The Office of the National Coordinator is the country's health information technology regulator, and, under Donald Rucker's leadership, has set off some waves.
ONC kicked off a nationwide push towards unfettered electronic data sharing with a proposed rule in February that would penalize healthcare companies for siloing data and give patients free electronic access to their healthcare data in a few short years.
Unsurprisingly, industry had a lot to say on the initiative, blasting ONC as trying to do too much too quickly. But the health IT agency is moving ahead. This week Rucker said ONC is in talks with Congress and the White House on further regulation of third-party health apps cropping up to help consumers make sense of reams of their own medical data, once it's back in their hands.
Healthcare Dive sat down with Rucker, a former Chief Medical Officer at Siemens, at ONC's third annual Interoperability Forum in Washington, D.C. on Wednesday to talk about that future could look like for health data and its owners — the patients.
This interview has been lightly edited for brevity and clarity.
HEALTHCARE DIVE: Break down the current state of health data for me.
DON RUCKER: The first thing you have to realize is there are two global issues here. One is health data. Most of our health data is actually not in the medical record or in HIPAA or even generated by providers, right? Most of the available inference on health is sitting in things like the GPS of our phone. Like, where have we been? How fast are we moving there? If I'm going to the HIV clinic every week, you can infer things. If I'm going to McDonald's four times a day, if I'm going to the bar, if I'm sitting in the bar for eight hours every night...
There's vast amounts of stuff that is highly predictive, probably more predictive than, you know, I went to the doctor for my office visit and told him or her some story. 'Oh, no, I don't drink. I don't smoke.' Every doctor knows you look at somebody who's clearly full of nicotine and and they say, 'I don't smoke'. And I mean, you do a physical exam and you say, 'Did you ever smoke? When did you quit?' And they say, 'Yesterday'. It's always better to have quit, but that's a misleading fact. But whatever those facts are often dwarfed by outside information — sensor information, accelerometer information, credit card information of what you're eating, what you're buying.
We're worried about secondary uses of that data that are inappropriate. People who want to do that already have access to a vast amount of highly inferential data, and the inferable data about health is vastly larger outside of what is in EHRs than what is in EHRs.
HEALTHCARE DIVE: What's the second thing?
DON RUCKER: The second thing is, there's just a very, very broad national and international discussion in progress on the terms of engagement in secondary uses of data. So the General Data Protection Regulation in the EU, the California Consumer Privacy Act, and I'm told there are a number of state legislatures that have bills passing, though I'm not sure on their status. But there's both global data and global issues with secondary use of data. Obviously a lot of this is most recently crystallized around Facebook, and that's all before we even get to healthcare, specifically to the EHRs, or the stuff that ONC would classically be involved in.
HEALTHCARE DIVE: A common industry concern with releasing health data back to the patient is that it will no longer be protected under HIPAA.
DON RUCKER: I think there's a couple threads there and a lot of them definitely do hinge around the narrative of HIPAA. The reason I say narrative because I think HIPAA is actually a perfectly fine law, but it's been so heavily misinterpreted by so many people. If you're in a clinical environment anywhere in America and you don't want to do something, you just say, 'Well, we can't do that under HIPAA'. And nobody knows exactly what the provisions in HIPAA are and nobody knows how to even find out what the provisions are.
HIPAA's also used a weapon against economic competitors — the language of HIPAA, not the actual HIPAA. So for example, if you don't want to share information with somebody, you can require that they become your business associate and then you deny them access to the information.
So the narrative, and a number of the comments, is, 'We want the apps covered under HIPAA'. But what that typically means is that we would require the apps to be a business associate. But don't forget, these apps are setting themselves up in many cases to be competitors with the covered entities. So you can say, 'Oh, we want to protect the public by making apps business associates'. But actually in the end, operationally, that means they then can't compete.
HIPAA has very broad data sharing provisions. Covered entities and business associates can share a wide range of data as long as it is for one of three permitted purposes: treatment, payment and operations. Most of the data that is moved in healthcare is moved without any further consent under a blanket initial authorization from the patient. So all of the treatment, the payment and all of the operations data can be shared under HIPAA.
HEALTHCARE DIVE: How will that change once the interoperability regulations are finalized?
What we're talking about now with interoperability is a totally different provision of HIPAA called the individual right of access. Now under [the 21st Century Cures Act], we're requiring providers to provide patients access to their data in a standards-based secure API that Congress termed an API without special effort. Under that, once you get your data, it has nothing to do with the rest of HIPAA. It is your data. You can do with it as you desire.
Outside apps can't get anything from any provider without you specifically logging into your provider portal and saying, this app can get my data. So there is no blanket discovery. A number of the public commenters totally either misinterpreted or intentionally misinterpreted that piece of information to say, Oh, you know, the data's just flowing out there. That's just absolutely wrong. That's just misleadingly wrong.
So you've a couple of apps and said they can download your data. That app is not the covered entity that provided your care or a business associate chosen by the covered entity to facilitate the treatment payment or operations around your care. It's just an app you use. And so then the question is, is that app regulated in any way. Deceptive business practices, such as lying to you about what they do with your data, are regulated by the Federal Trade Commission. But if the app discloses they're going to sell your data and then does so, there's no material regulation at the moment. That's secondary use of data.
What the discussion comes down to is, what are allowable secondary uses of data and how should apps be going about that.
HEALTHCARE DIVE: What are the potential regulations Washington is considering?
DON RUCKER: There could be a number of regulations. For example, we could make apps give a notice of disclosure telling consumers they're giving the health data to X, Y, or X third party. That's one thing I think would actually solve a lot of this yet still make it appealing enough for the app developer to still build the app to empower the patients.
Or, we could make apps get explicit patient consent for every entity that's going to get the secondary information. But you run into issues here. If you require apps get written patient consent, how's that going to work in the app world? You could inadvertently put in conditions that essentially shut down the app economy. So the public policy question here is, how do you bring the consumer empowerment to shop and to engage in behaviors that select winners or losers in the healthcare space — how do you preserve that, and the patient's fundamental right to knowledge about their body, within the broader national debate around secondary use of data and privacy.
HEALTHCARE DIVE: What would you say to industry arguments that actors will misuse consumer data?
DON RUCKER: Most people are smart. Each of these things is a very conscious act. So it's not some sneaky end-user licensing agreement where your data are screened and scraped off. This is a very explicit act where the consumer goes to their provider, their doctor, their hospital's portal and authorizes the app. There's nothing random, sneaky or silent about this.
HEALTHCARE DIVE: How do you think these apps will be structured, and what will they do?
DON RUCKER: There are different business models. Obviously Facebook and Google don't charge users for their service, and therefore have to monetize their data through secondary use. That is intrinsic to their business model. On the other hand, Apple's CEO Tim Cook has said their Apple strategy is a very pro-privacy strategy, but they then charge you, right? They charge the apps for the App Store, and the iPhone's not free. They're charging you a lot of money for that. They're charging you for these things so they can preserve privacy because they have a different business model.
So I think we're going to see these various sorts of business models with the third-party health apps. The most common ones are going to be providers trying to keep their patients in the fold and make it a more consumer-friendly experience. I mean, if you are a big delivery system, wouldn't you build or use a white label app that your EHR vendor already sold you?
I also think most of these apps will help consumers shop for the best place to get care. Some of the biggest apps are shopping apps, right? ebay, Amazon, the Monster shopping app. You're going to see a better experience for consumers, more price transparency and shopping.
It'll take time, but I think it'll happen. And some people will want to hold their data absolutely tight and not share it at all and not use any of these new apps. And that's their right, and their decision.