- The Office of the National Coordinator is in talks with Congress and the White House on how to regulate secondary uses of healthcare data. ONC doesn't have statutory authority to vet third-party apps and what they do with consumer data, agency chief Don Rucker told Healthcare Dive, but the agency is looking into a variety of solutions including legislative language on privacy and security provisions or voluntary attestation standards for the apps themselves.
- Any potential regulation of third-party health apps and what they do with consumer data would likely require legislation and come after HHS' twin interoperability rules go into effect, at the earliest, in late 2021 or early 2022.
- Experts are concerned privacy and security have been an afterthought for the agency as it continues to push interoperability into the healthcare industry. But Rucker said there are a "number of people interested on both sides of the aisle and both sides of the Hill" in addressing the issue.
ONC has butted up against privacy concerns for a while now in its push to promote nationwide interoperability, with a number of stakeholders commenting that a lack of security could derail its efforts to foster patient access to their own health data.
"We're pleased to hear Dr. Rucker acknowledge some of the issues that have been raised around secondary and tertiary uses of data," Mari Savickis, vice president of federal affairs for health IT exec group CHIME, told Healthcare Dive.
As it currently stands, if a patient shares their health information with a third-party app, their provider isn't liable for what that third party does with the data as long as the app isn't a business associate of the provider. Such apps often don't have business associate agreements with payers, meaning they're not covered under existing HIPAA liability provisions.
Current HHS rules don't include a certification process for apps, though the Federal Trade Commission does regulate deceptive business practices online and on mobile. Once a patient downloads their data from an EHR, it's their decision what to do with it — and what gets done with it.
"I think it would be operationally quite hard and very detrimental to have heavy-handed regulation of apps, but that's a very different thing from working on [patient] consent," Rucker said, noting ONC is currently working with a "number of folks" on better ways to inform patients about potential secondary uses of their data.
Potential solutions the government is debating include forcing apps to explicitly disclose to the patient every single entity that will receive their secondary information, or having patients give the apps explicit consent to do so, Rucker said. That's "one thing, I think, that would solve a lot of this but still make it appealing enough [for the developer] to build the app to empower the patient."
Increasingly, consumer advocates are calling upon policymakers to look at tighter regulation of third parties that commercialize user data. Facebook is currently in hot water for its practice of selling members' information to businesses, apps and other groups.
The issue intensifies when it comes to highly sensitive medical data, stakeholders say. But Rucker's words Wednesday are a hint Washington is listening.
"Medical data is different from a banking transaction in that medical data, if it gets out, it's permanent," Rucker said. "It's forever."
As it currently stands, almost 80% of health apps share data with third and even fourth parties for a variety of reasons including infrastructure-related services, data collection and advertising, according to a BMJ analysis. This is concerning, especially as tech giants and startups alike churn out more offerings to meet consumer demand for digital helpers to manage and make sense of their health.
Though developers say app users' personal identities are kept hidden through data sharing, companies involved in infrastructure, analytics and advertising could easily identify users.
"Regulators should reconsider whether sharing user data for purposes unrelated to the use of a health app, for example, is indeed a legitimate business practice," the researchers from the University of Sydney and the University of California said.
Despite HHS attempts to assuage industry concern, including a FAQ webpage launched in April, healthcare companies continue to lobby against mainstream adoption of the tech, citing privacy concerns.
"A number of the public commentators have either totally misinterpreted or intentionally misinterpreted that piece of information to say, 'Oh, the data's just flowing out there'," Rucker said.
ONC is banking on consumers being as protective of their health information on apps as they are on social media or when accessing their finances online.
"We think most patients are going to be as protective of their medical information as they are with their banking information," Rucker said, but ultimately "the markets will decide."