Providers and payers still grapple with privacy concerns under final interoperability rules
Senior Manager, Health Research Institute, PwC USMarch 13, 2020
Providers and payers say final rules released from CMS and the Office of the National Coordinator for Health Information Technology (ONC) this week do not settle their concerns about patient data privacy protections in a new environment where third-party app developers are accessing sensitive health data outside of the Health Insurance Portability and Accountability Act (HIPAA).
The new interoperability rules require healthcare organizations to make patient health information available through application programming interfaces, or APIs, so that patients can access their health data through smartphone apps and other tools.
While providers and payers are accustomed to operating in a world where patient data is protected by HIPAA, third-party app developers are not covered by HIPAA unless they are acting as business associates of a covered entity. In situations where a patient is giving an app developer permission to access personal health information kept by a provider or payer, the app developer is not acting as a business associate of the provider with the electronic health records but is acting on behalf of the consumer.
While the covered entity must protect the information in transit, “once these data are transmitted and no longer under the control of the covered entity or business associate, those entities no longer have any obligations under HIPAA for the privacy and security of the [personal health information], because these data are no longer subject to HIPAA,” CMS wrote in the final rule.
The rule allows payers and providers to educate consumers on their websites and elsewhere of the potential risks of data transfers with third parties outside of HIPAA. They can caution consumers to be sure they understand any secondary data use policies the app may have. But “such efforts generally must stop at education and awareness or advice regarding concerns related to a specific app,” the rule states.
HRI impact analysis
In this app-enabled landscape, the rule puts the onus on consumers to be educated and understand what they are agreeing to when they click yes to the terms and conditions of an app. Though the rule may say covered entities are not responsible once the data is transmitted to the third party, healthcare organizations still have an interest in protecting their relationships with patients and their reputations.
This raises questions of when, where and how payers and providers are to properly educate patients and inform them of the risks of sharing their data. It’s not clear that consumers would make the legal distinction about a provider or payer’s role should patients find their sensitive health information misused.
And in the wake of high-profile stories of healthcare data being shared with big technology companies, members of Congress have identified consumer data privacy as an area where they may take action.
As patient information is shared more widely with other providers, health plans and third parties, correctly identifying patients and matching them to the correct records becomes even more important. In the absence of a single, unique patient identifier in the US, healthcare entities have long struggled to match patients when different identifiers are used by other organizations with which they exchange data.
Healthcare organizations should review patient matching processes and develop different methods for crosswalking patient identifiers or demographic information, so they don’t inadvertently share the wrong patient information with an app developer when a patient requests data through an app.
While both payer and provider organizations say they generally support greater patient access, industry groups said the final rules do not do enough to protect consumers. “The rule lacks the necessary guardrails to protect consumers from actors such as third party apps that are not required to meet the same stringent privacy and security requirements as hospitals,” Rick Pollack, president and CEO of the American Hospital Association, said in a statement. “This could lead to third party apps using personal health information in ways in which patients are unaware.”
Matt Eyles, president and CEO of America’s Health Insurance Plans, said patients want their information to be both clear and customized, but also to be protected. “We remain gravely concerned that patient privacy will still be at risk when health care information is transferred outside the protections of federal patient privacy laws,” he said in a statement. “Individually identifiable health care information can readily be bought and sold on the open market and combined with other personal health data by unknown and potentially bad actors.”