HIPAA revamp talks gain momentum on the Hill

With help from Arthur Allen (@arthurallen202) and Darius Tahir (@dariustahir)

Editor’s Note: This edition of Morning eHealth is published Mondays, Wednesdays and Fridays at 10 a.m. POLITICO Pro eHealth subscribers hold exclusive early access to the newsletter each morning at 6 a.m.

Quick Fix

ONC head Don Rucker is slated to speak today at the Connected Health Initiative’s privacy briefing; we’ll be listening for any hints about the interoperability rule that hit OMB last month. Here’s what else we’re tracking:

— HIPAA revamp talks gain momentum on the Hill: Sens. Bill Cassidy and Jacky Rosen are the latest lawmakers to introduce legislation addressing gaps in federal privacy protections.

— What we don’t know about Apple Watches: The results from a massive study of the atrial fibrillation detection system are in, and they’re mixed.

— Surprise! EHRs are worse than microwaves: A first attempt to quantify just how unusable EHRs are pegs them well below Google searches, microwaves and GPS.

eHealth Tweets of the day from The Hill’s Emily Birnbaum, from a hearing with empty chairs and namecards for Mark Zuckerberg and Tim Cook: @birnbaum_e “I think the House Small Business Committee is a little frustrated that Apple and Facebook did not accept their invitation to a hearing about Big Tech’s impact on small business today”

@birnbaum_e “empty seat move: strongest subtweet authority available to Congress.”

It’s FRIDAY at Morning eHealth. What health tech stories flew under the radar this week? Tweet the team at @arthurallen202, @dariustahir, @ravindranize, @POLITICOPro and @Morning_eHealth.

Driving the Day

GOOGLE MOVE SPURS BILLS, HEARINGS AND OUTRAGE IN WASHINGTON — Lawmakers are closely following an agreement between Google and Ascension that grants the tech giant access to tens of millions of patient records. Sen. Bill Cassidy (R-La.), for instance, is corralling his colleagues for a hearing examining tech companies’ HIPAA compliance; on Thursday he also introduced a bill, along with Sen. Jacky Rosen (D-Nev.), that would stop businesses from selling and sharing data gathered by fitness trackers.

... Sens. Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska) endorsed HHS’ investigation of Google’s partnership with Ascension, noting that the arrangement “raises significant questions concerning the safeguarding of private data.” They also plugged their bill, S. 1842 (116), which would direct HHS to come up with privacy rules for companies that sell health-related products but are not governed by HIPAA, such as apps and direct-to-consumer genetic tests.

It’s not clear what OCR’s investigation will turn up, and it’s possible that the deal is legal under standard business associate agreements, experts say. But “[t]here’s a world of difference between standard data-sharing arrangements with a trusted tech company, and a partnership with the world’s biggest advertising firm,” Sen. Marsha Blackburn (R-Tenn.), who leads the Senate Judiciary Committee’s Tech Task Force, told us.

Marc Rotenberg, president and executive director of the Electronic Privacy Information Center, told Morning eHealth that Google and Ascension’s deal should “set off alarm bells,” but that regulators should proceed gradually: First they should establish whether the agreement is lawful under HIPAA, including whether Google’s de-identification techniques are adequate, then consider whether HIPAA regulations are relevant given the development of new technology over the past two decades, and then potentially push for an update.

... AMIA’s Jeff Smith warned against losing sight of risks consumers face outside the traditional health system, which at least is governed by HIPAA. Whatever the agreement between Google and Ascension — neither group responded to POLITICO’s requests for details — “it likely has had dozens of lawyers and HIPAA compliance experts evaluate at granular detail the contours of how the data can be used.”

When patients share their data outside of the traditional health system, “a terms of service agreement is equivalent to and substitute for informed consent,” Smith said. “And even the FTC would be helpless to enforce some pretty disturbing behavior as long as it was spelled out in the fine print.”

Technology

APPLE HEART WATCH STUDY DELIVERS EQUIVOCAL RESULTS — A massive, nearly 420,000-person study of Apple Watch’s much-hyped atrial fibrillation algorithm has delivered equivocal results. The study, appearing in the latest New England Journal of Medicine, was conducted primarily by Stanford researchers and sponsored by Apple.

One aspect was a success, outside researchers and the authors agreed: It showed that you can quickly and affordably scale up a very large research study examining patients around the country. That’s definitely helpful given the problems researchers have in recruiting study subjects with a limited budget.

