Home Warner urges HHS to establish data standards to protect patient privacy
Local

Warner urges HHS to establish data standards to protect patient privacy

Contributors
Photo Credit: Peshkova

U.S. Sen. Mark Warner (D-VA) wrote to the Department of Health and Human Services regarding a proposed rule by the Centers for Medicare and Medicaid Services (CMS) that would require CMS-funded health plans (including ACA marketplace plans) to allow patients to access their personal health information electronically through third-party consumer applications.

In his letter, Sen. Warner urged HHS to include clear standards and defined controls for accessing patient data in order to address the potential for misuse of these interoperability features.

“In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had profound impacts across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security, and a failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information,” wrote Sen. Warner. “It is critical that there are proper safeguards are in place to protect patient privacy and sensitive health information. Moreover, there should be more work done by HHS to facilitate greater access to, and transfer of, electronic health information that does not inadvertently enable dominant IT providers to leverage their control over user data outside of the health care context into nascent markets for personalized health products.”

“Across all sectors – including health care – innovative products and services, increasingly dependent upon machine learning, rely on user data as the single most important productive input to innovation and customization. Importantly, however, any approach must balance innovation and ease of access with privacy, security, and a commitment to robust competition. Further, any effort must ensure that such access redounds to the benefit of patients – and that data, once shared with new providers, is not commercialized in ways that benefit those providers without direct benefits or compensation to users,” he continued. “As CMS and HHS move forward with this needed rule – I urge you to include clear standards and defined controls for all stakeholders that ensure third party software applications accessing patient data through APIs are effectively protecting patient information and that patients are appropriately (and routinely) informed, in clear and particularized ways, how their data is used.”

Under the proposed Interoperability and Patient Access rule, CMS would require Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans (QHPs) on the federally-facilitated exchanges (FFEs) to allow patients to access their personal health information electronically through open application programing interfaces (APIs). APIs would allow third-party software applications to connect to, process, and make the data available to patients.

In the letter, Sen. Warner emphasized the importance of allowing patients to easily access their health information. He also noted the similarities between the proposed rule and the ACCESS Act – bipartisan legislation introduced by Sen. Warner that would promote market-based competition among social media platforms by requiring the largest social media companies to make user data portable, and their services interoperable, with other platforms. The ACCESS Act would also allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose. Additionally, Sen. Warner urged that, at a minimum, the final rule include the following standards:

  • Patient Access to Data – A guarantee that patients will have ready access to their personal health data and an ability to regularly monitor and ensure the accuracy of such information. Patients should be informed of all commercial uses of their data, including any third parties their data has been shared with (even if it has alleged to have been anonymized). Patients should also have the right to withhold consent for their data to be shared with third parties, or used in new ways without their consent. Patients should also reserve the right to have third party users dispose of their data upon request.
  • Adequate Privacy and Security Safeguards – Ensure participating stakeholders can adequately safeguard patient information by using existing best practices for secure storage and complying with applicable breach notification requirements. Moreover, HHS must work with the FTC and state attorneys general to develop mechanisms to report, supervise, and prosecute privacy and security lapses.
  • Documentation of the open API specifications and required security controls – Provide clear attestation of the open API specifications as defined for patient data, the security requirements and controls imposed on healthcare providers, and the third-party platform obligations in managing patient data.
  • Patient Consent and Terms of Use – CMS and HHS should work proactively with the patient, provider and payer community to ensure users have informed proactive consent when user data is shared with a third party. In addition – there should be clear protections in place to ensure third party vendors use patient data solely for purposes in which the patient has expressly given informed proactive consent, including cases where patient information may be sold, and that patients retain the right to direct any party that has acquired their data to delete it upon request. Further, those accessing patient data should be prohibited from conditioning continued access on agreement by the patient to share their data with third parties.

Sen. Warner has been a longtime critic of poor cybersecurity practices that compromise Americans’ personal information. Last week, Sen. Warner raised concern with HSS’ failure to act, following a mass exposure of sensitive medical images and information by health organizations. In September, he wrote to TridentUSA Health Services to inquire about the company’s data security practices, following reports that a company affiliate exposed medical data belonging to millions of Americans.

Earlier that month, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. Sen. Warner has introduced legislation to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

Contributors

Contributors

Have a guest column, letter to the editor, story idea or a news tip? Email editor Chris Graham at [email protected]. Subscribe to AFP podcasts on Apple PodcastsSpotifyPandora and YouTube.