June 23, 2021 Feature

“Will You Share My Data, Please?” Evolving Legal Frameworks to Address Information Sharing by and for Patients

By Heather Deixler and Ty Kayam

In the midst of the “Regulatory Sprint” to a value-based healthcare system—which defines value as patient outcomes and rewards providers for improving the quality rather than the quantity of care provided—there is a shifting focus on patient-directed information sharing. Central to a successful value-based program is the sharing of information to coordinate care.1 While the Health Insurance Portability and Accountability Act of 1996, as amended, and regulations promulgated thereunder (hereinafter “HIPAA”) have always permitted healthcare providers to share protected health information (PHI) for treatment, payment, and healthcare operations purposes without patient authorization, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has recently proposed rules to modify HIPAA to emphasize the importance of information sharing by modifying standards that could be viewed as presenting barriers to coordinated care and case management.2

As federal regulators focus on patients’ right to access their health information, innovative companies are coming up with new and improved ways to track patients’ health-related data and make it accessible to the patient or their representative. As patients manage their own healthcare through a variety of sources, including wellness apps that monitor certain vital signs and collect a host of data about the individual, they are seeking solutions that enable them to access all of their health data in one place. How will the established regulatory framework evolve to encompass all of the different ways in which individuals record, maintain, and access information about their own health?

Keeping up with the Regulatory Sprint: Information Sharing Is Key

At the heart of the transition to value-based care is coordinated care managed by a team of healthcare providers who are able to share patient data with one another to better coordinate the patient’s care. In conjunction with HHS’s Regulatory Sprint to Coordinated Care, also known as the “Regulatory Sprint,” final rules were issued by the Office of the Inspector General (OIG) and the Centers for Medicare & Medicaid Services (CMS) to remove potential regulatory barriers to care coordination and value-based care.3 In the OIG’s Final Rule regarding changes under the federal anti-kickback statute to protect certain value-based arrangements, OIG emphasizes the role that data sharing plays in order to “achieve safer, more effective, or more efficient care to improve the health outcomes of the target patient population.”4 In responding to requests from commenters for clarification of what constitutes the coordination and management of care, OIG noted that in order to achieve successful care management and coordination, the parties must do more than coordinate activities and must ensure that information about such activities is being shared among the parties.5

Further, OCR has issued proposed modifications to the Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule) to support the Regulatory Sprint, including a proposed amendment to the definition of “health care operations” to clarify that both population-based and individual-level activities constitute care coordination and case management activities by health plans and covered healthcare providers for purposes of such healthcare operations.6

When the Patient Is in Control

With the advent of digital health has come the proliferation of digital apps and a plethora of ways in which individuals can manage their data in order to manage their care. Long gone are the days of a family practice physician singlehandedly managing the health of a patient and his or her family and recording such health-related data on paper records. Rather, we now have a range of providers, including primary care physicians, specialists, and clinics (e.g., urgent care centers), along with health-related apps and remote patient monitoring devices that track and monitor the individual’s health in real time—most often operating separately from one another. With patients seeking to serve as the central custodian of their medical data, patients are increasingly requesting that healthcare providers share their medical records with third-party apps, and healthcare providers are finding themselves potentially facing consequences under the new information blocking and interoperability rules for failing to do so.

Beware of Not Sharing: Information Blocking and Interoperability Rules

In 2016, Congress passed the 21st Century Cures Act, which prohibits the practice of information blocking.7 Broadly speaking, this meant that “actors” such as providers, electronic health record (EHR) companies, and health information exchanges/health information networks are not allowed to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI) unless a specified exception applied.8

In 2020, the Office of the National Coordinator for Health Information Technology (ONC) issued final interoperability and information blocking rules, which recently became effective on April 5, 2021 (Interoperability and Information Blocking Rules).9 Among other things, the Interoperability and Information Blocking Rules made clear that, upon request by an individual, these actors must make EHI available to third-party developers. As such, individuals must have the “ability to choose which third-party developer and app are best for receiving all or part of their EHI from a health care provider.”10

It is worth noting that regulators elected to create and use a new term—EHI—for the purpose of these rules. The concept of EHI originated from the 21st Century Cures Act but was not defined in the statute. During the proposed rule phase, ONC sought to define it broadly, including both electronic PHI regulated under HIPAA (ePHI) as well as any other information transmitted by or maintained in electronic media that identifies an individual and relates to their health, the provision of care, or payment for care.11 In the final rule, ONC elected to do away with the latter part of this definition and limited EHI to ePHI to the extent it is included in a patient’s designated record set, noting that aligning the definition with HIPAA will lessen the compliance burden of these rules.12