But the study was fuzzy about the efficacy of the product itself, which Apple has tried to promote as a life-saving device. Cardiologists have questioned whether deploying an atrial fibrillation detection algorithm at scale will be helpful, as it might unleash a wave of false positives. And it’s unknown whether or not detecting atrial fibrillation among younger, healthier people is all that helpful.

“We don’t know the rate of false positives from this study,” Ethan Weiss, a University of California, San Francisco cardiologist, said. “We really don’t know rate of false negatives. We also don’t even technically know that a true positive was an actual positive.”

The study found that about .5 percent of trial participants got irregular pulse alerts. Of that number, 150 eventually had a confirmed diagnosis of atrial fibrillation. While the researchers caution that the study wasn’t designed to serve as an assessment of the product as a screening tool, Twitter wags nevertheless had their day. “At >$1 million per case of afib detected, the key question is this: did the people like their Apple Watches?” asked Jeremy Sussman, a VA doctor and researcher at the University of Michigan.

... Also on Apple, the company is announcing new observational health studies related to menstruation, hearing and mobility, Stat’s Rebecca Robbins reports.

SPEAKING OF BIG TECH ... CICILLINE SUGGESTS HALTING TECH MERGERS — David Cicilline (D-R.I.), chair of the House Judiciary antitrust subcommittee, floated the idea this week of stopping Silicon Valley companies from making any acquisitions until the federal government’s antitrust enforcers are done with their probes, our POLITICO colleague Cristiano Lima reports. Cicilline pressed Justice Department antitrust chief Makan Delrahim at a hearing this week on whether he’d consider a “merger moratorium for dominant platforms.”

... “Delrahim, whose department announced a broad investigation into the online marketplace that has in part targeted Google, expressed openness to the idea,” Cristiano writes.

EHRs IN THE BOTTOM 9TH PERCENTILE FOR USABILITY — A study in Mayo Clinic Proceedings found a strong relationship between physicians’ burnout levels and poor EHR design, which the lead author says means that usability scores should figure prominently in an upcoming registry of customer reviews of health IT.

Researchers polled physicians about their experience using any EHR product, as well as their feelings of professional burnout. Odds of burnout dropped 3 percent for every one point more favorably that respondents rated their EHR experience.

... The AMA-funded study appears to be a first attempt to compare EHRs to other tech products using a commonly used design benchmark known as the System Usability Scale, which asks respondents questions about how easy or difficult it is to use a certain product. A previous study scored Google searches at 93, microwaves at 87 and Excel spreadsheets at 57. EHRs as a whole scored 45, placing them in the bottom 9th percentile of products whose usability has been measured using this system.

As ONC develops the 21st Century Cures Act-mandated EHR reporting program, usability should be a strong component, lead author Ted Melnick told POLITICO.

Eye on FDA

PATIENTS WANT TO BE IN THE LOOP ON CYBER RISKS — That’s just one of the lessons FDA leadership picked up this year from a discussion on patient engagement and medical devices, according to a new blog post from acting CIO and principal deputy commissioner Amy Abernethy and Suzanne Schwartz, deputy director of the office of strategic partnerships and technology innovation at the Center for Devices and Radiological Health.

“One thing we heard loud and clear from patients is that they want to be told about a cybersecurity matter even if a fix is not yet available,” the two wrote. And if they know what to look for, patients can “serve as a ‘boots-on-the-ground’ intelligence system” to alert FDA to other risks, they added.

... The daylong meeting with patients in September has given FDA leadership ideas for developing a new strategy for communicating medical device cybersecurity risks to patients, Abernethy and Schwartz wrote.

Veterans

NEWS TO NO ONE — Federal agencies including the VA have a long way to go in shoring up their information security programs, a GAO official testified to a House Veterans’ Affairs subcommittee on Thursday. In 2016, GAO recommended the VA take 74 steps to improve its cybersecurity program; as of October of this year, it hadn’t made adequate effort to address 42 of them, according to the watchdog.

What We're Reading

— Kiran Gupta, Sara Murray, Urmimala Sarkar, Michelle Mourad and Julia Adler-Milstein write in NEJM Catalyst about differences in EHR use across gender.

— In The Guardian, the anonymous whistleblower describes risks facing patients whose data is used in Google’s Project Nightingale.