Sharing your personal health data with apps, doctors and hospitals will get easier under new federal rules, announced Monday, that are likely to sharpen a debate over patient privacy.
By standardizing the way data must be shared and mandating that individuals have digital access to their own health records, the regulations are widely expected to benefit a mushrooming industry around health data. The records hold a wealth of intimate information—the history of patients’ illnesses, prescriptions, laboratory results and sometimes genetics—and are seen as increasingly valuable to companies that can crunch vast databases to develop health-care services.
Apple Inc., Alphabet Inc.’s Google and Microsoft Corp., which are making inroads in health care, have generally backed the main rule, as have some consumer groups. Consumers often face barriers to getting personal medical information to share between doctors or feed to smartphone apps and web portals that provide health services. Today, patients often still need to carry printouts or physical discs to a new doctor’s office or input data by hand.
The final rules, issued by two different agencies within the Department of Health and Human Services, include provisions to ease access to digital health records. There are also changes that could force more disclosure to consumers about apps’ privacy policies, according to federal officials who shared details with The Wall Street Journal.
The main new rule sets technical standards that will allow app developers or others with authorization to connect digitally with hospitals and doctors' offices and pull data such as medications, lab test results and vital signs like blood pressure.
Another provision will require health insurers that offer government-backed plans—such as Medicare Advantage, managed Medicaid and Affordable Care Act exchange coverage—to open up similar seamless digital access to claims data for consumers, including information on costs of services, according to federal officials.
One upshot: Consumers might be able to organize information from all the different doctors and hospital systems they visit, as well as their health insurers, in one tool on their smartphones.
“It will be absolutely transformative,” said Ken Mandl, a Harvard professor who directs a health-informatics program at Boston Children’s Hospital. “No one can get data out of [electronic health records] into applications in a standardized, effective way, so we don’t get innovation at scale.”
Trump administration officials said the rules will encourage the development of new digital tools to help consumers.
“This will allow them to have their complete medical record at their fingertips,” said Seema Verma, the administrator of the Centers for Medicare and Medicaid Services, which is issuing one of the rules.
But the rules will also likely amplify a debate over patient privacy protections, which have drawn increasing public attention as hospitals strike data-sharing deals with companies such as Google and Microsoft.
As patients begin more easily offering up their health data to apps, they will be navigating a complicated privacy dynamic. The main federal law that protects health data, the Health Insurance Portability and Accountability Act, or HIPAA, applies to physicians and health-care companies, as well as third parties that work with them, such as the technology firms with which hospitals share data.
Tech firms that get health data directly from consumers—or from doctors or hospitals that release it based on a consumer’s authorization—aren’t generally subject to HIPAA. They are overseen primarily by the Federal Trade Commission, which focuses largely on whether companies adhere to their own privacy policies.
“There is a legitimate concern that people will be sharing their sensitive health information with organizations that can use and sell that information however they want,” said Joy Pritts, a consultant who is a former federal health-privacy official. “They are restricted by their terms of service, but we all know that no one reads them.”
Trump administration officials said the rules enable hospitals, doctors and insurers to check apps’ privacy policies and share information about them with consumers. Patients will also be able to select which particular data elements they want to share. Health-care providers can warn consumers when their data might be leaving the protections of HIPAA.
“This information cannot just accidentally…sneak out,” said Don Rucker, the national coordinator for health information technology at HHS. “This is a much more explicit process” than the typical click-through agreement, he said.
Details of the rules had been hotly contested during their development.
Some of the strongest opposition has come from Epic Systems Corp., a privately owned electronic-health-record company that is one of the largest. Epic Chief Executive Judy Faulkner urged the company’s hospital customers to push back on proposals released last year, warning of fines for noncompliance, disruption to hospitals’ technology systems and patient-privacy risks.
“You don’t want unintended consequences,” Ms. Faulkner told customers who gathered at the company’s Verona, Wis., campus in August for one of its annual meetings.
In written comments filed with regulators, Epic strongly objected to a proposal that people such as doctors and health-care-software engineers should be able to share screenshots of electronic health records to disclose problems in areas like usability. The final rule says EHR vendors can’t block screenshots or brief videos from being shared but could set some limits, according to federal officials.
Patient-safety experts have called for sharing of screenshots to flag issues that can lead to medical errors. Epic told regulators it would support screenshot sharing with patient-safety organizations.
“The rule is very important to health systems and their patients, so we will read it carefully to understand its impact before making judgments,” the company said before the final rules were released.
One of the new rules includes a requirement for hospitals to provide digital notifications to other health-care providers when their patients are admitted, transferred or discharged. The rule says that hospitals must do so to participate in the Medicare program. Hospitals had argued that the mandate shouldn’t be tied to Medicare participation.