New Data Rules Could Empower Patients but Undermine Their Privacy
In a move intended to give Americans greater control over their medical information, the Trump administration announced broad new rules on Monday that will allow people for the first time to use apps of their choice to retrieve data like their blood test results directly from their health providers.
The Department of Health and Human Services said the new system was intended to make it as easy for people to manage their health care on smartphones as it is for them to use apps to manage their finances.
Giving people access to their medical records via mobile apps is a major milestone for patient rights, even as it may heighten risks to patient privacy.
Prominent organizations like the American Medical Association have warned that, without accompanying federal safeguards, the new rules could expose people who share their diagnoses and other intimate medical details with consumer apps to serious data abuses.
Although Americans have had the legal right to obtain a copy of their personal health information for two decades, many people face obstacles in getting that data from providers.
Some physicians still require patients to pick up computer disks — or even photocopies — of their records in person. Some medical centers use online portals that offer access to basic health data, like immunizations, but often do not include information like doctors’ consultation notes that might help patients better understand their conditions and track their progress.
The new rules are intended to shift that power imbalance toward the patient.
They will for the first time require doctors and medical centers to send a core set of medical data directly to third-party apps, like Apple’s Health Records, after a patient has authorized the information exchange. In addition to lab test results and vital signs, the data will include clinical notes about a patient’s surgeries, hospital stays, imaging tests and pathology results.
Dr. Don Rucker, the federal health department’s national coordinator for health information technology, said access to medical data through consumer apps would give people more detailed insights into their health and greater choices over their health care. He compared it to ride-hailing apps like Uber and Lyft that let consumers make pricing choices in advance.
“We as patients have not gotten really anywhere near the benefits from modern computing that we could or should get,” Dr. Rucker said. “The ability of smartphones to take the care with you, to be continuous, to be engaging, is going to allow totally different ways of thinking about chronic illness.”
Jackie Nelson, a retired police evidence officer in Ormond Beach, Fla., said she hoped the new rules would eliminate the kinds of obstacles she recently experienced. When she moved from Texas, she said, her doctor there asked her to pay an exorbitant fee — more than a thousand dollars — to provide her with a copy of her medical records.
“People like myself, I’m a senior, I’m on Social Security — I don’t have a thousand dollars to pay for my records,” said Ms. Nelson, who is managing multiple health conditions. She said she hoped the new data-access rules would “stop doctors from withholding” patients’ data and “make the doctor accountable for what they are doing.”
Health regulators are opening patient access to their medical records against a backdrop of a virtual gold rush for Americans’ health data by hundreds of companies. So many entities have access to Americans’ medical records — including identifiable medical data and pseudonymous files that track people by ID codes — that it can seem easier for third parties to acquire patient data than patients themselves.
Dozens of professional medical organizations and health industry groups have pushed back against the rules, warning that federal privacy protections, which limit how health providers and insurers may use and share medical records, no longer apply once patients transfer their data to consumer apps.
“Apps frequently do not provide patients with clear terms of how that data will be used — licensing patients’ data for marketing purposes, leasing or lending aggregated personal information to third parties, or outright selling it,” Dr. James L. Madara, the chief executive of the American Medical Association, wrote in public comments to health regulators last year. “These practices jeopardize patient privacy.”
Dr. Rucker, the health department’s technology coordinator, said the new rules take patient privacy into account. When patients initiate the data-sharing process with apps, he said, their providers will be able to inform them about privacy risks.
But even federal health regulators acknowledge the privacy risks. An infographic on patient data rights on the health agency’s website warns: “Be careful when sending your health information to a mobile application” because health providers are “no longer responsible for the security of your health information after it is sent to a third party.”
The rules introduced on Monday are part of a federal effort to centralize medical data online in the hopes of helping doctors get a fuller picture of patient health and enabling patients to make more informed treatment choices.
One of the rules requires vendors of electronic health records to adopt software — known as application programming interfaces, or A.P.I.s — to enable providers to send medical record data directly to patient-authorized apps. Another rule similarly requires Medicare and Medicaid plans to adopt A.P.I.s. That software will enable people to use apps to get their insurance claims and benefit information.
Health providers and health record vendors will have two years to comply with the A.P.I. requirements. Electronic health record vendors that impede such data-sharing — a practice called “information blocking” — could be fined up to $1 million per violation. Doctors accused of information blocking could be subject to federal investigation.
Health technology executives welcomed the new requirements, but said the initial data set available to patients through apps would be limited to more basic information like prescription drug history — and not data like radiology images.
“It’s a decent amount of data if you’re relatively healthy and you just want to check on what your lab test results were,” said Deven McGraw, the chief regulatory officer at Ciitizen, a start-up that helps people obtain and centralize medical records from multiple providers. “But it’s not enough data if you’re really sick and you need that record.”
But people who choose to send their sensitive medical data to consumer apps will largely be left on their own as far as patient privacy is concerned. While Apple has said its Health Records app does not have access to users’ medical information because it is encrypted and stored locally on their iPhones, other apps may share or sell patient data.
Dr. Rucker, the health regulator, said people would choose the health data app brands they trusted.
“Just like with banks, just like with brokerage firms, people will go to organizations they trust with their data,” he said. “We don’t put our money into, you know, some guy running a bank out of a pickup truck on the corner. We go to someone who has a clear brand.”