Federal lawmakers are taking a hard look at how the VA protects patient data shared with VA-approved health apps.
As more health data is shared with technology companies and mobile apps, it raises concerns about potential privacy and security risks for veterans, according to federal lawmakers charged with oversight of the Department of Veterans Affairs' IT modernization efforts.
The VA's App Store includes close to 50 smartphone apps designed to help veterans manage their healthcare.
Many of these apps required "significant elevated permissions" and request access to a user's contacts, calendars, photos, and other files, and that raises questions around privacy, said Susie Lee, D-Nevada, chairwoman of House Veterans' Affairs Subcommittee on Technology Modernization during an oversight hearing Wednesday.
Lee said she's concerned that smartphone apps could access users' sensitive health information, such as a post-traumatic stress disorder (PTSD) diagnosis, that could be shared or sold by third-party companies and lead to workforce discrimination or other negative consequences for veterans.
Ranking Member Phil Roe, R-Tenn., said one VA-recommended app designed to provide support to veterans with PTSD requests permission to access the smartphone user's contacts and microphone. "That's disturbing to me. You might inadvertently hit that," he said.
He added, "I look at a risk-benefit ratio. Is this information shared? Is it accessible? Is it sold?"
Paul Cunningham, the VA's deputy assistant secretary and chief information security officer (CISO), testified that the department has to make "risk-based decisions" over the value of the app while balancing security and privacy.
"We’re trying to solve this problem around access to data. If we go strictly by compliance and zero tolerance, we miss out on opportunities that technology brings if we're not able to share information with third parties that are trusted," he said.
Health systems are grappling with the same issues around app privacy, as the Department of Health and Human Services (HHS) will soon finalize a regulation that will allow patients to download their health data using third-party apps.
The VA is the process of implementing a multi-billion dollar IT modernization project, including a new electronic health record (EHR) system from health IT vendor Cerner.
The Mission Act also is expanding the number of VA patients seeking treatment from community care providers which requires more data sharing. The VA needs to ensure that privacy and security policies keep pace with new technology, Lee said.
"As we assess the data landscape at the VA and the larger health IT space, we need to look at where protections exist or don't exist and whether we need more guardrails," Lee said.
Cunningham said the VA has policies and practices to ensure that access to veterans' information is strictly controlled. Apps that connect to an application programming interface (API) from the VA and are part of VA's App Store must sign a "comprehensive and strict' user agreement that sets limits to how health data can be used, he said.
The VA's acceptable use agreement includes a commitment not to sell patient data.
Cunningham told lawmakers that VA does not "police" the networks of third parties, but the department would take "swift action' to investigate if a breach was discovered.
Like many in the healthcare industry, Cunningham acknowledged that he has concerns about how third-party companies not regulated by the Health Insurance Portability and Accountability Act (HIPAA) use health data and the potential privacy risks for veterans.
"It's difficult to make sure that people really understand when they accept an app that they understand the full access they are granting and how that information will be used downstream," he said.
Privacy policies used by apps can be thousands of words long and many consumers do not read them, Lee noted.
Key lawmakers are considering whether federal laws like HIPAA need to be updated to better protect veterans' sensitive health information.
Rep. Jim Banks, R-Indiana, ranking member of the committee, wants to see the HIPAA privacy rule updated to prevent health data from being monetized.
"Today some of the HIPAA-permitted purposes to asses patient records when applied in a new context, could become loopholes," he said. "The health technology landscape is evolving quickly. Mobile apps already have taken over the software marketplace. In a few years, most health records will be stored in the cloud. Privacy safeguards have to evolve as well."