New third-party healthcare data rules: Increased access alongside privacy considerations

It would be an understatement to say that 2020 is a monumental year for healthcare. The COVID-19 pandemic brought many aspects of care to the forefront – from technology and its ability to connect us, to the necessity for records to be quickly disseminated to patients and their providers, and patients’ rights to exercise informed control over their treatment.


In early March, as COVID-19 impacted areas of the U.S., new healthcare data rules were issued by the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) to “give patients unprecedented safe, secure access to their health data” so that they can better manage their care.

Currently, many large healthcare organizations share patient information via health information exchanges (HIEs), which are strictly regulated by HIPAA and other similar laws. Under the new rules, patients can choose to have their health records shared with third-party applications that will use the approved API outside of HIPAA’s controls.

There are several federal agencies that will have influence over the development, implementation, and oversight of these applications. For example, if the application is considered a medical device (i.e., software-as-a-medical device), the FDA would oversee how these apps are developed.

Under the purview of HIPAA and new breeds of state privacy laws and regulations, these apps will need to be built with security and privacy in mind, governed with the right controls, and provide appropriate patient verification and authentication. This will fundamentally alter how health data is exchanged between insurers, patients and providers by broadening the scope, but could also open the door for large technology enterprises, many with questionable track records for consumer privacy, to enter the space.

The new rules are intended to empower patients with greater control over their health data: to access their health information and to share it when and with whom they choose. Compiling health records from all healthcare providers into one application would provide a single source of truth to help patients see the full landscape of their treatments.

The changes to the ADT requirements will offer similar benefits for practitioners by streamlining information sharing between large healthcare systems, smaller practices, and specialists caring for the same patient. Combining the API with rapid event notification services would allow providers to hold the most current health information, because these apps are connected in real time. This has the potential to give independent care teams a comprehensive, timely, and relevant platform for ensuring the health and well-being of their patients.

For example, all providers could be notified if their patient tested positive for a virus, or, in a medical emergency, receive a patient’s latest stats to provide lifesaving background information. It would also give organizations advance notice to prepare and triage patients during a significant health crisis.

An app developed to aggregate information collected from providers, payers, and the patient can notify anyone the patient wants informed.

With all the benefits and promises that this legislation provides, there are several considerations that must be weighed due to the inherent sensitivity of patient health information. Regulations such as HIPAA may not apply to third-party applications, which shifts the onus of privacy to patients and forces them to make informed decisions about whether to trust the organization that developed an application offering these capabilities.

A patient would need to ask: “Do I trust that this app has the appropriate security and privacy safeguards?” It’ll be even more crucial that patients now read the fine print in those complicated and (seemingly) never-ending user agreements. These are where patients give permission for the app developer to store, share, sell, and use their most sensitive information.

Before granting permission, patients will increasingly need to understand how their data will be used and shared. Information is an extremely valuable asset. If the company behind the application is for-profit, then a patient should understand the motive for collecting and using their information.

For practitioners, there are still several unknowns around the mainstream execution and adoption of a third-party application system.

Healthcare organizations will eventually be required to utilize the API of these apps for secure data transfer, which could be a burden for smaller practices, and there is industry interest in aggregating records into a single source to assist with diagnostics. However, how would corrections or changes be uniformly executed if the patient’s records are dispersed across multiple organizations or platforms? Without a clear authority to enact the modifications, this could create confusion and misinformation.

Additionally, the security of the app will be crucial to safeguard this information, along with the right controls and verification and authentication checks. A data breach from these types of applications could trigger catastrophic impacts, such as reputational damage if sensitive patient information is leaked, or fraud results from malicious access to financial information.

Today, a batch of highly detailed healthcare data on the Dark Web is priced between $100 and $500, according to RSA. Compare that to stolen bank account credentials, which range in price from $3 to $24, and you see why patient data is a target for cybercrime.

The convergence of healthcare and technology holds great potential to democratize patient information and enhance practitioners’ ability to provide comprehensive care.

But the complexity of this new legislation creates information privacy risks such as the industry has never seen before. There are still many unanswered questions about the realities of broad technology adoption, and updated legislation and Federal oversight that reflect the current technology environment are needed to help close the gaps.

These changes in information sharing and care are inevitable and needed, so providers should take it upon themselves to ensure they are informed and prepared to adapt in order to best treat their patients. If we start seeing these capabilities embedded in consumer apps, and done in a responsible, collaborative manner, then the patient will be put first, and as the CMS says, “[given] access to their health information when they need it most and in a way they can best use it.”
