agencies “are of the opinion that it’s caveat emptor, it’s on the head of the patient,” Tennant says.
Federal agencies do recommend “best practices” governing how third-party app developers are supposed to communicate privacy protections to consumers. For example, the Federal Trade Commission stated last year that health apps and connected devices that collect or use consumers’ health information must comply with its existing Health Breach Notification Rule.
However, WEDI and the Confidentiality Coalition say consumers are not likely to fully understand potential uses for their health information. “We continue to be concerned that patients will not have adequate information to be educated consumers regarding third-party apps and may not fully comprehend that they are assuming the risk of the security practices implemented by their chosen app,” the letter indicates.
Potential federal role
The letter calls for federal agencies to put policies in place to ensure “a high level of trust among all participants,” bringing requirements for third-party apps in line with those already in place for third-party apps participating in the federal Blue Button 2.0 program for information access or the CMS Data at the Point of Care (DPC) API initiative, which allows a limited number of users to access Medicare fee-for-service claims data through vetted and pre-approved APIs.
The letter calls for the federal departments to:
- Create guidance on security and privacy for apps and permit healthcare organizations covered under HIPAA to review apps before allowing access to protected data.
- Require app developers to disclose clearly how they will use consumers’ identifiable health information.
- Work with the private sector to develop a privacy and security certification program for third-party app developers.
- Set security requirements equivalent to those for the Blue Button or DPC initiatives.
- Partner with industry groups on consumer education initiatives.
Tennant says efforts are already underway within the industry to provide education to consumers. For example, an initiative by WEDI and the College of Healthcare Information Management Executives is expected to be announced this month. Additionally, industry groups are hoping to partner with large consumer groups, such as the AARP, to get the message out.
The current unregulated framework “sends the wrong message to both the provider and the patient,” Tennant says. “Providers need more ammunition in their quest to educate and direct the patient. We’re saying there are some potential arrows in the quiver (of federal agencies) such as certification.”
Such oversight would give confidence to physicians “in prescribing apps just like they prescribe a medication. Patients trust their physicians and we want to build on that,” he adds. Payers, which also must enable access to their information to consumer-designated third-party apps, “also have a stake in this.”
Providers need assurances of privacy and security practices by third-party apps, Tennant concludes. “Not all providers have robust IT departments that can segment records that API-enabled apps can access. We have to be concerned about misuse of (patient) data in the private sector.”