What big tech companies aren't saying about HHS data rules

By Mohana Ravindranath

Hospitals and doctors are pitted against patient data advocates in a strident debate over HHS plans to facilitate data sharing with software companies. But the biggest tech players — Google, Facebook, Amazon and others — have largely remained on the sidelines.

Health care professional groups have flooded HHS with comments on upcoming data sharing rules, expressing worry that developers could sell patient data for advertising and marketing purposes. They are urging HHS to add privacy provisions before finalizing the rules, which would force providers, vendors and insurers to adopt common standards so patients can share their information with apps they choose.

Members of Congress have attacked the tech companies in recent months for allegedly reckless use of consumer data, and the privacy issue has been central to debate over the rules, developed by CMS and ONC and currently under review at the White House.

The American Medical Association, for instance, cited a study that found 81 percent of a sample of 36 smoking cessation and depression apps were sending data to Google and Facebook. Fewer than half disclosed this to consumers. Consumers need education "regarding the risk of posting API records on social media platforms and otherwise risky ways of sharing their data,” Network Health Plan warned in another comment.

Some of the provider groups warn that patients aren't savvy enough to understand that their personal data can be sold once it's outside the health care system, and say health care organizations can't take on the burden of vetting apps for patients.

Patient advocates and HHS officials, meanwhile, have dismissed such views as paternalistic. Last year, ONC chief Don Rucker testified to the Senate HELP Committee that the rules are designed to give patients "the ability to decide whether the potential benefit of an app to manage their health care information and medical conditions outweighs potential risks."

Apple, which has led the way in enabling patients to extract their records through agreements negotiated with hundreds of health care systems, is one of only a handful of Silicon Valley companies that have commented on the proposals. The company clarified that health and wellness apps in its app store may not mine or use health data for ads or marketing.

Facebook, as POLITICO has reported, has been criticized by patient advocates for promoting itself as a meeting place for patients without being clear that their names could be visible to outsiders, marketers, employers and insurers. The company did not offer comment on the rules and declined comment to POLITICO about them.

In lieu of a comment, Amazon indirectly indicated its support for the rules by referring a reporter to the company's recent pledge to support data interoperability and HHS-touted standards.

The decision to stay out of the rulemaking discussion is a "missed opportunity" to "provide some insight into each company's perspectives," privacy lawyer Matt Fisher, of Mirick, O'Connell, DeMallie & Lougee, told POLITICO in an email. "While that perspective may not necessarily address patient fears, it at least opens the door a little bit."

In the absence of privacy commitments from the tech companies, some groups have urged ONC to add mandatory privacy protocols to its API mandate. "[B]y failing to implement [such protocols], the agency is making a deliberate policy decision to not prioritize patient privacy," the American College of Ophthalmology wrote.

Google has not commented directly on the rules but referred to comments from the Health Innovation Alliance and Consumer Technology Association, trade groups to which it belongs. A spokesperson said the company supported HHS "initiatives to prevent information blocking and facilitate secure data access to patients."

But the Health Innovation Alliance, whose other members include IBM, McKesson and Athenahealth, gave a negative assessment of the rules and urged HHS to start over. ONC and CMS should "make clear that originators of data should not be responsible for the privacy and security of the data once it leaves their control." The group also emphasized that it did not have confidence that HIPAA protects all health data "in the world envisioned by ONC."

HHS' Office for Civil Rights is investigating Google's recently revealed partnership with Ascension, which gives the tech company access to millions of patient records.