Privacy group issues warning about danger to patient information

Allowing unregulated apps to access patient health information could expose that information to parties for whom it was never intended

The Confidentiality Coalition and the Workgroup for Electronic Data Interchange sent a letter to the Commerce and HHS Secretaries outlining their concerns with allowing unregulated third-party apps to access patient health information.

The Confidentiality Coalition is composed of a broad group of hospitals, medical teaching colleges, health plans, pharmaceutical companies, medical device manufacturers, vendors of electronic health records, biotech firms, employers, health product distributors, pharmacies, pharmacy benefit managers, health information and research organizations, patient groups, and others founded to advance effective patient confidentiality protections.

While the Health Insurance Portability and Accountability Act safeguards a specific subset of “protected health information,” the law applies only to traditional health care covered entities (CEs) and their business associates. A vast amount of health-related information does not fall within the HIPAA regulatory framework and is largely unprotected from misuse.

The coalition is urging the Departments of Commerce and Health and Human Services to take action to protect patients from inappropriate disclosures of their health information. Specifically, the letter asks the departments to:

  • Release additional guidance on the types of third-party app security and privacy verification that will be permitted and allow CEs themselves to undertake an appropriate level of review of a third-party app before permitting it to connect to their APIs.
  • Require entities that are not HIPAA CEs or business associates to clearly stipulate to the individual the purposes for which they collect, use, and disclose identifiable health information and require that these individuals be given clear, succinct notice concerning the collection, use, disclosure, and protection of individually identifiable health information that is not subject to HIPAA.
  • Work with the private sector in the development of a privacy and security accreditation or certification framework for third-party apps seeking to connect to APIs of certified health IT. Once established, CEs should be permitted to limit the use of their APIs to third-party apps that have agreed to abide by the framework. Such a program would not only foster innovation, but also establish improved assurance to patients of the security of their information.
  • Apply similar security requirements in the private sector as CMS applies to its Blue Button 2.0 and DPC initiatives, requiring all third-party apps seeking to access PHI via provider or health plan APIs to prove adherence to a strict set of privacy and security guidelines or successfully complete a CMS-approved security certification.

“We believe that for health care data exchange to occur in an interoperable manner as called for under the 21st Century Cures legislation, there must be a consistent and high level of trust among all participants, including entities that are not legally a CE or bound by a BAA,” the letter reads in part. “The deployment of effective federal policies is critical to assist in facilitating this trust framework.”