Experts worry that API-enabled apps will endanger patient data

The healthcare industry is rapidly moving towards an approach using third-party apps designed to dramatically increase consumer access to their electronic health records through application programming interfaces.

However, some prominent health IT leaders are concerned that API-enabled apps will put patient privacy at risk. To address these vulnerabilities, they contend that providers need to be proactive in serving as advocates for patients to protect their interests.

At the center of the controversy is the API task force, co-chaired by Harvard Medical School’s Josh Mandel, MD, which has been charged with providing recommendations to the Office of the National Coordinator for Health IT to help consumers leverage APIs to access EHR data, while ensuring an appropriate level of privacy and security protection.

Last month, the Health IT Policy and Standards Committees narrowly approved the task force’s final recommendations by a vote of 13-10, but only after an amendment was added by members. According to Mandel, the purpose of the amendment was to “clarify our position that a provider organization may attempt to dissuade a patient from using an app, even if they cannot prohibit it.”

For Mandel, what is at stake in the API debate is the issue of patient choice and access. What he worries about when it comes to the use of third-party apps by patients to view, download, and transmit their EHRs is that providers might engage in information blocking by prohibiting patients from using certain apps.

But, Paul Egerman, a member of the HIT Policy Committee who voted against the API task force recommendations, argues that while patient choice and access is being touted as the fundamental principle, it’s really about access by app vendors and risks to patient privacy.

“Most consumer apps are provided at little or no cost to the consumer. So, for their business model, it is likely that app vendors will try to monetize patient data,” observes Egerman, who asserts that mere warnings to patients from providers about the inherent risks to their data are not enough.

“The API task force made transparency recommendations, which are similar to the types of ‘terms and conditions’ and warnings that are currently used for financial data. However, I think that the recommended approach is inadequate when sensitive patient data is involved,” he says. “Basically, standard terms and warnings do not really protect patients or consumers. They protect the vendor or provider. If something goes wrong, the vendor (and provider) blame the patient, saying it was his or her fault for not carefully reading the fine print.”

In addition, Egerman complains that under the terms of the API task force recommendations, providers are forced to work with vendors that they may dislike.

“The API task force recommendations restrict a provider’s ability to block access from an app vendor. As a result, the provider is forced to have an ongoing relationship with an entity that might be giving patients advice that the provider thinks is harmful,” he says. “For example, the app vendor might calculate dosages wrong or use astrology to interpret laboratory results. A physician is supposed to ‘do no harm,’ and as a result, a provider should be able to block any app that is thought to be harmful.”

Likewise, Paul Tang, MD, co-chair of the HIT Policy Committee, says that although consumers have the right to access their health data, with the advent of APIs it’s also critical to ensure that consumers are making “fully informed” decisions on who they are providing their information to and other parties they might be sharing it with.

“You get a real-time connection through an API, and it’s not just a snapshot of your record. They now have ongoing connections to your data—now and in the future, until you cut it off,” says Tang, who calls himself a long-time patient advocate. “If you make that voluntary, and that was the approach recommended by the task force, then I’m nervous that not every company that’s going to patients to connect them through the API to their data will be forthcoming about what they intend to do with it.”

He also points out that only one in 20 health IT start-ups are financially viable and survive.

“What happens to the consumer data if a company goes bankrupt, gets acquired, or merges with another company?” asks Tang, who believes that the amendment included in the HIT Policy-Standards Committees’ approval of the API task force final recommendations did not address his concerns. “Every consumer needs to have protection about the confidentiality of their data. Without this kind of declaration, then all bets are off.”

“A lot of providers see that as their duty,” adds Micky Tripathi, CEO of the Massachusetts eHealth Collaborative. “When it comes to the doctor-patient relationship, some folks are cynical about whether physicians have the patient’s best interests at heart. But, all the providers I know, that’s the reason they got into the field to begin with and this is a natural extension of the kind of responsibility they feel.”

At the same time, Tripathi contends that providers should be given some type of liability protection in cases where patients might want to sue them in the future for whatever harm they claim may have incurred as a result of sharing their data.

“Someone somewhere is going to sue because something bad happened with what they did with an app. And, they need to understand that the provider organization really has no responsibility to vet it,” he concludes.
