ONC: Patients must balance benefits of third-party apps with risks
While the Office of the National Coordinator for Health IT is pushing to empower patients to access and share their electronic health information, ONC is warning about the inherent risks from third-party apps.
In March, ONC issued a proposed rule requiring healthcare providers to offer patients’ access to their electronic health information through secure, standards-based application programming interfaces. Specifically, the agency’s proposed rule—for the first time—requires HL7’s Fast Healthcare Interoperability Resources as the standard to which health IT developers must certify their APIs.
Yet by sharing that data with a third party API-based app, patients are potentially putting that health information at risk from inappropriate secondary uses and disclosures, according to National Coordinator for HIT Don Rucker, MD.
“Secondary use of data creates privacy challenges that extend beyond the healthcare industry,” Rucker testified on Tuesday before a Senate committee. “Across all business sectors, individuals often have little say with respect to the secondary use and disclosure of their personal data. However, the misuse of health information can have lifelong consequences for the patient.”
Nonetheless, Rucker made the case that patients “should have the ability to decide whether the potential benefit of an app to manage their health care information and medical conditions outweighs potential risks—this should be the patient’s choice.”
A patient “has to make a very conscious decision to download the data to the app—that offers an opportunity, certainly, for providers to give those warnings,” he added.
Although the HHS Office for Civil Rights has regulatory authority to ensure the privacy and security of data applies to HIPAA covered entities and their business associates, once protected health information has been shared with a patient-designated app the HIPAA-covered entity or business associate is not liable for subsequent use or disclosure of that data—provided that the app developer is not itself a business associate of a covered entity, directly or through another business associate.
“We are actively engaged with the Office for Civil Rights to inform patients about both their HIPAA rights and potential risks,” Rucker told lawmakers. “Individuals should balance their selection and use of a health app with the potential risk of having negative implications.”
In his testimony, Rucker pointed out that many third-party apps are not required to implement the privacy protections and patient rights of the HIPAA Privacy and Security Rules, but they may fall under the jurisdiction of the Federal Trade Commission, including the Health Breach Notification Rule.
The FTC issued the Health Breach Notification Rule to require certain businesses not covered by HIPAA to notify their customers and others if there’s a breach of unsecured, individually identifiable electronic health information.
“Deeply sensitive health facts about patients can be inferred from consumer data ‘exhaust,’ such as accelerometers, location services and a wide variety of app and social media usage patterns,” according to Rucker’s testimony.
Rucker suggested that “as Congress thinks about secondary use of data” and how to safeguard that health information, the overall assessment by legislators “really should be a fairly broad consideration.”