By ADRIAN GROPPER, MD
This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.
It’s 2023. Alice, a patient at Ascension Seton Medical Center Austin, decides to get a second opinion at Mayo Clinic. She’s heard great things about Mayo’s collaboration with Google that everyone calls “The Platform”. Alice is worried, and hoping Mayo’s version of Dr. Google says something more than Ascension’s version of Dr. Google. Is her Ascension doctor also using The Platform?
Alice makes an appointment in the breast cancer practice using the Mayo patient portal. Mayo asks permission to access her health records. Alice is offered two choices, one uses HIPAA without her consent and the other is under her control. Her choice is:
- Enter her demographics and insurance info and have The Platform use HIPAA surveillance to gather her records wherever Mayo can find them, or
- Alice copies her Mayo Clinic ID and enters it into the patient portal of any hospital, lab, or payer to request her records be sent directly to Mayo.
Alice feels vulnerable. What other information will The Platform gather using their HIPAA surveillance power? She recalls a 2020 law that expanded HIPAA to allow access to her behavioral health records at Austin Rehab.
Alice prefers to avoid HIPAA surprises and picks the patient-directed choice. She enters her Mayo Clinic ID into Ascension’s patient portal. Unfortunately, Ascension is using the CARIN Alliance code of conduct and best practices. Ascension tells Alice that they will not honor her request to send records directly to Mayo. Ascension tells Alice that she must use the Apple Health platform or some other intermediary app to get her records if she wants control.
Disappointed, Alice tells Ascension to email her records to her Gmail address. In a 2021 settlement with the Federal Trade Commission, Facebook and Google agreed that they will not use data in their messaging services for any other purposes, including “platforms”. Unfortunately, this constraint does not apply to smaller data brokers.
Alice gets her records from Ascension the old-fashion way, by plain Gmail under the government interpretation of her right of access. The rules even say that Alice can request direct transmission of her records in an insecure manner such as plain email if she chooses. But Alice can’t send them directly to Mayo because Mayo, also following CARIN Alliance guidelines, insists that Alice install an app on her phone or sign up for some other platform.
Alice wonders how we got from clear Federal regulations for patient-directed access to anywhere to the situation where she’s forced to wait days for her records, receive them by email and then mail them to Mayo. Alice wonders.
—
It’s December 2019.
This post is about the relationship between two related health records technologies: patient-directed uses of data and platforms for uses of patient data. As physicians and patients, we’re now familiar with the first generation of platforms for patient data called electronic health records or EHR. To understand why CARIN matters, the only thing about EHRs that you need to keep in mind is that neither physicians nor patients get to choose the EHR. The hospitals do. The hospitals now have bigger things in mind, but first they have to get past the frustration that drove the massively bipartisan 21st Century Cures Act in 2016. The hospitals and big tech vendors are preparing for artificial intelligence and machine learning “platforms”. Patient consent and transparency of business deals between hospitals and tech stand in their way.
A platform is something everything else is built on. The platform operator decides who can do what, and uses that power for profit. We’re familiar with Google and Apple as the platforms for mobile apps. Google and Apple decide. A platform for use of health data will have the inside track on machine learning and artificial intelligence for us as patients and doctors. The more data, the better. What will be the relationship between the hospital controlled platform of today’s EHRs and tomorrow’s AI-enabled platforms? Will patients choose a doctor, a hospital, or just send health records to the AI directly? Will US health AI compete with Chinese AI given that the Chinese AI has access to a lot more kinds of data from a lot more places? The practices that will control much of tomorrows digital health are being worked out, mostly behind closed doors, by lobbyists, today.
Three years on, the nation still awaits regulations on “information blocking” based on the Cures Act. Even so, American Health Information Management Association (AHIMA), American Medical Association (AMA, American Medical Informatics Association (AMIA), College of Healthcare Information Management Executives (CHIME), Federation of American Hospitals (FAH), Medical Group Management Association (MGMA), and Premier Inc. are sending letters to House and Senate committees hoping for a further delay of the regulations.
Access to vast amounts of patient data for machine learning is also driving efforts to weaken HIPAA’s already weak privacy provisions. Here’s a very nice summary by Kirk Nahra. Are we headed for parity with Chinese surveillance practices?
For their part, our leading health IT academics propose “… strengthening the federal role in protecting health data under patient-mediated data exchange…” Where is this data we’re protecting? In hospital EHRs, of course. We’re led to believe that hospitals are the safe place for our data and patient-directed uses need to be “balanced” by the risk of bypassing the hospitals and their EHRs. Which brings us back to CARIN Alliance as the self-appointed spokes-lobby for patient-directed health information exchange.
According to CARIN, “Consumer-directed exchange occurs when a consumer or an authorized caregiver invokes their HIPAA Individual Right of Access (45 CFR § 164.524) and requests their digital health information from a HIPAA covered entity (CE) via an application or other third-party data steward.” (emphasis added) A third-party data steward is a fancy name for platform. But do you or your doctor need a platform to manage uses of your data?
