Privacy policy takes over

With help from Arthur Allen (@arthurallen202), Dan Diamond (@ddiamond) and Mohana Ravindranath (@ravindranize)

Editor’s Note: This edition of Morning eHealth is published weekdays at 10 a.m. POLITICO Pro eHealth subscribers hold exclusive early access to the newsletter each morning at 6 a.m. To learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services, click here.

PRIVACY POLICY TAKES OVER: Privacy policy was the central focus Wednesday as both the administration and Congress previewed future attractions:

— OCR RFI: The Office for Civil Rights unveiled its long-awaited request for information Wednesday, posing a battery of 54 questions about possible changes to HIPAA. The inquiries are probing whether the longstanding privacy rule should be changed to reflect the imperatives of care coordination — asking about sharing data with social services, to take one example.

They also revisit accounting-of-disclosures policy. Longtime health IT folks know that OCR was required, by HITECH, to promulgate a rule describing how patients could ask for information about how and to whom their data has been disclosed. But the office’s first crack at such a rule failed after a barrage of negative commentary, so OCR is resetting the process.

Privacy observers weren’t blown away by the RFI — for which comments are due by Feb. 11 — but were generally intrigued by some of the smaller parts.

“I suspect more hype than substance,” Matthew Fisher, a privacy lawyer with Mirick O’Connell, said regarding the ultimate effects of the RFI. Fisher believes that most of the potential data-sharing questions are already allowed under HIPAA; meaning that, were policymakers interested in substantial changes, they’d need to change statutes.

Jodi Daniel, a former ONC official and current lead of Crowell and Moring’s digital health practice, urged HHS to consider whether “the Privacy Rule should be used to require disclosures without patient consent, when there are other authorities, such as information blocking under the Cures Act, to promote information sharing.”

Other observers have other big asks on their wishlist. Alex Cooke, the director of membership for ACT | The App Association, said that it believes believe the RFI signals OCR’s intention to take steps to promote value-based care. “The thing we’ll recommend and harp on,” she said, is that the technologies falling under the business associate category — your gadgets and apps — that help connect doctors and patients aren’t forgotten.

Cooke specifically cited a desire for official guidance on texting: OCR, she said, has talked about its approach to e-mail and patient portals, but explicit, formal guidance on texting would be helpful.

New privacy bill: Sen. Brian Schatz of Hawaii — and a pretty sizable chunk of the Senate Democratic caucus — have their own take on consumer online privacy, in a new bill introduced Wednesday. The bill requires websites and app makers to secure data, inform users, and bar the use of data that harms users — and beefs up the FTC’s authority to make rules and fine offenders related to privacy. The bill specifically cites biometrics, and medical and mental health data, as sensitive information needing protection.

The legislation is another entry in the new debate over federal privacy regulations. As you’d expect, Republicans and Democrats have very different ideas about what it should look like. Kirk Nahra, a privacy lawyer with Wiley Rein, called the bill “an interesting set of ideas” but a “rough draft of concepts at this point.” We’ve covered how the national privacy debate could impact health care here.

eHealth tweet of the day: Jeffrey Lin @jeffreylinMD “Saw my third worry well today about Apple Watch. What is the appropriate use case for this new EKG tool? The technology is cool (though not that novel ie AliveCor) but Apple, what is the use case where this has been shown to improve patient outcomes.”

THURSDAY: What are you looking forward to in 2019? Share at [email protected]. Discuss socially at @ravindranize, @arthurallen202, @dariustahir, @POLITICOPro, @Morning_eHealth.

YOUR APPLE TODAY: Some noteworthy tidbits out of Cupertino:

Apple Health expands: The Apple Health juggernaut rolls out; the personal health record app has signed up six more health system partners, Ricky Bloomfield tweeted Wednesday.

Lots of doctors: Dozens of doctors work at Apple, ace CNBC reporter Christina Farr reported today, based on both inside reporting and LinkedIn searches. For what it’s worth, your correspondent did some similar reporting back in 2016, when we flagged 98 individuals with health backgrounds (of all types). We held on to the spreadsheet from our own LinkedIn searches, and virtually none of the docs’ names flagged by Farr are on our two-year-old list — so Apple appears to be bullishly charging ahead on MD hiring.

