rvlsoft - Fotolia

Patient privacy at heart of new debate for data sharing rules

EHR vendor Epic is stirring the privacy and data access debate once again as proposed rules from ONC and CMS are under review at the Office of Management and Budget.

The debate on patient privacy versus data access has reared its head once again as finalization of data sharing rules from the U.S. Department of Health and Human Services stretches on.

At the start of the Office of the National Coordinator for Health IT's annual meeting, one of the largest EHR vendors in the U.S. raised questions about how the data sharing rules will protect patient privacy.

Epic said it "strongly agrees" with federal regulators that patients should have better access to their health data, but it believes the proposed rules introduce new risks to patient privacy that need to be addressed, according to a statement posted on its website.

But a prominent coalition of high-profile tech companies, health systems, EHR vendors and health plans, as well as more than 100 patients and caregivers, are insisting the rules be finalized as soon as possible. In a letter to ONC, patient advocates say Epic is responsible for making patient data accessible and that patient privacy should be left to the patient.

Epic's privacy concerns

There are two rules currently under review by the Office of Management and Budget (OMB). The first is an interoperability and patient access rule from the Centers for Medicare and Medicaid Services. The second is an interoperability and information blocking rule from ONC. Drafts of both rules were released last March and were expected to be finalized by November.

ONC's interoperability rule would require healthcare systems to use APIs to make sharing patient data easier.

But Epic claims that "requiring health systems to send patient data to any app requested by a patient" creates new privacy risks that haven't been addressed, according to its statement. The vendor cited a study that found 79% of healthcare apps resell or share data; it also believes the rules could lead to the misuse of patient data such as apps taking more data than a patient intended.

The rules include no regulation that requires patients to approve how apps use their data. Before the rule is finalized, Epic said ONC needs to revisit the transparency requirements, and establish privacy protections for apps that gather patient data.

In response, the Society for Participatory Medicine, a nonprofit organization that wants to help patients become more engaged, collaborative participants in their care, sent a letter to ONC signed by more than 100 patients that suggested Epic is not responsible for defining who can access patient data. Instead, the EHR vendor's job is to make data accessible.

"They have built prosperous businesses, in part with our hard-earned taxpayer billions, and they need to be required to at least give us our data, using modern technology, in modern, simple fashion, and let us, the person whose care it enables, decide where the information needs to be sent," the letter stated. 

Matthew Fisher, partner, Mirick O'Connell Attorneys at LawMatthew Fisher

Matthew Fisher, partner at Mirick O'Connell Attorneys at Law and chairman of its health law group, agreed, saying that while healthcare companies might be concerned about the privacy component of the rules, ultimately it's an individual's responsibility to understand how the tools they're using will make use of their data.

Other industry stakeholders also voiced support to move the health data sharing rules forward. The CARIN Alliance is a group of 85 industry stakeholders including Google, Apple, Microsoft, Cerner and NewYork-Presbyterian that advocate for patient data access.

It may disagree with how the rules should be implemented, but in a statement said that "it will be to the benefit of all stakeholders to finalize the rules so the industry can work on implementation while continuing to work with the public sector to improve the rules over time."

Jeffery Smith, vice president of public policy, AMIAJeffery Smith

Jeffery Smith, vice president of public policy for the American Medical Informatics Association, described the newly sparked debate as last-minute jockeying and positioning.

Smith believes Epic's stance is a last-ditch effort to sway opinions, but likely won't make much of a difference.

HHS is behind the main thrust of what the rule would do and presumably is supportive of a lot of the way that ONC wants to do it.
Jeffery SmithVice president of public policy, AMIA

"HHS is behind the main thrust of what the rule would do and presumably is supportive of a lot of the way that ONC wants to do it," Smith said.

What will happen next

Fisher said it's difficult to assess when the rules could be finalized but that he wouldn't be surprised if ONC pulled them back for modification.

"What I would expect, and what it feels like the movement from all the open debate that's occurred over the past week, would be to try and get it pulled back from OMB so that way ONC or others within HHS would reconsider and update or modify what's going to be the final rule and then resubmit to OMB," Fisher said.

Once they are finalized, amendments and modifications will have to go through the same process for approval. If there is dissatisfaction with the rules, ONC may temporarily delay enforcement, but otherwise, industry players will be expected to follow them.  

Dig Deeper on Federal healthcare regulations and compliance

Cloud Computing
Mobile Computing