How Digital Health Platforms Should Secure Patient Data Now the CURES Act is Live

With the CURES Act Anti-Information Blocking Rule finally in place, Americans theoretically have instant access to their medical records. And, while the technology to fully leverage this is still being developed - we are poised to see plenty more tech companies enter this space and deliver new solutions to patients.

Advances in digital health service delivery had been hamstrung by the inability to gain real-time access to patient's electronic health records (EHRs). This was partly due to the practice among record holders of putting up barriers, known as information-blocking. And also partly due to the technical challenges of retrieving this data, which was further stymied by information-blocking. In effect, this has meant that digital health companies have had one hand tied behind their back while providing services to patients or consumers.

But with the anti-information blocking rule now live, record-holders are prohibited from blocking access to EHRs. And with this regulation in place, technological solutions can be built that will deliver the long-held dream of enabling Americans to manage their healthcare in the same way they manage their finances - from the comfort of their smartphones.

However, while this is undoubtedly great for patient choice and access, platform providers must not lose sight of data privacy and protection. And this is all the more pertinent, considering HIPAA regs do not extend to these providers.

Health Apps and HIPAA

With the CURES Act breaking apart the control and management of EHRs away from traditional health exchanges, we’re entering a new paradigm for medical data usage. Digital health companies will not only be able to pull EHR data into their platforms, but they will also be able to share data back into health exchanges and update existing records.

This has caused some anxiety among provider groups, particularly regarding their liability once data goes out the door. This is specifically regarding HIPAA compliance, a federal law protecting sensitive medical data from being disclosed without a patient’s consent.

However, the Department of Health and Human Services (HHS) has clarified that “once protected health information has been shared with a third-party app, as directed by the individual, [EHR providers] will not be liable under HIPAA for the subsequent use or disclosure of electronically protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate.”

But what about the health apps receiving and processing EHRs and their liability with regards to HIPAA? Well, in many cases, this doesn’t apply, as they won’t meet the definition of a HIPAA-covered entity. Furthermore, the Anti-Information Blocking Rule means that EHR holders cannot refuse to send data to an app if a patient requests this, regardless of what security standards the app possesses.

Data Security Considerations for Health Apps

While HIPAA regulations may not currently apply to most health apps, these operators still have a duty of care to their users regarding both data security and privacy.

When it comes to data security, principles that all app developers should heed when building their services include the following:

• SSL encryption: With Google pushing for “HTTPS Everywhere,” SSL/TLS certificates are more relevant than ever. This level of encryption will help to secure patient data both when stored and in transit.
• Locally-based data storage: Where you store encrypted data is another decision that requires careful consideration. For maximum security and oversight, consider using on-premises servers that are based within the USA.
• Multi-factor authentication (MFA): Accessibility measures considered optional or nice-to-have in other apps may become standard in healthtech. An extra layer of privacy protection that makes apps less instantaneous but far more secure will be needed to ensure only the patient is accessing their data.

A Focus on Privacy Policies

Beyond data security considerations, digital health providers and users need to also carefully consider the types of privacy policies that should accompany these services. This is all the more pertinent considering that a recent study found that 79% of health apps studied routinely shared user data but lacked transparency around this.

Here are key considerations all developers should have in mind with regards to privacy policies:

• How is the data shared? Arguably the single biggest concern among users is how their data is used and shared by app providers. There are, of course, clear commercial incentives to sharing data with advertisers, and this paradigm is what we’re all now accustomed to with digital services, particularly freemium models. However, we could find that health app users become far less comfortable with this, enabling those providers who do not share data to market this as a clear differentiator.
• What are the user’s rights? A health-tech company may know the types and amounts of data they receive from consumers, but the patient can’t be left in the dark. Clear guidance on not only what is being collected but also how to request a copy is essential.
• What are the harm reduction measures? Server-side protection, disaster recovery plans, anonymized data—healthcare information is vital, and efforts to reduce the risk of exposure need to be conveyed to the user.

The Bottom Line

Investment in healthtech startups reached over $15 billion in 2020, a big increase from $10.6 billion in 2019. While the pandemic has driven much of this growth, the upshot is that companies developing healthcare applications have more resources than ever to adapt to the Cures Act Final Rules.

The HHS envisions a wide ecosystem of apps and services to benefit patients in everything from pricing and transparency to quality of care.

Underlying all of this development will be an expectation of privacy that can be conveyed to the consumer through robust privacy policies, strong data protections, and a design philosophy that bridges the gap between the provider’s EHR and the needs of each patient.