Capitol Correspondence - 07.15.19

HIPAA and Privacy Concerns Emerging as HHS Starts Drafting Data-Sharing Rules

ANCOR is sharing this article by Politico Pro because software applications are increasingly becoming relevant to supports for people with intellectual / developmental technologies, making data-sharing and the ensuing HIPAA concerns an important issue for the disability community. Readers interested in ANCOR’s work on HIPAA can learn more here.

As written by Politico Pro:

“Hospital executives, with some support in Congress, are lobbying for more regulation to protect health information from unscrupulous data mongers. But HHS is pushing forward with rules that leave that responsibility in patients’ hands.

As federal rule-makers grapple with making patient data more easily shareable, some health leaders fear that their actions could lead to a proliferation of apps selling or exploiting medical data. They worry that patients are likely to sign away their rights to data — perhaps including detailed family histories — without realizing what they’re doing.


At the same time, it’s not reasonable to expect providers to vet health apps for patients, “as it is neither a priority, a mandate, nor an area where they are likely to have domain expertise,” [Steven] Lane said. [Steven Lane is a member of the Office of the National Coordinator on Health Information Technology (ONC HIT)]. EHR vendors often test apps before offering them in their app stores. But it will be hard for providers to do that on their own, especially when patients are sending data to apps they’ve discovered independently, he said.


HHS agencies haven’t finished making the information-block rule and others stemming from the 21st Century Cures Act that will set the guidelines for data sharing policies. However, they’ve clearly favored the view that patients have both the right to get their data and the responsibility to make sure it isn’t abused.

Patient data advocates generally agree and caution against too much paternalistic oversight that could delay data access. Patients regularly download apps outside of health care, and they can be trusted to read and agree to privacy policies on their own, they say.


The ONC rule and another at CMS require insurers and health care providers to adopt a common data standard known as FHIR, which could make it easier for patients to export their data into other apps. [ANCOR note: see CMS press release on ONC rule here.]


A CMS spokesperson said the agency is sorting through privacy-related comments on its draft rule.

CMS’ Blue Button 2.0 program, which lets Medicare beneficiaries download and share their own claims data, might serve as a model for oversight. CMS vets apps that access data through Blue Button and only authorizes those that use plain language to communicate risks, according to the agency.”