AMA: ONC proposed rule leaves patients’ data, privacy vulnerable
While the American Medical Association supports enabling patient access and sharing of their own electronic healthcare information, the physician group is concerned that a proposed federal rule will put sensitive data at risk.
AMA charges that the Office of the National Coordinator for Health IT is making a policy decision to “not prioritize patient privacy” and that—if the rule is finalized as proposed by the agency—patients’ health information will be vulnerable to inappropriate secondary uses and disclosures from third-party apps.
“The AMA supports and encourages the right of a patients to access their medical record—what we do not support is a policy that enables third parties to monetize patients’ data,” says Jesse M. Ehrenfeld, MD, chair of the AMA Board of Trustees. “ONC’s proposals will allow apps to use, package, and sell patient information—which could contain financial and family information—to the highest bidder. Patient privacy will be violated and could break the bonds of trust that exists between patients and their physician.”
In March, ONC issued a proposed rule requiring healthcare providers to offer patients’ access to their electronic health information through secure, standards-based application programming interfaces. Specifically, the agency’s proposed rule—for the first time—requires HL7’s Fast Healthcare Interoperability Resources as the standard to which health IT developers must certify their APIs.
However, AMA contends that ONC has not indicated that it will create policy to help ensure patient privacy protections through the API. “In other words, it is promoting API usage, but not requiring that the API technology include privacy and security controls,” according to an AMA briefing document on the subject.
Nonetheless, in response to AMA’s assertions, an ONC spokesman countered that “through the use of secure standards-based APIs, the transmission of data will be secure and—through the use of authentication like OAuth 2—individuals will be authorizing the sharing of their data through the apps,” adding that “we expect that individuals who use these apps will keep their data safe and secure like they already do with many of the apps they currently use—like those they use for their banking,”
In addition, the agency spokesman emphasized that HIPAA provides for the right of patient access to their electronic health information, which ONC’s proposed rule supports.
But, AMA executives point out that many third-party apps are not required to implement the protections of the HIPAA Privacy and Security Rules and that recent incidents reveal that third parties have used health data for marketing, selling data or using analytics to create new sources of revenue.
“Mobile apps typically require a consumer to consent to all terms or not use the app at all,” according to the AMA. “However, we’ve all read stories and studies about how smartphone apps share sensitive health information with third-parties, often without the knowledge of an individual.”
While the privacy and security of data applies to HIPAA covered entities and their business associates, AMA contends that once protected health information has been shared with a patient-designated app the HIPAA-covered entity or business associate is not liable for subsequent use or disclosure of that data—provided that the app developer is not itself a business associate of a covered entity, directly or through another business associate.
“Most patients will not be aware of who has access to their medical information, how and why they received it, and how it is being used (for example, an app may collect or use information for its own purposes, such as an insurer using health information to limit/exclude coverage for certain services, or may sell information to clients such as to an employer or a landlord),” AMA warns. “The downstream consequences of data being used in this way may ultimately erode a patient’s privacy and willingness to disclose information to his or her physician.”
It’s a regulatory reality that National Coordinator for Health IT Don Rucker, MD, openly acknowledges. During a Senate hearing in May, Rucker made the case that “deeply sensitive health facts about patients can be inferred from consumer data ‘exhaust’ such as accelerometers, location services, and a wide variety of app and social media usage patterns.”
Still, Rucker told lawmakers that patients “should have the ability to decide whether the potential benefit of an app to manage their healthcare information and medical conditions outweighs potential risks—this should be the patient’s choice.”
A patient “has to make a very conscious decision to download the data to the app—that offers an opportunity, certainly, for providers to give those warnings,” Rucker testified, adding that “individuals should balance their selection and use of a health app with the potential risk of having negative implications.”
However, AMA insists that “if patients access their and their family’s health data—some of which is likely sensitive—through a smartphone, a patient must have a clear understanding of the potential uses of that data by app developers.”
"ONC needs to ensure that its final rule includes a mechanism to promote transparency for consumers so they understand the information that apps are accessing, what the app is using it for, and with whom the app is sharing the information,” adds Ehrenfeld. “Ultimately, third parties must be transparent about who is seeing a patient’s data. Otherwise, you’re not really empowering the patient—you’re empowering data brokers.”
While ONC does not have the authority to directly require attestations from consumer-facing apps, AMA contends that the agency should require an electronic health record vendor’s API to check for the following three “yes or no” adoption and implementation attestations, as a part of its EHR certification requirements:
- Industry-recognized development guidance (for example, Xcertia’s Privacy Guidelines).
- Transparency statements and best practices (for example, Mobile Health App Developers: FTC Best Practices and CARIN Alliance Code of Conduct).
- A model notice to patients (for example, ONC’s Model Privacy Notice).
“This shouldn’t be a significant burden on EHR vendors, since it’s only requiring that an API check for an app developer’s attestation,” according to AMA. “We also recognize this wouldn’t ensure apps implement or conform to their attestations. However, we believe this will provide a needed level of assurance to patients and physicians, and would be greatly welcomed by users.”
In September, ONC’s proposed rule was sent to the Office of Management and Budget for OMB’s review. According to AMA, ONC is expected to release its final regulations in early 2020.
“Without much needed changes, these rules will encourage the monetization of patients’ health information and could lead to serious negative impacts on patient care,” concludes an AMA spokesman. “Proposed regulations suggest that ONC is attempting to expand the volume and velocity of health data sent outside privacy protections.”