An ongoing U.S. Department of Health and Human Services rulemaking seeks to increase the interoperability of electronic health records (there are two related rulemakings: one by the Centers for Medicare & Medicaid Services and one by the Office of the National Coordinator for Health Information Technology).
The comment period for both rulemakings has closed. While increased interoperability is generally a good thing, as well as something required by the 21st Century Cures Act, it also presents a serious privacy dilemma. Patient access to interoperable health records is good, but making those records readily available to patients will lead to widespread commercial access and use outside the health care system.
In describing the dilemma, it is necessary to ignore some related issues along the way, including the consequences of interoperable health records for increased and unwanted surveillance of consumers, new health identifiers, compounding of data errors, and the inability of consumers to fix those errors.
We begin with the first prong of the dilemma.
It follows from basic fair information practices and from the Health Insurance Portability and Accountability Act itself that patients have a right to see and have a copy of their health records. HIPAA has shortcomings in that it does not require full patient access, but that’s another issue ignored here. Interoperability will make patient records more accessible to patients and more useful to them. Those are good things. Full stop.
The second prong is that many health records available to patients through greater interoperability will end up in the hands of third parties, including banks, data brokers, marketers, merchants, crooks, big tech companies and an untold number of websites. The result is that providing patients with ready access to their electronic records will have significant deleterious effects on patients, their privacy, the practice of medicine, the cost of health care, and other institutions and policy objectives. These are bad things. Full stop.
It is useful to understand the extent to which personally identifiable health information is routinely bought and sold today. For example, you can buy lists of diabetic patients by type of treatment (e.g., insulin, oral drugs) and by actual drug used (e.g., Avandia, Glucophage). Phone numbers and email addresses are available. Lists and profiles reflect nearly every patient ailment, from the most common to the most obscure.
Health records subject to HIPAA are rarely the source for records used in commercial data activities. Rather, the records come from data subjects, social media, email read by email providers, surveys completed by patients, IDs retrieved via cookies and otherwise from web surfing, health apps, and in other ways. In 2016, there were more than 165,000 health and wellness apps available through the Apple App Store alone.
With electronic records in patient hands, commercial data users will have more complete, more accurate and more current data. New industries devoted to obtaining and exploiting digital health records from patients will appear. Apps will compete to host records for patients, offering sweepstakes, T-shirts and maybe even cash. A health record can be exploited for the life of the patient and for the lives of blood relatives. Full digital health records shared with patients will pour out into the hands of third parties that are entirely unregulated for privacy in the United States.
The uses of these records for advertising are obvious. But that advertising will become much more ubiquitous and much more targeted than today. Anyone with a formal diagnosis of diabetes, arthritis, psoriasis or any of a hundred other conditions will be harassed by targeted ads (for high-priced, patent-protected drugs) wherever they turn. So will their relatives. Secondary uses for consumer scoring will abound.
We will also have more data breaches, more medical identity theft, and probably more malpractice suits. Just wait for the ads from lawyers asking patients to share their records to look for evidence of malpractice. Crooked Medicare clinics will find new sources of patient data for illicit billing. Health care costs will rise.
Notwithstanding all the above, I’m still for patient access to records. There is no retreat on that front. What to do?
In theory, Congress could pass new privacy laws that could help. That won’t happen any time soon.
There’s no hope that the Federal Trade Commission can do anything useful with its existing authority. It can’t write rules, and it will never produce or enforce guidance. It can’t oversee the hundreds of thousands of companies in this space.
The Department of Health and Human Services has no jurisdiction over entities outside of HIPAA. HHS could try to force HIPAA-covered entities to exercise some oversight, but most covered entities have no relevant capabilities. Frankly, HHS already made things worse by requiring covered entities to share patient records with anyone at patient direction. If a covered entity gets a signed patient consent giving Junk Mail America access to a patient’s health record, the covered entity must turn over the record.
Self-regulation for privacy has been an abject failure. There is no chance that the hundreds of thousands of companies that are or would traffic in health information could police themselves.
We can’t rely on patients either. Some individuals know how to manage their privacy, but it’s too big and too hard a job for most. Remember that these are the same folks who routinely turn their personal information over to big tech companies with few limits. Consumer education always sounds promising, but there are literally dozens of other consumer issues for which education is also a solution. Consumers don’t have the time.
Would anything help?
Frankly, the best hope is delay. HHS should drag its feet, go back to Congress, and ask for privacy legislation. If and when Congress acts in three or four or more years, there will be time to issue a final interoperability rule. The substantive issues in the rulemaking are pretty challenging, and it will take the health industry some time to adopt any solutions. With a hard issue and a bureaucracy approaching a presidential election year, we might get some delay for free.
I wish I had a better answer. There’s a reason it’s a dilemma.