I spent some time last night working through the American Hospital Association response to the CMS Inpatient prospective patient system proposed rule for the fiscal year 2019. My interest was piqued by this article from healthitsecurity.com discussing how companies such as Amazon are ill-prepared for the regulation of HIPAA and generally raising the flag about the need for patients to be vigilant when dealing with third-party medical applications.
To say the AHA is wary would be an understatement. They have a multitude of concerns ranging from security and privacy of patient data to the legal implications of what may be perceived as accidental data blocking when an app does not meet security requirements and is forcibly disconnected from a hospital’s network.
There’s a lot more in the response than that and it’s worth taking the time to riffle through it.
The one area I would like to focus on today is the need to educate patients on how their privacy may be affected when working with medical apps. In their response, the AHA states that:
“While we understand that patients have the right to share their data as they see fit, and may be willing to take the risk of less privacy when using commercial apps, we believe that significant consumer education efforts are needed to help individuals understand the vastly different, and less stringent, federal privacy requirements for entities not covered by HIPAA.”
It’s good that the AHA understands that my data is my data to share with whomever I choose and that I, as an educated consumer, can pick applications that I feel meet my needs. It’s also good that they understand that there is a whole morass of less educated consumers who do not necessarily share my insider knowledge of the regulations and may not fully understand the risks they are taking on when they choose to use a medical app that uses their healthcare data.
Before we go on, something about my last statement feels a little bit off, and it’s the words “less educated consumers” which somehow imply that the vast majority of app users won’t be able to make an intelligent decision. Surely that’s just being elitist – choosing an app isn’t that complex?
Unfortunately, as the AHA points out, once you step outside the confines of HIPAA things get squirrely pretty fast, and I do believe many people will be caught flat-footed. In some jurisdictions companies are not required to have health information privacy policies of any form and the uses of your data may vary. It’s going to be the Wild West out there with little or no regulation until governments, federal and/or local, step in to set a playing field.
As we have seen recently, even companies that should know better because they have an established regulatory program (think Facebook or Uber) can do some pretty remarkable things with their users’ private data. The healthitsecurity.com article went into some detail about a medic alert bracelet purchased on Amazon.com that ended up in site advertisements with the patient’s demographics and medical diagnosis clearly displayed for all to see.
So, the fifty million dollar question is, “would I trust any of these app makers with my, or my family’s, medical data at this point in time?”
The short answer – it depends on the nature of the information being stored or used by the app maker. If the app is storing blood pressure, or spirometry readings, for example, it would be reasonable to be less concerned than if it was storing behavioral health information.
Obviously, I would be very wary at this point in time of any third-party app that isn’t part of an established EMR. MyChart, while old and somewhat primitive, is at least part of an Epic implementation that’s been certified by my provider’s hospital, so I’m prepared to trust it for now. Other, more modern apps that exist outside that ecosystem would require careful thought before I’d store my data there.
At a bare minimum, I suggest that we look for the simple safeguards that the AHA is calling for. Specifically, I want to know if there are well-defined privacy and preferably security practices at the company, and I would like to be notified about what might happen with my data in advance of any sharing. This should be presented to me in a way that I can easily digest so that I can make an informed decision, not as multiple pages of legalese hidden behind a link.
I also like the AHA suggestion that the industry should adopt a certification program similar to the one offered by CMS for Blue Button developers where apps are vetted before they are allowed to connect to the network. This could be established in the form of an industry consortium that issues a certification mark that allows consumers to make easier decisions about which apps they want to use.
Finally, I’d like to see some regulations added at a federal level that will protect patients when more sensitive information, such as behavioral health or substance abuse data, is involved, preferably with civil and criminal penalties.