Investment in health tech startups reached over $15 billion in 2020—a big increase from $10.6 billion in 2019. While the pandemic has driven much of this growth, the upshot is that companies developing healthcare applications have more resources than ever to adapt to the Cures Act Final Rules.
With the CURES Act Anti-Information Blocking Rule finally in place, Americans theoretically have instant access to their medical records. And, while the technology to fully leverage this is still being developed - we are poised to see plenty more tech companies enter this space and deliver new solutions to patients.
Advances in digital health service delivery had been hamstrung by the inability to gain real-time access to patient's electronic health records (EHRs). This was partly due to the practice among record holders of putting up barriers, known as information-blocking. And also partly due to the technical challenges of retrieving this data, which was further stymied by information-blocking. In effect, this has meant that digital health companies have had one hand tied behind their back while providing services to patients or consumers.
But with the anti-information blocking rule now live, record-holders are prohibited from blocking access to EHRs. And with this regulation in place, technological solutions can be built that will deliver the long-held dream of enabling Americans to manage their healthcare in the same way they manage their finances - from the comfort of their smartphones.
However, while this is undoubtedly great for patient choice and access, platform providers must not lose sight of data privacy and protection. And this is all the more pertinent, considering HIPAA regs do not extend to these providers.
With the CURES Act breaking apart the control and management of EHRs away from traditional health exchanges, we’re entering a new paradigm for medical data usage. Digital health companies will not only be able to pull EHR data into their platforms, but they will also be able to share data back into health exchanges and update existing records.
This has caused some anxiety among provider groups, particularly regarding their liability once data goes out the door. This is specifically regarding HIPAA compliance, a federal law protecting sensitive medical data from being disclosed without a patient’s consent.
However, the Department of Health and Human Services (HHS) has clarified that “once protected health information has been shared with a third-party app, as directed by the individual, [EHR providers] will not be liable under HIPAA for the subsequent use or disclosure of electronically protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate.”
But what about the health apps receiving and processing EHRs and their liability with regards to HIPAA? Well, in many cases, this doesn’t apply, as they won’t meet the definition of a HIPAA-covered entity. Furthermore, the Anti-Information Blocking Rule means that EHR holders cannot refuse to send data to an app if a patient requests this, regardless of what security standards the app possesses.
While HIPAA regulations may not currently apply to most health apps, these operators still have a duty of care to their users regarding both data security and privacy.
When it comes to data security, principles that all app developers should heed when building their services include the following:
Beyond data security considerations, digital health providers and users need to also carefully consider the types of privacy policies that should accompany these services. This is all the more pertinent considering that a recent study found that 79% of health apps studied routinely shared user data but lacked transparency around this.
Here are key considerations all developers should have in mind with regards to privacy policies:
Investment in healthtech startups reached over $15 billion in 2020, a big increase from $10.6 billion in 2019. While the pandemic has driven much of this growth, the upshot is that companies developing healthcare applications have more resources than ever to adapt to the Cures Act Final Rules.
The HHS envisions a wide ecosystem of apps and services to benefit patients in everything from pricing and transparency to quality of care.
Underlying all of this development will be an expectation of privacy that can be conveyed to the consumer through robust privacy policies, strong data protections, and a design philosophy that bridges the gap between the provider’s EHR and the needs of each patient.