Administration Finalizes Rule on Freeing Up Patient Data

As a follow-up on this previous article, we are sharing Politico Pro’s reporting on the Department of Health and Human Services’ (HHS) new guidelines on sharing medical records with patients. While this is mostly aimed at medical practitioners, we are sharing this update because our members are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), which contains provisions protecting individual health data – including medical records. While it is unclear how the proposal reported on by Politico Pro will interact with HIPAA, it is important for our members to be aware of this policy conversation, particularly as the use of electronic health records is likely to become more widespread in various sectors over time.

As reported by Politico Pro:

“The Trump administration on Monday unveiled its plan to make it easier for patients to download their own health and insurance records to their smartphones — an effort that’s triggered privacy concerns and intense lobbying from the tech industry.

The rules force insurers and hospitals to make patients’ information easily shareable using common data standards.

[…]

Both rules appeared to incorporate new privacy and security measures requiring developers to attest to responsible data practices and directing apps to get patient consent.

In one instance of the Trump administration heeding industry requests, it will allow six months before it begins enforcing information blocking rules. Multiple hospital groups had requested more time to comply.

The rules also require electronic health record vendors to use common standards to be federally certified. Hospitals will be required to send electronic notifications to primary care providers when patients are admitted, discharged or transferred.

One of the rules, from the Office of the National Coordinator for Health Information Technology, outlines several situations in which blocking data transfer is allowable, including instances when releasing that information would harm the patient. The other, from CMS, sets standards for insurers.

Draft versions of the rules published last year drew fierce opposition from health IT vendors such as Epic, who said they were too burdensome and lacked adequate patient privacy protections. Lobbying groups such as the Health Innovation Alliance urged HHS to scrap the rules and start over.

Some providers also warned of privacy risks to patients, pointing out that records are no longer protected by HIPAA, the landmark medical privacy law, as soon as they leave the software system of the doctor or hospital. Apps developed by outside groups would be free to sell sensitive health information or use it for marketing and advertising purposes, they say.

But key health industry players were divided over the rules. Hospitals like the University of California, San Francisco and some EHR vendors expressed support for the rules. On Friday, Cerner CEO Brent Shafer wrote in a blog post that ‘the passage of these rules has become needlessly controversial, opposition stemming largely by businesses that have financial interests at stake,’ and said polling indicated doctors anticipated positive effects from the rules.

Patient advocates had called for swifter action, saying that withholding data could deprive them of life-saving information about their own care. They also argued that patients are savvy enough to make their own decisions about health data sharing.

Nevertheless, a gap still remains in privacy laws, leaving health data much more loosely regulated as soon as it leaves hospitals’ control. Privacy hawks worry that those risks could become exacerbated as the new rules boost patients’ data-sharing.

HHS officials have floated the possibility that the Federal Trade Commission could enforce certain privacy violations. But the FTC’s enforcement capacity is only indirect: if app developers misrepresent their privacy practices, they could be on the hook for their deceptive practices.”