In June 2019, CDT submitted comments on the proposed rule on interoperability and patient access issued by the Centers for Medicare and Medicaid Services (CMS) within the Department of Health and Human Services (HHS). The rule would require covered entities to provide access to patient records through an application programming interface (API) to third parties designated by the patient.
While CDT applauds the goal of giving patients better access to and ability to port their health information, we are concerned about the lack of privacy protections covering this sensitive information once it leaves the hands of an entity covered by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
Health information, once outside of the possession of a HIPAA covered entity, is largely unregulated with respect to privacy protections, leaving people vulnerable to having their sensitive personal information repurposed, misused, and exploited or disclosed to their detriment. The proposed rules seek to give effect to patients’ choice and control over their information, but the commercial market for health data does not provide people with real choice or control. The consumer app ecosystem obfuscates people’s ability to understand how various apps will use and share their data and to compare apps’ privacy practices. By requiring covered entities to provide access to electronic health information (EHI) with no clear use or sharing limitations, the proposed rules shift the burden of protecting health information to patients and leave them few legal tools to do so.
Rather than burdening patients with the impossible task of parsing apps’ data practices, HHS should use this interoperability initiative as an opportunity to incentivize better protections for health information outside of HIPAA. HHS can employ tools such as developer privacy agreements, assertions, and reporting mechanisms to hold non-covered entities accountable for their data practices. While these tools can help increase accountability, patients will not be able to safely and confidently transfer their health records outside of HIPAA-covered entities until Congress enacts comprehensive consumer privacy protections.