ONC focused on privacy and usability in new app-based healthcare ecosystem

ONC's "open API" rulemaking will include specific security requirements for providers and vendors. (Getty/marchmeena29)

The Trump administration’s top health IT official told lawmakers his agency is acutely focused on ensuring that privacy and security remain pillars of future rulemaking as the healthcare industry transitions to an app-based economy.

Lawmakers in the House Energy and Commerce Subcommittee on Health pressed Donald Rucker, M.D., who leads the Office of the National Coordinator for Health IT (ONC) at the Department of Health and Human Services (HHS) to explain how the agency plans to protect consumers from rogue actors stealing their health data. Rucker acknowledged that the agency must walk the line between privacy and accessibility, but said he was “extremely optimistic” that provisions of the 21st Century Cures Act would improve interoperability and allow patients to access health data on their smartphone.

Tuesday’s hearing came as the industry awaits a proposed rule from ONC on information blocking. That rule is currently under review at the Office of Management and Budget (OMB), which left Rucker constrained in many of his answers.

He said he didn’t have a specific date for the release of the rules, adding that he’s “optimistic it will be soon, but these are folks that aren’t under my control.”


A big part of those rules will be the agency’s approach to open APIs, outlined in the Cures Act as a way to exchange and access health data through the use of apps “without special effort.” Rucker joked that the term “open APIs” should be changed to “very secure APIs” to avoid any impression that the apps would not incorporate security.

He said the proposed rule will include specific API security requirements for both providers and EHR vendors.

“It’s the difference between the door that is open and the door on a bank vault,” Rucker said. “We’re talking about the door on the bank vault.”

But he also added that ONC is focused on not creating healthcare-specific privacy standards that prevent health IT from keeping pace with modern technology. Authentication through cell phones, for example, has become a widely used and highly effective practice for financial institutions.

“We’re very conscious on having the best security tools out there and not inadvertently do any policies that prevent that,” he added.

He also praised HIPAA, calling it a "very powerful and very straightforward rule that sets a very nice boundary on privacy." He said ONC doesn't need any changes to the health privacy law in order to move forward with Cures mandates.


The agency is also ensuring that the authentication process is very “conscientious,” so that users understand what they are approving, what specific information is being transferred, and who has access to it, rather than “accidentally clicking through” consent agreements as they do on most consumer apps.

While the proposed rules might set the stage for broader usage and availability of healthcare apps, they don’t ensure consumers will use them. Rucker said he knows from his past experience as a software developer that “the only thing that counts is how easy it is to use.”

The proposed rules, he added, are geared toward giving the private sector the latitude to meet those usability demands. But the first step—aligning healthcare with the modern tech the rest of the world uses—will open up new possibilities for consumers and providers.

“That allows healthcare to ride the development of the rest of the app economy,” he said.

Editor's Note: The original version of this story incorrectly stated the number of rules under review by OMB from ONC.