A result of the Interoperability and Information Blocking Rules is that health information can now flow from the traditional healthcare ecosystem governed by HIPAA to third-party developers who are not subject to HIPAA. Consequently, HIPAA’s standards governing the privacy and security of PHI, including rules around use and disclosure, providing patients with a notice of privacy practices, and the prohibition on the sale of PHI, do not necessarily apply to third-party developers obtaining the EHI. Rather, these developers are regulated by disparate state laws as well as the Federal Trade Commission (FTC), under its authority to prohibit unfair or deceptive acts or practices affecting commerce.13 Under this authority, the FTC may challenge any deceptive privacy policies or other consumer-facing materials and any unfair practices that cause substantial injury that is unavoidable by consumers without outweighed benefits.14

Beyond just information relating to a patient’s health and related care, the new interoperability efforts also provide patients with flexibility on accessing information about payment for such care. On the same date as the ONC final rule, CMS published a final rule that, among other things, required that CMS-regulated plans make available claims data, encounter data, clinical data, and covered drug and formulary information to any third-party app at the direction of the patient.15 The intent of this rule is to allow patients to use the app of their choice and the technology of their choice to access this information. These plans are additionally tasked with educating patients on the risks associated with potential secondary uses of data by third parties.16 Similar to the ONC rules, third-party apps with which individuals choose to share this information would likely be governed by the FTC.

Regulators Are Focusing on Patients’ Right to Access Health Data

As the focus continues to shift toward sharing of health information and care coordination and care management, regulators are focused on patients’ right to access information. In 2019, OCR launched its HIPAA Right of Access Initiative, pursuant to which HHS has promised to “vigorously enforce the rights of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice.”17 Under HIPAA, a patient has the right to access, upon request, and with certain limited exceptions, their PHI that is maintained by the healthcare provider or health plan in a designated record set, which includes medical records, billing records, payment and claims records, case management records, and other records used, in whole or in part, by or for a covered entity to make decisions about the individual.18 The HIPAA Right of Access Initiative is designed to ensure that the HIPAA requirements for providing access are being met, including the following: (1) responses are timely (i.e., the covered entity must respond to an individual’s request within thirty days of the receipt of the request); (2) if any fee is charged to provide a copy of the PHI or direct a copy to a designated third party, the fee is a reasonable cost-based fee (which includes only the cost of certain labor, supplies, and postage); and (3) PHI is provided in the form and format requested by the individual.19 As of April 1, 2021, OCR has settled eighteen enforcement actions in its HIPAA Right of Access Initiative.

Earning Patients’ Trust: Transparency Is Key

As patients increasingly look to third-party apps to manage their health-related data, many of which are not governed by HIPAA as either a covered entity or a business associate, it is becoming increasingly clear that such apps need to focus on transparency in describing the app’s privacy practices and ensuring that patients are aware of the ways in which their data are shared, and with whom. The importance of providing proper notice of data-sharing practices to individuals recently came into focus with the FTC’s settlement with Flo Health, Inc., with respect to its mobile app, Flo Period & Ovulation Tracker (the App).20 Through the App, users share data about their gynecological health, including information about physical health, menstruation, pregnancy, and childbirth. The FTC alleged that Flo Health shared this information with third parties without individual consent and without setting limitations on how the third parties may use this information.21 In fact, Flo Health’s privacy policies stated that the App would not share users’ health information with others.22

The FTC’s settlement with Flo Health provides some insight into how the agency may address practices related to health information moving forward. As part of the settlement, Flo Health is required to inform users about the purposes of data collection, use, and disclosure and inform consumers about controls they may exercise over their data.23 In addition, Flo Health must identify the parties to whom health information may be shared, the categories of health information shared with such third parties, and the purposes for sharing such information, including how the information may be used by the third party.24 Importantly, Flo Health must obtain a user’s affirmative express consent prior to sharing information with third parties.25

While the Flo Health mobile app only involved the collection of information directly from the user, under the new Interoperability and Information Blocking Rules, individuals could request that their healthcare providers share EHI with third-party apps. In the rules, ONC has made it clear that any “vetting” for security purposes by healthcare providers of such third-party apps selected by individuals and intended to facilitate patient access to EHI held by such actors would likely be viewed as an interference. ONC notes that there would generally be no need for “vetting” on security grounds because, unlike with a business associate under HIPAA, healthcare providers do not need to vet third-party apps to comply with the HIPAA Security Rule, and the app developer’s authentication and authorization can occur through an EHR.26 Instead, providers may educate patients about the privacy and security practices of third-party apps so long as the providers focus on privacy and security risks and ensure that the information is factually accurate, unbiased, and objective.27 In response to comments expressing concern that such third-party apps would be able to use and disclose patient data in ways that the HIPAA Rules would not permit, ONC responded that it supports an individual’s ability to select their own third-party developer and app, and stated firmly that an actor may not prevent the individual from sharing health information with a third-party developer despite any risks identified about the app or the developer.28 While actors are strongly encouraged to inform and educate the individual about potential risks, the decision-making power lies with the individual.

With So Much Opportunity, Is There Opportunity for All?

