As the U.S. Department of Health and Human Services prepares to increase patient access to personal health data, healthcare experts warned Congress that privacy concerns are growing as more health data is shared.
Witnesses told members of the U.S. Senate Health, Education, Labor and Pensions Committee at a March 26 hearing that as patients gain access to health records, they are also more vulnerable to data being sold or shared by third-party companies not regulated by the Health Insurance Portability and Accountability Act.
Lucia Savage, chief privacy and regulatory officer for Omada Health Inc., a designer and developer of digital programs to help identify chronic diseases, said HIPAA laws prevent Omada and other companies from sharing or selling data in an identifiable way. However, Savage said third-party companies developing health apps may not be governed by HIPAA laws that restrict how data can be used.
Savage — who was the chief privacy officer at the Office of the National Coordinator for Health Information Technology, or ONC — added that consumers may not understand which apps or companies HIPAA regulates.
"It's a very confusing place for consumers ... it's too much information for them to understand," Savage said. "People definitely think that rules apply when they don't."
Policies and rules can be understood by doctors and healthcare professionals, but consumers also need to be understood easily by consumers, Savage said when questioned about needed changes.
The hearing was called to examine two proposed rules from the ONC and the Centers for Medicare and Medicaid Services that plan to increase patients' access to personal health information.
CMS will require multiple government health insurance programs, such as Medicaid and Medicare Advantage, to provide enrollees with immediate access to their health records. The rule would take effect in 2020 and impact 125 million people, according to CMS Administrator Seema Verma. ONC's rule will allow patients to easily access health records and other health information on smartphones and mobile devices with no cost.
Committee Chairman Sen. Lamar Alexander, R-Tenn., said during his opening statement that easing access to health data through the proposed rules will help both patients and doctors.
"This will be a huge relief to any of us who have spent hours tracking down paper copies of our records and carting them back and forth to different doctors' offices," Alexander said.
Mary Grealy, president of the Healthcare Leadership Council, a coalition of CEOs from across the healthcare industry, said that the two proposed rules "incorporate new, innovative products," but the new products are not covered under HIPAA. Grealy echoed Savage's concerns about protecting the privacy of patients' health data.
"We need to ensure a thoughtful approach in how those entities currently covered by HIPAA share information with new entities to ensure the safeguarding of sensitive — and valuable — personal information," Grealy said in her submitted testimony.
Grealy requested a 30-day extension on the public comment period for both proposed rules, which are open for public comment until May 3.
Interoperability key challenge
Ben Moscovitch, project director of health information technology at the Pew Charitable Trust, said electronic health records struggle with interoperability when different computer systems communicate and share information with each other.
When different providers are communicating about the same patient, electronic health records will only be matched up about 50% of the time, according to Moscovitch. Using a postal address or email address, which most electronic health records have and do not use for identification, could be a more efficient way of matching patients, Moscovitch said.
Moscovitch praised provisions of the two proposed rules, but added that easing data extraction from systems and increasing the usability of electronic health records is still needed.