ACP Champions Greater Protection of Personal Health Information Shared Via Apps


Recently published policy paper outlines necessary changes for improving the existing health information privacy framework

May 7, 2021 (ACP) -- Amid the acceleration of technology that collects patient data, the American College of Physicians is calling for updated privacy regulations that better safeguard patients' personal health information and improve patient trust in digital health technology.

Most patients have apps that track their daily steps, sleep, meditation habits, glucose levels, blood pressure or other important health data, which hold patients accountable to lifestyle changes and help physicians better counsel and manage patients' health in real time. However, health information gathered by apps and websites may not be well protected.

Since HIPAA was first signed into law in 1996, technology has changed significantly, explained ACP President Dr. Jacqueline W. Fincher. “HIPAA looked at privacy of health information being exchanged between direct medical organizations such as physician offices, hospitals and insurance companies,” said Fincher. Today, this health information is shared with numerous parties both within and outside of traditional health care.

“All of these new apps and websites are collecting patient data and may be making money off their use without any guardrails and regulation,” she said. “Most of the population doesn't realize how much is unregulated and, therefore, at risk.”

In a new policy paper, ACP outlines the changes necessary to improve the existing health information privacy framework and to extend the privacy regulations and standards to which physicians have been held to entities not yet governed by privacy laws and regulations. The policy paper, titled “Health Information Privacy, Protection, and Use in the Expanding Digital Health Ecosystem: A Position Paper of the American College of Physicians,” is published in the April 27, 2021 issue of the Annals of Internal Medicine.

ACP built its health information privacy policy for the evolving digital health landscape on six principles:

1. Protecting the privacy and security of personal health information collected within and outside the health care system is essential for fostering trust in the digital health care system.

ACP is proposing that all stakeholders agree to play by the same rules. This starts with analyzing where we are now, Fincher said. “States have different rules, and at the federal level, there are rules under the U.S. Centers for Medicare & Medicaid Services and the Federal Trade Commission,” she said. These entities must ultimately come together to develop and implement any new regulations.

The next step is to identify any gaps in the privacy of patients' health information. The biggest gaps appear to be with mobile apps. “There is a huge burgeoning field of commercial apps, and they are not regulated in terms of privacy policies, so patients are innocently inputting personal information that they think is private, but it's not,” Fincher said.

2. Transparency and public understanding must be increased, and models of consent should be improved regarding the collection, exchange and use of personal health information.

“The new regulations must be transparent and understandable to those who are providing the information, so they understand how it is being used,” Fincher said. Updated regulations must also be adaptable to all types of apps and technologies.

3. Confidentiality of personal health information is a fundamental aspect of health care.

4. Health information technology and other digital technologies should incorporate privacy and security principles within their design.

Exactly what new health information technology privacy and security protections will look like is a work in progress, Fincher said. “It has to be comprehensive and involve everyone handling any personal health information,” she said, adding that these parties must be held accountable for maintaining confidentiality, privacy and security of that information and should incorporate privacy and security principles within their design.

5. There must be oversight and enforcement to ensure that all entities not currently subject to HIPAA rules that interact with personal health information are held accountable.

6. Testing of privacy and security measures is essential before implementation, and these measures should be regularly reevaluated.

These new approaches to privacy and security measures should be regularly reevaluated to assess their effect in real-world health care settings, Fincher said. “Patients' personal health information should always be protected -- and that's the real goal of this policy paper and the recommendations it includes,” she said.

More Information

The position paper, “Health Information Privacy, Protection, and Use in the Expanding Digital Health Ecosystem: A Position Paper of the American College of Physicians,” is available on the Annals of Internal Medicine website.


Back to the May 7, 2021 issue of ACP Advocate