GROUP WITH LONG NAME TRIES TO SOLVE PROBLEM WITH LONG HISTORY: The National Committee on Vital and Health Statistics is meeting this week to kickstart a plan to get standards adopted for electronic transactions. Groups like HL7 and X12 create these data fields and transmission methods for health claims, electronic money transfers, pre-authorization requests and other fun communication between clinicians and the folks who pay them.

But getting the standards implemented has been a major pain. Billions of dollars and hours of time on the telephone (and fax) line are wasted because of the lack of accepted standards.

HIPAA designated NCVHS as the arbiter of the standards, which it then recommends to HHS for adoption. But HHS has been pokey at times. For example, one HL7-X12 standard to move data electronically has been sitting at HHS for 22 years awaiting rulemaking, according to Rob Tennant, policy director for health IT at the Medical Group Management Association. So NCVHS issued a draft roadmap to move forward faster earlier this year — and today is holding the second of two days of hearings to get feedback from 40 or so concerned health care citizens.

“We’re excited they’ve taken on this yeoman’s task and hope that at the end of day, standards will be adopted that meet industry needs,” Tennant said. His group wrote a letter to NCVHS last week with various complaints about HHS’s behavior on the standards issue.

ON ‘PULSE CHECK,’ STRIDE HEALTH TOUTS NEW PARTNERSHIP WITH CMS: Under a newly announced “enhanced direct enrollment” process, the gig economy workers that use Stride Health will no longer need to visit HealthCare.gov when signing up for coverage and getting verified for tax credits. Stride has suggested the partnership will help lower the uninsured rate among the millions of workers for companies like Uber and Etsy.

… POLITICO’s question: If Stride’s announcement is so important, why is it coming in the waning days of HealthCare.gov open enrollment? The years-long project was “the greatest example ... of a deep technical integration between a technology company and a government entity,” Stride CEO Noah Lang argued on the podcast. “And the reality is, it was a hard piece of technology with a number of high hurdles to clear when it comes to things like security and privacy.”

… Lang also praised the behind-the-scenes continuity at CMS, noting that tech officials under the Obama administration began setting up the new enrollment pathway that’s been newly finalized under the Trump administration. “The last CMS laid a lot of the foundation for what we’re doing now,” Lang added. Listen to the episode.

HEALTH DATA IN MORE HANDS: Stanford Medicine’s 2018 Health Trends report, introduced today, centers on one key theme: that more people and more organizations now hold more health data than ever before. Here are a few of our takeaways:

... AI could reduce costs by catching chronic conditions earlier. Since about 90 percent of health spending goes to chronic care treatment, population-level efforts could slow the onset of such conditions, slashing treatment costs.

... More accessible data means more citizen science. Efforts to make research data publicly accessible online opens the door for citizen scientists, including people who don’t have a background in health.

... Health tech needs to reexamine “trust.” Consumer tech companies are betting on the health market with devices like Apple’s heart-monitoring smart watch. But consumers don’t trust non-traditional health care groups with their medical data, even though they still look to platforms like Google, Wikipedia and Facebook for other health information. Consumer trust is complicated, authors say — and the physician-patient relationship doesn’t seem to be going anywhere.

SASSE FOLLOWS UP ON IRANIAN HACKERS: Sen. Ben Sasse has taken an interest in the Iranian hackers indicted by the Department of Justice in November. The two hackers had prosecuted a years-long ransomware campaign that hit OrthoNebraska, a group located in the senator’s home state. He sent a letter to the department requesting more details on the attack and the evolution of ransomware hacks in general. Read the full letter here.

Penn’s Regulatory Review discusses the HIPAA privacy rule.

Teladoc hit with class-action lawsuit over salacious investigative report on CFO.

Correction: The Dec. 12 edition of Morning eHealth presented a count of OCR’s settlements and fines in 2018 as comprehensive, rather than specifically related to digital technology. A separate item misidentified the office presenting a VA data architecture plan.