Officials in the HHS office that oversees health technology have said new rules will give consumers transparency about app-makers’ privacy practices. That would give the Federal Trade Commission a role in keeping tech firms accountable — but some lawmakers say those FTC powers are inadequate. Sen Kirsten Gillibrand (D-N.Y.) recently introduced legislation to create a brand new federal agency devoted to data protection and privacy, in health and other sectors.
The increased push to let both patients and providers more easily move and share health records has been championed by White House senior adviser Jared Kushner. The president’s son-in-law has quietly helped craft the policy, which could upend the health technology sector and generate a windfall for Silicon Valley giants and startups alike.
Standing against the administration is Epic, the biggest player in health care software. The giant has bought up ads in the D.C. metro system and Reagan National Airport as one front in its campaign to delay the new policy on data sharing. And it briefly floated a lawsuit against HHS.
Central to Epic’s argument are privacy fears — and privacy and consumer advocates, hospitals and health systems are divided. Some agree the privacy challenges haven’t been thought through; others believe Epic is opportunistically trying to protect its market dominance.
The roiling privacy debate has reached within the administration, and concern within the Office of Management and Budget was one reason the rollout of the new rules was delayed, a government official and a second person familiar with the process said.
Patients already have rights to access their records, either by paper or in downloadable format, and firms like Apple have also enabled apps access to the phones. But it’s currently not as easy, affordable or complete as it should be, many patient advocates say. The new rules on patient access are part of a general push to make it easier to move data from one setting to another, known in the industry as interoperability.
Privacy hawks see an ironic threat: giving patients more control over their health data will ultimately result in them losing that very control. Once data is shared, privacy restrictions become looser, supercharging a burgeoning industry built on vacuuming up and reselling Americans’ medical information. Already, tech giants like Google and Facebook face renewed scrutiny on Capitol Hill over their use and protection of consumer data.
“This is not about interoperability — this is about having access to data,” said Jeff Chester, executive director of the Center for Digital Democracy and a prominent critic of Google. “The health data is going to give them insights into many other aspects of your life.”
Google and Apple have met with administration officials several times on the issue over the past few years, multiple sources confirmed, including a recent visit from from Google Health chief David Feinberg, who met with health officials amid an ongoing department investigation into Google’s recent patient data deal with health system Ascension Health.
The deal last year unleashed a furor from privacy hawks, lawmakers and regulators, prompting the probe over whether the partnership violates HIPAA.
HHS declined comment for specific questions about its meetings with tech firms, though Don Rucker, director of the Office of the National Coordinator for Health Information Technology, who oversees health tech in the department, confirmed Feinberg’s visit in a January speech.
Top health officials have made clear they see the regulations as a chance to dislodge health IT incumbents like Epic and jump-start what Rucker has called “new business models of health care.”
Rucker has dismissed privacy concerns as “realistically small risks,” and said that tech firms, mindful of their brands and reputations, will keep privacy on their mind. “Functioning markets take care of information,” he said.
“There’s a big alliance, because tech knows that the regulatory landscape either allows or stops clinical data movement,” said one official, who requested anonymity to describe one meeting between Apple and ONC. “Tech knows they own the consumer. If they can help government push regulation to help the patient/consumer, the game is over: tech wins.”
Official filings also reflect some changes in the giants’ lobbying strategies: Apple, for instance, added “issues related to consumer access to mobile medical devices and applications” to its fourth-quarter 2019 lobbying disclosure filing, already studded with references to apps, privacy and health records.
Apple declined to comment. Google declined to answer specific questions, instead saying it “shared HHS’s view” about the broad strokes of the regulations.
Kushner, through the White House’s Office of American Innovation, has also taken a lead role in pushing for the regulations — headlining early administration events on data sharing. That office has also spoken up on behalf of the rules as part of its regular meetings with OMB, two people familiar with the matter said. Kushner also helped push through the mega-deals to supply a new electronic health record to the departments of Defense and Veterans Affairs.
“America needs better patient access to data and interoperability now,” Kushner said in a 2018 speech before a health industry confab. “We have developed the plan to achieve this, and we are committed to seeing it through.”
A White House spokesperson said that the Office of American Innovation is “certainly helping to support” work on the interoperability rules, but that it is not the lead agency. It declined comment on Kushner’s role.
The push for better digital health is bipartisan; the Obama administration put billions into it. But the transition has been rocky. Despite gains in some areas, like reducing medication errors, doctors have complained of time-consuming busywork that takes away from patient care. And it has been difficult to move records so that a complete picture follows patients through the health care system.
Legislators empowered HHS to regulate the sector more closely as part of the 21st Century Cures Act. HHS had originally intended for the rules to come out last fall; the delay has led to a furious, last-minute lobbying campaign by Epic and some like-minded health systems.
Judy Faulkner, Epic’s CEO, warned that such apps can request data indiscriminately. And, once the data is out, “you can’t stick it back in,” she said in an interview. “The apps need to be responsible for keeping the data private and not misusing it.”
Multiple lawmakers have also petitioned HHS about potential intellectual property issues raised by the rule.
And Epic organized a letter signed by around 60 health system CEOs representing its client hospitals asking the office to delay its rules. But the list of signatories, while long, lacked the heft of the software giant’s most prominent clients: systems like Kaiser Permanente and the Mayo Clinic. The lack of star power has been noted. Rucker alluded to it at the recent Health Datapalooza conference, saying “most of the big customers” didn’t sign on to the letter.
Tech firms and their advocates also, meanwhile, say their business interests and patients’ intersect. Patients can have tremendous trouble getting their health records quickly and inexpensively. The advocates hope the rule, by mandating application programming interfaces, will make data much more available. That, in turn, will make the system much easier for patients: no more asking for faxes or toting around their own X-rays.
“It’s asinine to me that it’s 2020 and my [kids’] records don’t freely flow from one pediatrician’s office to the next,” said Chris Klomp, the CEO of startup Collective Medical.