The digital era and these changes to laws are helping many individuals take control of their health. However, some populations are unable to benefit from potential health and medical innovation due to lack of broadband, issues of accessibility, and the cost of technology. As a result, if only certain populations are interacting with health-related apps and technology, then any data necessary to drive innovation—such as data used to develop artificial intelligence and machine learning technology models—is not reflective of the full population that could benefit from the innovation. This can exacerbate health inequities and slowly result in a digital divide, referred to as “health data poverty” and defined as “the inability for individuals, groups, or populations to benefit from a discovery or innovation due to a scarcity of data that are adequately representative.”29 Fortunately, in recognizing this issue, many from the medical and technology fields are working to ensure that datasets are representative of whole populations. On the other hand, data are very susceptible to exploitation, and this is particularly the case for health data. In these efforts for representative datasets, as technologists, scientists, and policy makers make decisions on how best to solve for health data poverty, it is important for developers to be mindful of the dark history of race and medicine and the mistreatment of minority and marginalized populations in the progress toward modern medicine.

Will Information Sharing Be the Catalyst for an Evolving Legal Framework?

With the evolution of data sharing, and the proliferation of health-related apps, the need to modernize our current legal framework is clear. While HIPAA currently regulates only covered entities and business associates, the information sharing at the heart of our shift to a value-based system may be the catalyst for a uniform approach to governing the use and disclosure of health-related data by all entities involved in maintaining such data for individuals. As the FTC continues to govern this space and ensure that consumers are provided with proper notice of how their health-related data are used and disclosed, it appears that a common framework would benefit patients and consumers alike.

Endnotes

1. See, e.g., What Is Value-Based Healthcare?, New Eng. J. Med. Catalyst (Jan. 1, 2017), https://catalyst.nejm.org/doi/full/10.1056/CAT.17.0558; Value-Based Programs, Ctrs. for Medicare & Medicaid Servs., https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/Value-Based-Programs.

2. Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446, 6446–538 (Jan. 21, 2021).

3. Revisions to Safe Harbors Under the Anti-Kickback Statute, and Civil Monetary Penalty Rules Regarding Beneficiary Inducements, 85 Fed. Reg. 77,684 (Dec. 2, 2020) (OIG Final Rule); Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77,492 (Dec. 2, 2020).

4. OIG Final Rule at 77,721.

5. Id. at 77,722.

6. Proposed Modifications, 86 Fed. Reg. at 6472.

7. 21st Century Cures Act, Pub. L. No. 114-255, 130 Stat. 1033, 4004 (2016).

8. Id.

9. 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed. Reg. 25,642 (May 1, 2020) (the ONC Final Rule).

10. Id.

11. 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 84 Fed. Reg. 7424, 7513 (Mar. 4, 2019).

12. ONC Final Rule, 85 Fed. Reg. at 25,803.

13. 15 U.S.C. § 45(a)(1).

14. ONC Final Rule, 85 Fed. Reg. at 25,642, 25,817; 15 U.S.C. § 45(n).

15. Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-Facilitated Exchanges, and Health Care Providers, 85 Fed. Reg. 25,510, 25,523 (May 1, 2020).

16. Id. at 25,543.

17. See, e.g., Press Release, Dep’t of Health & Human Servs., OCR Settles Second Case in HIPAA Right of Access Initiative (Dec. 12, 2019), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/korunda/index.html.

18. 45 C.F.R. § 164.501.

19. Id.

20. See Proposed Settlement Between the FTC and Flo Health, In re Flo Health, Inc., File No. 1923133, available at https://www.ftc.gov/system/files/documents/cases/flo_health_order.pdf (the Flo Health Proposed Settlement).

21. See Complaint at 1–3, In re Flo Health, Inc., available at https://www.ftc.gov/system/files/documents/cases/flo_health_complaint.pdf.

22. Id.

23. See Flo Health Proposed Settlement, supra note 20, at 3–4.

24. Id. at 4.

25. Id.

26. See ONC Final Rule, 85 Fed. Reg. at 25,762; see also id. at 25,814–15. ONC noted that it is not prohibited for EHRs to verify the app developer’s authenticity by enabling the app’s registration with the EHR’s authorization server for the purpose of demonstrating technical conformance. Id.

27. Id. at 25,814–15.

28. Id. at 25,815.

29. See Hussein Ibrahim et al., Health Data Poverty: An Assailable Barrier to Equitable Digital Health Care, 3 The Lancet: Digital Health e260 (Apr. 1, 2021), https://www.thelancet.com/journals/landig/article/PIIS2589-7500(20)30317-4/fulltext.


Heather Deixler is counsel in the San Francisco and Silicon Valley offices of Latham & Watkins LLP, where she advises companies operating in the healthcare industry on data privacy and security matters. Ty Kayam is counsel for U.S. Health & Life Sciences at Microsoft, where she focuses on digital health and technology transactions. The views expressed in this article are her own and do not reflect the official policy or position of Microsoft.