IT experts urge stronger oversight of patient data in the Wild West of consumer apps

A leading organization for chief information officers in healthcare is urging Congress to take action to protect patients' data privacy as proposed federal rules aim to open up medical data to third-party apps.

In a letter sent to Reps. Fred Upton, R-Michigan, and Diana DeGette, D-Colorado, on Monday, the College of Healthcare Information Management Executives (CHIME) warned that a proposed interoperability rule does not provide sufficient safeguards to prevent patients' sensitive information from being misused by consumer apps.

The lines between health data and consumer data in the proposal from the Office of the National Coordinator for Health IT (ONC) are too blurred, CHIME said.

"It is imperative that Congress continue its oversight of privacy and security issues that fall outside of the Health Insurance Portability and Accountability Act (HIPAA) regulatory framework," the organization said.

CHIME represents more than 3,200 CIOs and other senior healthcare IT leaders. The letter was in response to calls from Upton and DeGette for feedback on "Cures 2.0," a second iteration of the 21st Century Cures Act.


Smartphone apps collect data on patients' visits to doctors' offices and cancer specialists by recording location and payment data, according to CHIME. "That data is then aggregated and sold to third-party data brokers, making (a patient's) extremely sensitive illness known to faceless companies and people."

ONC's interoperability and information blocking rule is now under review at the Office of Management and Budget (OMB), the last step before publication. The rule, which was mandated by the 21st Century Cures Act, outlines seven exceptions to the prohibition against information blocking and provides standardized criteria for application programming interface development.

Under ONC's proposed rule, in its current form, third-party apps and the technology companies that manage app ecosystems are not required to comply with information blocking policies, according to CHIME.

"Unless these policies are changed, a big chunk of the healthcare sector like providers and EHR (electronic health record) vendors will have to abide by one set of rules governing promoting the sharing of patient information, and third-party apps and those managing the app ecosystem will not. This will create an unlevel playing field and further perpetuate the notion that healthcare apps are the Wild West," CHIME said.

Despite calls by many industry groups to slow down and issue a supplemental notice of rule-making instead, ONC appears to be moving ahead with finalizing the rule. The rules were submitted to OMB as final rules, not interim final rules.

"Given the speed with which CMS and ONC are moving to further facilitate patient access to their data via APIs, we worry that appropriate oversight must be in place to govern how patient data is not just accessed by third parties but also how it is being used," CHIME said.


The organization also is concerned that many patients have the false impression that data released to third-party apps are still protected under the HIPAA rules. HIPAA applies only if the app is offered by a HIPAA-covered entity or by a business associate acting on its behalf; once a patient directs data to an independent consumer app, HIPAA's privacy and security rules no longer govern that copy of the data.

The organization urged congressional leaders to ramp up oversight on how healthcare data are collected and used by consumer apps.

"We are particularly concerned that as more citizens share their healthcare data with third parties, that data could be mishandled, including being sold to data aggregators and used to discriminate against consumers in the future. Given the volume of data in question and the fact that this is sensitive healthcare data, this is cause for concern," CHIME wrote.

Calls to modernize HIPAA

A number of other health IT leaders and organizations are calling for legislators to address healthcare data privacy. 

In a blog post in Health Affairs, health IT policy experts Lisa Bari and Daniel O'Neill proposed that Congress modernize HIPAA by extending the law to cover any company that handles consumers' sensitive health information. Bari served as the health IT and interoperability lead at the Centers for Medicare & Medicaid Services' Innovation Center. O'Neill recently served as a policy fellow on the professional staff of the Senate HELP committee.

Social media platforms, wearable fitness trackers and apps to manage pregnancy and mental health all collect health data that can be shared for advertising purposes and appended to medical records and other consumer information, Bari and O'Neill wrote.

"With rapid growth in the range and volume of patient data, which is available in digital form, the limits of the HIPAA framework—now almost a quarter-century old—merit legislative attention. Without clear guardrails, public trust may crumble in the face of repeated scandals and so undermine the potential for digital health to facilitate an era of more accessible, coordinated, and personalized care," they wrote.