Medical records companies baulk at sharing data with CDC

Electronic health records companies have prevented covid-19 data from being shared with the US Centers for Disease Control and Prevention, a congressional committee has heard.

Graham Dufault, a senior director at the Washington, DC trade group The App Association, told the Senate Committee on Commerce, Science and Transportation this week that members of his organisation had cited data suppliers’ privacy concerns as a blockage to health data sharing.

According to Dufault, one of his organisation’s members is a startup called Particle Health, which has built a platform that has access to medical records for some 250 million Americans – allowing patients to easily access and share their health data.

Dufault said Particle Health wants to provide the CDC with “limited” access to this platform for covid-19 research purposes. However, electronic health records (EHR) companies – the sources from which Particle Health has built its platform – have blocked these efforts. According to Dufault, EHRs do not allow records sharing for non-treatment reasons, including public health purposes.

“EHRs have emerged as a chokepoint for healthcare data that patients should otherwise be able to use as they wish,” he said.

Dufault said EHRs have cited the Health Insurance Portability and Accountability Act (HIPAA) as their reason for preventing data sharing, though he was dubious of this claim: “HIPAA is supposed to make data portable, as the name suggests,” he said.

The Department of Health and Human Services (HHS) last month issued regulations aimed at improving healthcare data interoperability. Dufault said these regulations will require EHRs to honour patient requests to transfer their data to a third party, subject to a variety of restraints and caveats.

But the rules will be implemented over a phased, two-year period, Dufault said. The rules were not a part of the HHS’s emergency action last month, which suspended certain HIPAA rules during the covid-19 crisis, but were issued earlier in the month as part of the Trump administration’s mandate to promote competition in the healthcare sector.

Dufault told the committee that the interoperability rules should be implemented as soon as possible.

“If they had been implemented several years ago, we would have been in a better position to respond to the crisis armed with big data tools,” he said. “The covid-19 pandemic has only intensified the need for patients to be able to access their own health data as soon as possible, especially for those who are at risk and need their health histories to help providers understand the patient’s level of exposure risk.”

Senator Cory Gardner pushed back on Dufault’s testimony. “You criticize EHRs as a ‘chokepoint’ … [but] numerous technology companies have been criticized for the lack of transparency into their data policies and confusing privacy regimes that leave users without a firm understanding of how their data will be used and maintained,” Gardner said.

Gardner asked Dufault whether his members will publish clear and transparent policies that ensure patients know how their data is being used.

Dufault responded that the senator’s criticism is a “fair point,” and that his association urged the HHS to make sure app developers have strong privacy policies. He said the health authority has included a number of privacy requirements in its recent interoperability regulations.

“This is an important measure to inform patients as they consider options with respect to their healthcare information. However, it is not a substitute for a strong, national privacy framework,” he said. “We strongly encourage Congress to develop a single, national set of privacy rules to govern the processing and transfer of data under the FTC's broad jurisdiction.”
