Skip to page content

Epic Supports Patients’ Access to Their Data, Proposes ONC Rule Solutions to Protect Privacy

Posted to the homepage on January 27, 2020

Epic strongly agrees with the goal of the Office of the National Coordinator for Health IT (ONC) to support patients’ ability to access their data. For decades, Epic has been enabling this access, starting with the creation of the MyChart patient portal 20 years ago. From there, Lucy (2010) allowed patients to download health information to a file or a thumb drive, and Share Everywhere (2017) allowed patients to share personal health information with anyone in the world who has internet access.

We appreciate that HHS is trying to make their proposed rule for data sharing better for patients and has been listening to many voices. We recommend necessary solutions before the ONC rule is finalized to prevent serious risks to patient privacy.

Recommendations to help ONC avoid privacy risks for family members and for patients:

By requiring health systems to send patient data to any app requested by the patient, the ONC rule inadvertently creates new privacy risks.  According to a recent study, 79% of health care apps resell or share data[i], and there is no regulation requiring patient approval of this downstream use. There are two highly likely patient privacy risks.

  • Family member data may inadvertently be shared. The data sent to the apps might include family member data, without the patient realizing it and without the family members’ knowledge or permission. Almost all medical records contain family history, which may be threaded throughout the record.

After surgery, Jim’s doctor wants to prescribe an opioid for Jim during his recovery. Jim prefers not to take an opioid because his brother Ken struggles with addiction.  The doctor makes a note about that in Jim’s medical record.  When Jim’s health data is sent to an app, and that data is used, shared, or sold, Ken’s addiction status may become public without Ken’s knowledge or permission.

Jim and Ken’s story is similar to what happened to Facebook friends who did not give their approval for their information to be harvested by Cambridge Analytica

  • Apps may take much more of the patient’s data than the patient intended. There are no transparency requirements to make it very clear to the patient what data the app is taking and what the app will do with that data.

A wellness app offers Liz a cholesterol study and asks her to approve sending the app her lab results. Liz does not realize that the app has gathered all of her lab results, including sensitive information such as her pregnancy status and STD testing results. She does not know that the app will sell that data.  Once her health information is out, she cannot pull it back.

We have always, and will always, support patients’ right to use their data as they see fit. However, it is the role of government to ensure that patients have the information they need to make those decisions knowledgeably, like they have for nutrition and food or labels in the clothes they buy. Patients must be fully informed about how apps will use their data, and apps and other companies must be held accountable to honor the promises they made to patients.

For patients to benefit from the ONC rule without these serious risks to their privacy, we recommend that transparency requirements and privacy protections are established for apps gathering patient data before the ONC rule is finalized.

Epic does not typically comment publicly on national policy issues. However, our goal is to keep the patients at the heart of everything we do, and we must speak out to avoid a situation like Cambridge Analytica. The solution has a clear precedent in HIPAA protections, and creating similar protections that apply to apps would make a difference in the privacy and well-being of millions of patients and their families.

[i] Grundy, Q., Chiu, K., Held, F., Continella, A., Bero, L., & Holz, R. (2019). Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis. BMJ 2019, 364–1920. doi: 10.1136/bmj.l920.