By ADRIAN GROPPER, MD
This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.
It’s 2023. Alice, a patient at Ascension Seton Medical Center Austin, decides to get a second opinion at Mayo Clinic. She’s heard great things about Mayo’s collaboration with Google that everyone calls “The Platform”. Alice is worried, and hoping Mayo’s version of Dr. Google says something more than Ascension’s version of Dr. Google. Is her Ascension doctor also using The Platform?
Alice makes an appointment in the breast cancer practice using the Mayo patient portal. Mayo asks permission to access her health records. Alice is offered two choices, one uses HIPAA without her consent and the other is under her control. Her choice is:
- Enter her demographics and insurance info and have The Platform use HIPAA surveillance to gather her records wherever Mayo can find them, or
- Alice copies her Mayo Clinic ID and enters it into the patient portal of any hospital, lab, or payer to request her records be sent directly to Mayo.
Alice feels vulnerable. What other information will The Platform gather using their HIPAA surveillance power? She recalls a 2020 law that expanded HIPAA to allow access to her behavioral health records at Austin Rehab.
Alice prefers to avoid HIPAA surprises and picks the patient-directed choice. She enters her Mayo Clinic ID into Ascension’s patient portal. Unfortunately, Ascension is using the CARIN Alliance code of conduct and best practices. Ascension tells Alice that they will not honor her request to send records directly to Mayo. Ascension tells Alice that she must use the Apple Health platform or some other intermediary app to get her records if she wants control.
Disappointed, Alice tells Ascension to email her records to her Gmail address. In a 2021 settlement with the Federal Trade Commission, Facebook and Google agreed that they will not use data in their messaging services for any other purposes, including “platforms”. Unfortunately, this constraint does not apply to smaller data brokers.
Alice gets her records from Ascension the old-fashion way, by plain Gmail under the government interpretation of her right of access. The rules even say that Alice can request direct transmission of her records in an insecure manner such as plain email if she chooses. But Alice can’t send them directly to Mayo because Mayo, also following CARIN Alliance guidelines, insists that Alice install an app on her phone or sign up for some other platform.
Alice wonders how we got from clear Federal regulations for patient-directed access to anywhere to the situation where she’s forced to wait days for her records, receive them by email and then mail them to Mayo. Alice wonders.
It’s December 2019.
This post is about the relationship between two related health records technologies: patient-directed uses of data and platforms for uses of patient data. As physicians and patients, we’re now familiar with the first generation of platforms for patient data called electronic health records or EHR. To understand why CARIN matters, the only thing about EHRs that you need to keep in mind is that neither physicians nor patients get to choose the EHR. The hospitals do. The hospitals now have bigger things in mind, but first they have to get past the frustration that drove the massively bipartisan 21st Century Cures Act in 2016. The hospitals and big tech vendors are preparing for artificial intelligence and machine learning “platforms”. Patient consent and transparency of business deals between hospitals and tech stand in their way.
A platform is something everything else is built on. The platform operator decides who can do what, and uses that power for profit. We’re familiar with Google and Apple as the platforms for mobile apps. Google and Apple decide. A platform for use of health data will have the inside track on machine learning and artificial intelligence for us as patients and doctors. The more data, the better. What will be the relationship between the hospital controlled platform of today’s EHRs and tomorrow’s AI-enabled platforms? Will patients choose a doctor, a hospital, or just send health records to the AI directly? Will US health AI compete with Chinese AI given that the Chinese AI has access to a lot more kinds of data from a lot more places? The practices that will control much of tomorrows digital health are being worked out, mostly behind closed doors, by lobbyists, today.
Three years on, the nation still awaits regulations on “information blocking” based on the Cures Act. Even so, American Health Information Management Association (AHIMA), American Medical Association (AMA, American Medical Informatics Association (AMIA), College of Healthcare Information Management Executives (CHIME), Federation of American Hospitals (FAH), Medical Group Management Association (MGMA), and Premier Inc. are sending letters to House and Senate committees hoping for a further delay of the regulations.
Access to vast amounts of patient data for machine learning is also driving efforts to weaken HIPAA’s already weak privacy provisions. Here’s a very nice summary by Kirk Nahra. Are we headed for parity with Chinese surveillance practices?
For their part, our leading health IT academics propose “… strengthening the federal role in protecting health data under patient-mediated data exchange…” Where is this data we’re protecting? In hospital EHRs, of course. We’re led to believe that hospitals are the safe place for our data and patient-directed uses need to be “balanced” by the risk of bypassing the hospitals and their EHRs. Which brings us back to CARIN Alliance as the self-appointed spokes-lobby for patient-directed health information exchange.
According to CARIN, “Consumer-directed exchange occurs when a consumer or an authorized caregiver invokes their HIPAA Individual Right of Access (45 CFR § 164.524) and requests their digital health information from a HIPAA covered entity (CE) via an application or other third-party data steward.” (emphasis added) A third-party data steward is a fancy name for platform. But do you or your doctor need a platform to manage uses of your data?
HIPAA does not say that the individual right of access has to involve a third party data steward. We are familiar with our right to ask one hospital to send health records directly to another hospital, or to a lawyer, or anywhere else using mail or fax. But CARIN limits the patient’s HIPAA right of access dramatically: “All of the data exchange is based on the foundation of a consumer who invokes their individual right of access or consent to request their own health information. This type of data exchange does not involve any covered entity to covered entity data exchange.” (emphasis added)
By restricting the meaning of patient-directed access beyond what the law allows, everybody in CARIN gets something they want. The hospitals get to keep more control over doctors and patients while also using the patient data without consent for machine learning and artificial intelligence in secret business deals. The technology vendors get to expand their role as data brokers. And government gets to outsource some of their responsibility for equity, access, and patient safety to private industry. To promote these interests, the CARIN version of patient-directed access reduces the control over data uses for physicians as well as patients much beyond what the law would allow.
The CARIN model for digital health and machine learning is simple. Support as much use and sale by hospitals and EHR vendors without consent while also limiting consented use to platform providers like Amazon, Google, IBM, Microsoft, Oracle and Salesforce, along with CARIN board member Apple.
CARIN seems to be a miracle of consensus. They have mobilized the White House and HHS to their cause. Respected public interest organizations like The Commonwealth Fund are lending their name to these policies. Is it time for this patient advocate to join the party?
Some of what CARIN is advocating by championing the expansion of the FHIR interface standards is worthwhile. But before I sign on, what I want CARIN to do is:
- Remove the scope limitation on hospital-to-hospital patient-directed sharing.
- Suspend work on the Code of Conduct – here’s why.
- Separate work on FHIR data itself from work on access authorization to FHIR data.
- Do all work in an open forum with open remote access, open minutes, and an email list for discussion between meetings. Participation in the HEART Workgroup (co-chaired by ONC) and also designed to promote patient-directed uses would be part of this.
Digital health is our future. Will it look like The Mayo Platform with Google and Google’s proprietary artificial intelligence behind the curtain? Will digital health be controlled by proprietary and often opaque Google or Apple or Facebook app store policies?
The CARIN / CMS Connectathon and CARIN Community meeting are taking place this week. Wouldn’t it be a dream if they would engage in a public conversation of these policies from Alice’s perspective. And for my friends Chris and John at Mayo, what can they do to earn Alice’s trust in their Platform by giving her and her doctors unprecedented transparency and control.
Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country.