AMA: Government must not trade privacy for efficiency
As the federal government pushes for streamlined information-sharing among healthcare providers, it may face a major hurdle: what patients want. Recent polling has shown that many consumers are wary of sharing their health data and have serious privacy concerns around technology companies that handle it.
The American Medical Association issued new privacy principles supporting the rights of patients to control, access and delete their personal information.
"Patients’ confidence in the privacy and security of their data has been shaken by repeated technology-sector scandals and the wired economy’s default business model that quietly gathers intimate glimpses into private lives – often without patient knowledge, consent or trust,” said AMA president Dr. Patrice A. Harris.
Citing a 2019 white paper from Rock Health and Stanford's Center for Digital Health showing consumers' increasing reluctance to disclose health data, Harris warned, "Patients are less willing to share information with physicians for fear that technology companies and data brokers will have full authority over the use of their indelible health data."
"Unfortunately, recently finalized federal regulations will make this more likely to happen.”
Harris is undoubtedly referring to the rules from the Office of the National Coordinator for Health IT and the Centers for Medicare and Medicaid Services, which include requirements to enable data sharing with patients through application programming interfaces and for hospitals to electronically notify other healthcare facilities when patients are admitted, discharged or transferred.
The federal government has presented these rules with the aim of empowering patients and promoting efficiency. However, privacy advocates and industry groups have expressed concerns about giving third-party APIs and other entities access to medical data.
"Any new rules must ensure we protect patient privacy, reduce healthcare costs and get personalized information into the hands of patients," said America's Health Insurance Plans president and CEO Matt Eyles in March.
"We remain gravely concerned that patient privacy will still be at risk when healthcare information is transferred outside the protections of federal patient privacy laws," he said.
"Individually identifiable healthcare information can readily be bought and sold on the open market and combined with other personal health data by unknown and potentially bad actors," he warned. "Consumers will ultimately have no control over what data the app developers sell, to whom or for how long."
Third parties as information stewards
In its privacy principles, the AMA urged lawmakers to enact a "privacy law [that] protects the sacred trust at the heart of the physician-patient relationship."
It noted that existing federal law may not safeguard data that could leave people open to discrimination, especially once that data is in the hands of third parties.
"Health care information is one of the most personal types of information an individual can possess and generate –regardless of whether it is legally defined as 'sensitive' or protected health information under HIPAA – and individuals accessing, processing, selling, and using it without the individual’s best interest at heart can cause irreparable harm," said the AMA in the principles.
"Privacy legislation should apply to entities that access, use, transmit, and disclose data, including HIPAA business associates, with exceptions for HIPAA-covered entities given their obligations under existing HIPAA regulation," the AMA continued.
Noting other industries' expansion into the healthcare landscape, it said, "We believe this framework would lead to enhanced transparency around the use of business associates in health care, particularly now that entities not traditionally associated with health care are more active in the healthcare industry."
"Third parties who access an individual’s data should act as responsible stewards of that information, just as physicians promise to maintain patient confidentiality," it said.
The AMA also pointed out how members of vulnerable communities, such as people with low incomes, may not have the resources to protect themselves and their data. As a result, it vowed to oppose any apps that contribute to such inequity.
"Because low-income individuals and other vulnerable populations have fewer resources and tools at their disposal to effectively assert their privacy rights, purchase technology with the most advanced and up-to-date privacy and security technology, and recover from harmful invasions of privacy, privacy frameworks (legal or otherwise) must advance policies to benefit individuals of all income levels," it said.
"For example, the AMA would not support a policy in which paid apps provided greater privacy protections than free apps."
After the crisis
The COVID-19 pandemic has thrown the importance of safeguarding data into sharp relief, as technology companies ratchet up information-sharing and -tracking innovations with government support.
"There is unprecedented reliance on remote-care technologies, like telehealth, to help people avoid leaving their homes during the COVID-19 pandemic," wrote the AMA in a statement accompanying the release of the privacy principles.
"But both patients and clinicians are justified in questioning how platforms will secure and protect the information exchanged during the virtual visits."
"Similarly, many private and public efforts are underway to collect, use, and disseminate public health surveillance data to help inform public health officials and policymakers about the spread of the novel coronavirus," the AMA continued. "These efforts are critically necessary but must address questions about how best to handle the data both during collection and once the pandemic has subsided."
Regarding post-crisis government use of data, HIMSS Chief Clinical Officer Dr. Charles Alessi wrote in March that "there is good reason to be concerned."
"History teaches us that governments tend not to dismantle technologies or processes set up wholly appropriately in emergencies as readily as they could and indeed in some cases, some aspects of surveillance and intrusion somehow seem to persist even after the threat has long gone," Alessi wrote.
Ultimately, the AMA said, patients should be the arbiters of their own information.
"Individuals have the right to control how entities access, use, process, and disclose their data, including secondary (and beyond) uses," it said.
Kat Jercich is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.