Protecting Health Care Data: Balancing Patient Privacy, Control and Consent in a Time of Increasing Access

Delivery of good health care depends on free and honest communication between patient and practitioner, and providers have long respected patient privacy. Yet, as Americans grow accustomed to the convenience of instant and portable access to their health care records, we must understand the inherent compromise in this arrangement. The recent New York Times article “When Apps Get Your Medical Data, Your Privacy May Go With It” highlights this serious privacy dilemma.

We live in a world driven by convenience facilitated by the internet, smartphones — and, increasingly, third-party apps. Fitness, wellness, and health care apps hold enormous potential to revolutionize health care management and delivery. What patients may not realize, however, is that the protections of the Health Insurance Portability and Accountability Act (HIPAA) may not apply in the new world order of apps. While the U.S. Department of Health and Human Services (HHS) oversees HIPAA, the Federal Trade Commission (FTC) is charged with oversight of third-party apps.

Data is an increasingly valuable and profitable commodity, and federal safeguards should help protect against unexpected commoditization and sharing of sensitive patient information. Without proper federal oversight, patient data will fall prey to the same opaque erosion of privacy seen with other consumer data.

Today, when patients undergo surgery or a procedure, they are informed of its risks. Apps require similar “informed consent,” but lengthy privacy notices written in complex legal jargon do not adequately inform and warn patients, who may click through them without absorbing the fine print. When using apps, patients should be informed in succinct and plain language about how their information will be used and distributed. Clear disclaimers are needed if information will be repurposed, marketed or sold to other parties. The consequences are simply too great for boilerplate agreements that prioritize the protection and profit of apps before patients and their private data.

This is more than just a privacy issue. It is first a matter of security. Health care institutions and clinicians face a daily barrage of cyber-attacks from criminal syndicates eager for health data to sell or exploit. Federal guidelines are needed to ensure that before third-party apps are connected to electronic health records, some level of validation is in place to guard against security threats. And, second, to be better-informed consumers, patients will need help discerning which apps are worthy of their trust. Today, with no process or Good Housekeeping seal of approval for certifying apps, patients must sort through an ever-growing universe of apps on their own.

As Congress defines privacy policies for consumers, it is imperative that the protection of health care information be a priority. HHS and FTC must work together to address concerns regarding the commoditization and distribution of health care data. Self-policing of third-party apps, as some have suggested, is insufficient. With or without protective legislation, patients should actively monitor how their health information will be used. Without action to address these critical issues, we face untold violations of patient privacy in what some have aptly dubbed the Wild West.

Daniel Barchi is chief information officer of New York-Presbyterian and leads the health system’s technology, artificial intelligence, and telemedicine practice. 
