Download as PDF

NAACOS’ Views on Patient Privacy and Health Information Technology

Under the 21st Century Cures Act, Congress has mandated that the Department of Health & Human Services (HHS) require electronic health records (EHRs) make patients’ medical records available through application programming interfaces (APIs). APIs are the technological highways that allow data and information to flow between different software, allowing easier communication with disparate systems and websites. HHS’s Office of the National Coordinator for Health IT (ONC) proposed this change in a February 2019 proposed rule. In a separate rule, CMS also proposed that health plans makes claims information available to their members using APIs. NAACOS was very supportive of these changes and urged the finalization of these rules to help solve interoperability issues that have plagued health care. 

Patients have an undeniable right to access their records —it’s their data and they should own it — and APIs enable access “without special effort,” as the Cures Act states. But we must respect patients’ privacy and their ability to control who can access those records when and if it leaves their doctor’s office. Patients should be able to opt out of sharing their data with entities not directly providing care when they choose. Providers and technology companies must be transparent in telling patients how their data are used, where it’s stored, who accesses it and when. This should include easy to understand terms and conditions. 

Patients must be able to trust the deeply sensitive information included in their medical record doesn’t fall into the hands of those they don’t want to see it. Patients’ trust of the health system takes years to build yet can be destroyed in an instant. And if we aren’t careful, seeding too much control to companies looking to pool health data for uses that are unclear to —and unwanted by —patients risks breaking the trust of the patient-provider relationship. 

However, we as a society can have both access to medical data and privacy, as it’s possible to craft a policy that offers both. Technology today can facilitate patients’ ability to decide what apps can and cannot access their data. Technical industry standards exist today that allow users to approve one application interacting with another on their behalf without giving away their password. This standard is widely used today, including by the banking industry. 

For too long patients have struggled to obtain their own medical records, which shouldn’t be difficult. APIs provide a way to enable data liquidity that policymakers have long sought. EHRs have had decades to make it possible for patients to get access to their personal health records, and we are no further along today than when EHRs first became common. APIs can make it easier to share records with and among patients, providers, payers, and other care-team members. APIs are a fundamental building block in every other sector of our economy. The lack of interoperability in health care has limited the success of ACOs and other alternative payment models, and APIs provide a way to exchange data and create a longitudinal health record that allows for well-coordinated care that these models thrive on. While respecting patients’ privacy demands are important, they also deserve high-quality care, which can’t be delivered while without a complete picture of a patient’s history.