Hospital executives, with some support in Congress, are lobbying for more regulation to protect health information from unscrupulous data mongers. But HHS is pushing forward with rules that leave that responsibility in patients’ hands.

As federal rule-makers grapple with making patient data more easily shareable, some health leaders fear that their actions could lead to a proliferation of apps selling or exploiting medical data. They worry that patients are likely to sign away their rights to data — perhaps including detailed family histories — without realizing what they're doing.

“There’s going to be new apps coming online every single day,” said Steven Lane, clinical informatics director of Sutter Health and a member of ONC's HIT Advisory Committee. Patients should be able to access their data, but "most patients who are using these tools don’t fully understand the privacy implications.”

At the same time, it's not reasonable to expect providers to vet health apps for patients, "as it is neither a priority, a mandate, nor an area where they are likely to have domain expertise," Lane said. EHR vendors often test apps before offering them in their app stores. But it will be hard for providers to do that on their own, especially when patients are sending data to apps they've discovered independently, he said.

Federal guidelines establishing exactly what health apps can do with patient data, and how they should obtain consent from patients, could be helpful, argue Lane and other advocates for more privacy oversight. When they export their data into an outside app, patients need to know that it will no longer be protected by HIPAA, and that the data "could be sold, and could be re-purposed, and could be aggregated and disaggregated," Lane said.

Patients may not understand the boundaries of HIPAA, said Leslie Krigstein, a vice president of the College of Healthcare Information Management Executives. CHIME backs a section of the Lower Health Care Costs Act of 2019 calling for a GAO report on privacy protections for health data, and has urged Congress to ensure that health data shared with third-party apps is secure and private.

Epic Systems founder Judy Faulkner told POLITICO in an interview earlier this year that she worries data flowing from EHRs into such apps could get into the wrong hands. The EHR Association commented to ONC that "puzzling" parts of its information-blocking proposal could confuse "average clinicians, working in independent physician practices without budgets to hire advanced legal guidance to help them understand."

HHS agencies haven't finished making the information-blocking rule and others stemming from the 21st Century Cures Act that will set the guidelines for data sharing policies. However, they've clearly favored the view that patients have both the right to get their data and the responsibility to make sure it isn't abused.

Patient data advocates generally agree and caution against too much paternalistic oversight that could delay data access. Patients regularly download apps outside of health care, and they can be trusted to read and agree to privacy policies on their own, they say.

“These concerns cannot be allowed to stand in the way of patients easily getting their health information, which is their right,” said Deven McGraw, a former HHS Office for Civil Rights official who is now chief regulatory officer at Ciitizen, a company that helps patients collect and organize health data.

The Office for Civil Rights, which enforces HIPAA, has stated that providers aren't responsible for what third-party apps do with patient data if the patient agrees to share it, McGraw noted. Under FTC rules, apps are required to abide by clear privacy policies and to report security breaches, she said. “It is not the case that there is no cop on the block."

One Senate bill could ease some pressure on providers who feel an ethical obligation to ensure that patients aren't sharing their data irresponsibly. Last month Sens. Amy Klobuchar and Lisa Murkowski introduced the Protecting Personal Health Data Act which would require HHS to establish regulations for consumer apps and genetic testing kits to protect patient data privacy and security.

But it could be years before this results in enforceable regulations, so providers concerned about privacy should support comprehensive federal legislation, McGraw said.

The ONC rule and another at CMS require insurers and health care providers to adopt a common data standard known as FHIR, which could make it easier for patients to export their data into other apps.

ONC's proposal, which clarifies when groups are allowed to restrict data sharing, affords the patient "agency over their own health information that is often absent in health care,” ONC head Donald Rucker said in written testimony to the Senate HELP committee in May. Patients "should have the ability to decide whether the potential benefit of an app to manage their health care information and medical conditions outweighs potential risks."

A CMS spokesperson said the agency is sorting through privacy-related comments on its draft rule.

CMS' Blue Button 2.0 program, which lets Medicare beneficiaries download and share their own claims data, might serve as a model for oversight. CMS vets apps that access data through Blue Button and only authorizes those that use plain language to communicate risks, according to the agency.

Industry is taking some action to establish privacy guidelines. The CARIN Alliance, which includes health care providers, has developed a voluntary privacy code of conduct for developers not covered by HIPAA.

For the time being, some providers are doing their own vetting. UT Health Austin, for instance, did "extensive deep compliance and privacy assessments" of Apple before rolling out the Apple HealthKit, which lets users share certain data with developers, said Aaron Miri, UT Health's chief information officer. "It’s incumbent on all health care delivery organizations to be good 'sherpas.'"

Health systems can try to educate patients about the risks of sharing downloaded data, said Cedars-Sinai CIO Darren Dworkin. “At the end of the day we’re entering a brave new world in which patients will choose what they want to do with their information and how they want to share it," he said.