HIPAA does not say that the individual right of access has to involve a third party data steward. We are familiar with our right to ask one hospital to send health records directly to another hospital, or to a lawyer, or anywhere else using mail or fax. But CARIN limits the patient’s HIPAA right of access dramatically: “All of the data exchange is based on the foundation of a consumer who invokes their individual right of access or consent to request their own health information. This type of data exchange does not involve any covered entity to covered entity data exchange.” (emphasis added)
By restricting the meaning of patient-directed access beyond what the law allows, everybody in CARIN gets something they want. The hospitals get to keep more control over doctors and patients while also using the patient data without consent for machine learning and artificial intelligence in secret business deals. The technology vendors get to expand their role as data brokers. And government gets to outsource some of their responsibility for equity, access, and patient safety to private industry. To promote these interests, the CARIN version of patient-directed access reduces the control over data uses for physicians as well as patients much beyond what the law would allow.
The CARIN model for digital health and machine learning is simple. Support as much use and sale by hospitals and EHR vendors without consent while also limiting consented use to platform providers like Amazon, Google, IBM, Microsoft, Oracle and Salesforce, along with CARIN board member Apple.
CARIN seems to be a miracle of consensus. They have mobilized the White House and HHS to their cause. Respected public interest organizations like The Commonwealth Fund are lending their name to these policies. Is it time for this patient advocate to join the party?
Some of what CARIN is advocating by championing the expansion of the FHIR interface standards is worthwhile. But before I sign on, what I want CARIN to do is:
- Remove the scope limitation on hospital-to-hospital patient-directed sharing.
- Suspend work on the Code of Conduct – here’s why.
- Separate work on FHIR data itself from work on access authorization to FHIR data.
- Do all work in an open forum with open remote access, open minutes, and an email list for discussion between meetings. Participation in the HEART Workgroup (co-chaired by ONC) and also designed to promote patient-directed uses would be part of this.
Digital health is our future. Will it look like The Mayo Platform with Google and Google’s proprietary artificial intelligence behind the curtain? Will digital health be controlled by proprietary and often opaque Google or Apple or Facebook app store policies?
The CARIN / CMS Connectathon and CARIN Community meeting are taking place this week. Wouldn’t it be a dream if they would engage in a public conversation of these policies from Alice’s perspective. And for my friends Chris and John at Mayo, what can they do to earn Alice’s trust in their Platform by giving her and her doctors unprecedented transparency and control.
Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country.
Categories: Uncategorized
Deven, I might agree with you about the intent and scope of the Code of Conduct but my concerns are about the HL7 standards that drive the implementation of patient-directed exchange.
This is an Implementation Guide. The HL7 Background does not even mention a Code of Conduct and that’s entirely appropriate because it’s a technical specification, not a policy.
HIPAA does not require a Code of Conduct for either patient or physician-facing apps, although the physician-facing app case obviously includes one by default. A code of conduct is not required for patient-directed sharing via US Mail or fax.
Maybe I misunderstand CARIN’s and HL7’s intent and there will be no link between the Code of Conduct and the HL7-compliant patient-directed FHIR API practice. If that’s the case, then clearly the patient-directed FHIR API will also be accessible to physician-facing apps using HIPAA-compliant systems, including EHRs. In that case, CARIN Alliance and HL7 can just clarify this point and we will be well along to meeting the four points I suggest are needed for a consensus.
Adrian, I believe you misread the CARIN Code of Conduct and the intent behind it. The purpose of the Code of Conduct is provide consumers with a tool to use in selecting a personal health record app or platform IF the consumer decides to use one in order to access their health information through FHIR APIs. The language in the Code and introductory material defining “consumer-directed exchange” as involving an app selected by a consumer, and differentiating it from circumstances where covered entities like hospitals and doctors share data directly with one another under the TPO (treatment, payment, operations) exceptions to HIPAA, is just about narrowing the scope of what the voluntary code is intended to cover. It is not an intent to confine the health data sharing universe to only circumstances where patients hire apps.
There are many instances of data sharing per HIPAA – including when covered entities disclose data pursuant to the Privacy Rule without the need for patient authorization and when individuals invoke their HIPAA right of access to obtain copies of their data, either for themselves or to have it sent elsewhere (such as to another doctor or hospital). The Code does not limit that sharing at all – it doesn’t even address it (or at least that was not the intent).
I believe the intent for the Code is to invite personal health record app vendors attest to it — which would provide consumers with a tool for choosing apps IF and only IF they decide to hire one for collecting and then managing their health records. So in your scenario, Ascension could not “adopt the Code” to preclude a patient from exercising her HIPAA rights to have information sent directly to Mayo. Ascension would only “adopt the Code” if it were offering a personal health record app to patients and decided it wanted to attest to the Code as a way of assuring patients regarding the app’s data practices. And in that case, the Code would apply to the activities of the app and not necessarily to Ascension’s other practices with patient data.
In my view, the Code serves an important purpose – but it is far narrower than the role that you have ascribed to it.
An answer to one simple question would be a good start:
Why is CARIN excluding patient-directed sharing between one hospital and another hospital if that is already allowed by US Mail or Fax?
All of our readers should speculate on this but I’m especially curious to hear from two trusted leaders in this space, Apple and Commonwealth Fund, who are lending their name to this organization.
Adrian, thanks for making a compelling case. I look forward to hearing how CARIN responds to your concerns.