With interoperability push, what does freer flow of patient health data mean for privacy?


Crystal Yednak Senior Manager, Health Research Institute, PwC US January 29, 2020

A federal regulatory push toward interoperability aims for a healthcare system where patients can access their health information through easy-to-use apps. Meanwhile, healthcare organizations would share patient data with other entities as patients move from provider to provider and from health plan to health plan. But this enhanced flow of data would make patient health data more available to tech companies and third-party developers who could step in to help create the apps and tools to make the data more usable. While an interoperable system presents opportunities for the healthcare ecosystem to reduce duplicative tests and costs while improving patient care, the increased presence of third-party actors does raise concerns about how patient data may be used.

HIPAA questions raised

While healthcare entities are acting to protect health information under the 1996 Health Insurance Portability and Accountability Act (HIPAA), consumer app developers are not necessarily covered by that law and related regulations. When consumers click OK to an app’s terms and conditions, they may not realize the extent of the health information they are sharing.

The HHS Office of Civil Rights issued guidance in April to clarify the HIPAA-related responsibilities in sharing data with third-party apps, with the agency stating “once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate.” This puts the onus on the patient to understand that the application they select may not provide adequate security protections.

Industry groups also are trying to develop consensus for how third parties will use, store and manage consumer health data to prevent it from being used for other purposes, such as marketing or even being sold, without their consent. The CARIN Alliance, a nonpartisan organization that brings together payers, providers, pharma, technology companies and consumer groups, has drafted a code of conduct for companies handling health data outside of HIPAA to make sure consumers can consent to how it is used.

The challenges of greater access

Healthcare organizations already should be seeking assurances from partners and third parties that they have adequate cybersecurity and privacy protections in place, but in this environment, it may be even more crucial to make sure partners are following best practices, and to ask for reports that prove it. Business associate agreements may need to be reviewed or extended to more entities. Although tech company business associate agreements that provide access to consumer health data are not unheard of, news reports about large tech companies gaining access to health system data to try to develop insights and tools have provoked consumer uproar and renewed interest in Congress in revisiting the issue of health data privacy, which could collide with CMS’ push to force data sharing.

What success could look like

HRI research has shown that together, payers and providers can develop a more accurate view of the patient that can help improve the patient care experience. For their part, consumers appear open to healthcare providers sharing their electronic health record with other providers, with 68% indicating they were comfortable with it in HRI’s 2019 survey of American consumers.

If patients can walk into their preferred venue with their entire medical history, the care venue choice becomes more fluid, more personal and more convenient. Patients benefit from not being asked for the same information multiple times or being subject to multiple versions of the same test because one location does not have access to a previous result.

Questions remain in the industry about how much patients themselves want to interact with their data and if they will use it to change behaviors or make health decisions. In 2018, roughly 3 in 10 individuals were offered access to their online medical record, and also viewed their record at least once within the past year, according to a May 2019 data brief from the Office of the National Coordinator for Health Information Technology. Of those who didn’t view their record, a top reason was wanting to speak to their provider directly.

Technology companies are betting that consumers do want the data access, and some are interjecting themselves into the picture to take the information and help make it more usable for patients, forming partnerships to make patient records available through apps on their phone. 

A more robust exchange of patient data could help efforts to solve for the social determinants of health, the social, economic and environmental factors that can have a bigger influence on health than clinical care. By combining data from throughout the healthcare system and community organizations, providers and payers can identify the behaviors and social challenges impacting health and develop intervention strategies to target those social determinants of health in powerful ways that have yet to be fully explored. 

For citations, implications and insights, please read our full report, Beyond IT: Why the regulatory push toward interoperability requires whole organizational responses from providers, payers.

For more of HRI’s insights and content, visit our Regulatory Center and report library.
