AHIP president calls for health data privacy rules to apply to tech firms

Matt Eyles says new final data standards regs would let tech firms sell personal health data on the open market.


The Centers for Medicare and Medicaid Services (CMS) released the final version of major patient health data standards regulations Monday — amidst a blizzard of emergency notices related to efforts to contain and fight the Covid-19 pneumonia outbreak.

Matt Eyles, the president of America’s Health Insurance Plans (AHIP), said in a statement that he believes the new CMS Interoperability and Patient Access regulations could make patients’ health records too accessible to private technology companies.


Those companies operate beyond the reach of the Health Insurance Portability and Accountability Act (HIPAA) health information privacy and data security rules, Eyles said.


“We remain gravely concerned that patient privacy will still be at risk when health care information is transferred outside the protections of federal patient privacy laws,” Eyles said. “Individually identifiable health care information can readily be bought and sold on the open market and combined with other personal health data by unknown and potentially bad actors. Consumers will ultimately have no control over what data the app developers sell, to whom or for how long.”

The final regulations

CMS has posted a preliminary version of the final regulations on its own website and is preparing to post the true final version in the Federal Register soon.

One provision, for example, requires all health plans regulated by CMS, such as Medicare plan issuers, to make health care provider directory information available through a standardized connector called an API. Plans must provide public access to the provider directory information by Jan. 1, 2021.

“Making this information broadly available in this way will encourage innovation by allowing third-party application developers to access information so they can create services that help patients find providers for care and treatment, as well as help clinicians find other providers for care coordination, in the most user-friendly and intuitive ways possible,” officials say in a CMS fact sheet summarizing the new final regulation. “Making this information more widely accessible is also a driver for improving the quality, accuracy, and timeliness of this information.”

Another provision, which also takes effect Jan. 1, 2021, requires carriers to provide a patient access API that patients can use to get their own health insurance claims information.

The history

CMS developed the regulations in an effort to force U.S. health care system players to adopt compatible patient health information systems, to make health records available to the patients, and to make it easy for patients to move electronic health records from one entity to another.

Congress included health record standardization provisions in HIPAA, which became law in 1996.

But patients, providers and others have complained bitterly about U.S. health system players’ ongoing failure to give health record systems the ability to interact with other health record systems.

Neal Patterson, the founder and chief executive officer of Cerner Corp., testified at a Senate hearing in June 2015 that his own wife, who was fighting breast cancer, had to carry her own medical records from one provider to another in shopping bags.

CMS Administrator Seema Verma reported at a health data conference in April 2018, when she was already the head of CMS, that she herself faced terrible problems getting the information she needed after her own husband, who’s a psychiatrist, suffered a heart attack.

AHIP’s view

Eyles said AHIP members believe that Americans should be able to get their health care information when they need it, in a format that is convenient for them, to help them make better, more informed health care choices.

“That’s why health insurance providers continue to make personalized tools available to deliver actionable health information, from patient portals to mobile apps and telehealth services,” Eyles said.

Health insurance providers agree on the need for expanded consumer data access and are committed to building a truly interoperable health care system, Eyles said.

“However,” Eyles said, “when it comes to transparency in health care, patients overwhelmingly want two things: for the information to be clear, concise, and customized, and for their privacy to be protected.”

Any new rules must protect patient privacy, Eyles said.

“Sixty-two percent of consumers say that stronger protection of their personal privacy should outweigh any efforts to make it easier to access consumer health care data, and 90% believe that private technology companies should be held to the same privacy standards as health insurance providers,” Eyles said.

AHIP still hopes to work with the Trump administration to ensure that the implementation of the new regulations is done in a way that protects patient privacy, Eyles said.
