The American Hospital Association (AHA) has submitted extensive comments about the HHS’ Centers for Medicare and Medicaid Services’ hospital inpatient prospective payment system proposed rule for fiscal year 2019, voicing the concerns of its members. While many aspects of the proposed rule are covered, there is considerable concern over the requirement to permit any health app that a patient chooses to connect to healthcare providers’ APIs.
Mobile health apps can collect and store large quantities of personal and health information, including information protected by the Health Insurance Portability and Accountability Act (HIPAA). AHA points out that HIPAA does not normally apply to the developers of health apps, so health data gathered, saved, and transmitted by those apps might not be protected to the level HIPAA demands. When consumers enter information into these applications, they may not be aware that the measures in place to protect their privacy might be less strict than those implemented by their healthcare providers, even though it is the same information.
Of particular concern is the transfer of health data from healthcare providers to these apps. Patients may not be aware that their PHI is no longer considered to be PHI once it is stored in the app. App developers are not bound by HIPAA Privacy Rule requirements, and the restrictions on allowable uses and disclosures will no longer apply. That means health app developers will be permitted to share that data with third parties.
AHA recommends that CMS work closely with the OCR and the Federal Trade Commission to create a consumer education program that explains the following to patients:
- The distinction between PHI and health data in health apps
- That app developers may choose to share health data with third parties
- The importance of examining the privacy policies and terms and conditions of the apps to find out what is likely to happen to their information and with whom the information will be shared.
Health apps enable patients to engage with their doctors and encourage them to take greater involvement in their own health care. CMS has suggested that healthcare providers should enable any application that a patient chooses to connect to their APIs, provided those apps satisfy the technical requirements of the API. Although sharing healthcare information in this way will help patients become more engaged in their own health care, it could also jeopardize security.
To improve confidence in the safety of provider-to-patient data exchanges, AHA recommends that stakeholders work together to create a safe app ecosystem for sharing health data. Standards should be created to guarantee a baseline of security, in the same way the Payment Card Industry Data Security Standard (PCI DSS) does for payment data. AHA suggests there should be a vetting procedure for apps, comparable to the one CMS uses before apps are allowed to connect to Medicare claims data through the Blue Button 2.0 API.
For example, the Blue Button 2.0 system employs an app evaluation process for testing apps before they can connect, and developers are required to accept CMS terms and conditions. An app cannot be connected simply because it matches the technical specifications of the API.
The AHA has suggested that the policies put in place by CMS could be a good starting point for establishing a trusted app ecosystem.
Concern has also been raised about the potential for healthcare organizations that deny an app from linking to their API to be penalized for information blocking, even though the app could be denied due to legitimate security concerns. In such cases, healthcare providers could be issued with a meaningful use payment penalty. AHA recommends that CMS work along with ONC and OIG to make sure that safety measures are included in future guidance and that actions which do not constitute information blocking are clearly defined. CMS should also work with ONC and FTC to develop a mechanism that allows hospitals and health systems to report suspect apps.