Patient Controlled Health Data: Balancing Regulated Protections with Patient Autonomy

September 3, 2019

Cross Posted on The Health Care Blog

A patient can, under the Health Insurance Portability and Accountability Act (HIPAA), request a copy of her medical records in a “form and format” of her choice “if it is readily producible.” However, patient advocates have long complained about a process which is onerous, inefficient, at times expensive, and almost always on paper. The patient-driven healthcare movement advocates for turnkey electronic provisioning of medical record data to improve care and accelerate cures.

There is recent progress. The 21st Century Cures Act requires that certified health information technology provide access to all data elements of a patient’s record, via published digital connection points, known as application programming interfaces (APIs), that enable healthcare information “to be accessed, exchanged, and used without special effort.” The Office of the National Coordinator of Health Information Technology (ONC) has proposed a rule that will facilitate a standard way for any patient to connect an app of her choice to her provider’s electronic health record (EHR). With these easily added or deleted (“substitutable”) apps, she should be able to obtain a copy of her data, share it with health care providers and apps that help her make decisions and navigate her care journeys, or contribute data to research. Because the rule mandates the “SMART on FHIR” API (an open standard for launching apps, now part of the Fast Healthcare Interoperability Resources ANSI Standard), these apps will run anywhere in the health system.

Apple recently advanced an apps-based information economy by connecting its native “Health app,” via SMART on FHIR, to hundreds of health systems, so patients can download copies of their data to their iPhones. The impending rule will no doubt spark the development of a substantial number of additional apps.

Policymakers are grappling with concerns that data crossing the API and leaving a HIPAA covered entity are no longer governed by HIPAA. Instead, consumer apps and the data therein fall under oversight of the Federal Trade Commission (FTC). When a patient obtains her data via an app, she will likely have agreed to the terms and the privacy policy for that app, or at least clicked through an agreement no matter how lengthy or opaque the language. For commercial apps in particular, these are often poorly protective. As with consumer behavior in the non-healthcare apps and services marketplace, we expect that many patients will broadly share their data with apps, unwittingly giving up control over the uses of those data by third parties.

Some patients may wish to explore the nascent marketplace offering options to monetize their data. “Information altruists” and self-assembling patient groups will donate data to speed social and direct benefit through innovation and research. Notably, the monetary value of an individual record is generally low, with exceptions for patients having rare or complex conditions and histories.

How do we support a patient’s autonomy to use tools of her choice to improve her health and contribute to research, and provide her with options to share in the monetary value from downstream uses of her data, while also protecting her from predatory practices?

HIPAA does not adequately address the issue. While it does allow an app developer to become a business associate of a covered entity (such as a provider or healthcare institution), this arrangement only applies when an app is managing health information on behalf of the covered entity — whereas in a consumer-centric ecosystem, many apps will choose to have a relationship with a consumer directly. Importantly, the covered entity itself may be a conflicted party when the patient wishes to use an app that either (1) shares data with a competing health care provider or (2) competes with the functionality of the entity’s EHR. These conflicts could limit data flow across institutions and raise the barrier to entry for new, innovative apps.

Further, the HIPAA business associate framework does not prevent commercial use of patients’ data without consent. De-identified patient data on hundreds of millions of patients are already shared widely in healthcare, generally in ways that are opaque and not reported to the patients whose data have oftentimes been aggregated, sold, and used for profit, and sometimes in ways that enable downstream re-identification.

A federal task force recognized that enabling patient autonomy to share data comes with inherent risk, and largely left these trade-offs in the patient’s hands. We propose strengthening the federal role in protecting health data under patient-mediated data exchange, while maintaining patient choice.

  • Require the EHR, upon exposing data across the API to a patient, to provide a standardized summary, at a sixth-grade reading level, of an app’s privacy policy and terms of service, highlighting risks for consumers (such as the ONC model privacy notice) and indicating whether the app meets a specific bar (such as the CARIN code of conduct or a professional society or patient organization endorsement).
  • Establish best practices and federal standards for privacy policies and terms and conditions, relying on user-centered design as in large-scale federally funded research studies. Consider multimedia and semi-structured questionnaires (quizzes) to promote and confirm comprehension. Methods used to de-identify or aggregate data and their re-identification risk should be transparent, as should be intentions to commercialize the data.
  • Define a robust auditing process with oversight authority by either the Department of Health and Human Services Office for Civil Rights (OCR) or the FTC, regardless of how the data are obtained.
  • Define penalties for violation of the terms of service and demonstrate strong and public federal enforcement.
  • Develop a consumer hotline and website for complaints to the OCR or the FTC, and publicize those complaints.
  • Introduce legislation to protect patients from predatory uses of their health data. Consider as a model the Genetic Information Nondiscrimination Act of 2008, which prevents discrimination on the basis of genetic information in both health insurance and employment.

There are promising approaches available to protect a patient’s health data without limiting choice or creating a bottleneck to innovation by new and smaller entrants into the Health IT ecosystem. Now is the time to consider these carefully.

Kenneth D. Mandl, MD, MPH, is director of the Computational Health Informatics Program at Boston Children’s Hospital and the Donald A.B. Lindberg Professor of Pediatrics and Professor of Biomedical Informatics at Harvard Medical School. He can be found on Twitter @mandl.

Dan Gottlieb, MPA, is a clinical informaticist and software consultant working with the Harvard Medical School Department of Biomedical Informatics and Boston Children’s Hospital Computational Health Informatics Program on tools to empower patients and researchers. He can be found on Twitter @gotdan.

Joshua C. Mandel, MD, is a physician and software developer working to fuel an ecosystem of health apps with access to clinical and research data. He can be found on Twitter @joshcmandel.