With help from Arthur Allen (@arthurallen202) and Darius Tahir (@dariustahir)

Editor’s Note: This edition of Morning eHealth is published Mondays, Wednesdays and Fridays at 10 a.m. POLITICO Pro eHealth subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at politicopro.com.

Quick Fix

The battle between established health IT vendors and patients and newer tech entrants heated up this week, and we’re sure it’ll be the topic du jour at ONC’s annual meeting next week. Here’s what we’ve got:

— Epic ramps up campaign against HHS rules: CEO Judy Faulkner told POLITICO that the health record giant might join a lawsuit if HHS finalizes data-sharing regulations that it views as deeply flawed.

— How to make privacy legislation inclusive: Policymakers and privacy experts are still figuring out how to ensure all consumers properly understand what they’re agreeing to.

— Spotlight on Europe: Health apps sharing data without consent: Across the pond, yet another report finds that health apps aren’t getting consent from consumers to share data, even under what’s widely seen as the world’s toughest privacy regime.

eHealth tweets of the day: ONC@ONC_HealthIT “Health tech developers: clearly convey your privacy and security policies to your users/consumers about their digital health data using our Model Privacy Notice as a starting point: https://healthit.gov/topic/privacy-security-and-hipaa/model-privacy-notice-mpn…#HealthcareIT#HealthIT#transparency

Adam C Lake MD @ACLakeMD “Sometimes the best healthcare is knowing a good immigration or poverty law project to refer a patient. Very hard to treat legal issues with medications.”

Your author wishes you a happy FRIDAY from Morning eHealth. Pass your juiciest news tips — paired with your favorite pressure cooker recipes — to the newest Instant Pot convert at [email protected]. Tweet the team at @arthurallen202, @dariustahir, @ravindranize, @POLITICOPro and @Morning_eHealth.

Driving the Day

POTENTIAL EPIC LAWSUIT RILES PATIENT DATA ADVOCATES — Faulkner escalated her campaign against HHS’ data sharing rules this week, triggering backlash from patients and advocates who say she’s trying to protect the Wisconsin company’s business interests at patients’ expense.

... Earlier this week, Faulkner told POLITICO that her company might sue HHS if the final versions of the two data sharing rules — expected early this year — are as objectionable as she found their draft versions. She argued that the rules don’t provide privacy protections for patients, and that once patients send the data into unregulated apps that might sell or exploit it, it’s impossible to get it back. And as CNBC reported, Faulkner also circulated a letter to its health system customers urging them to oppose the rules, as they appeared in draft form.

Among critics of the letter was Aneesh Chopra, formerly White House chief technology officer under Barack Obama. Chopra told CNBC it was “unfortunate to see this much effort placed at stalling the important, bipartisan progress we have made to open up health information — at a minimum to consumers and institutions they trust.”

“anyone up for a roll call? tweet if your ceo plans to sign on to this letter?,” he later tweeted.

If finalized, the rules could also pave the way for newer entrants — Apple, Google and other Silicon Valley giants — to compete with established health IT vendors such as Epic and Cerner, HITAC member and PatientRightsAdvocate.org founder Cynthia Fisher tells Morning eHealth. Fisher says more competition is better for patients, and that Epic’s privacy concerns are a “smokescreen” to protect its business interests.

“Innovative companies are being blocked today by the likes of Epic, and the likes of the hospitals,” Fisher said, adding that sometimes they are charged high fees or experience delays in accessing patient data, even when patients grant permission.

As we’ve reported, some companies such as Google, Facebook and Amazon have largely stayed out of the conversation about the rules, either avoiding comment or commenting indirectly; some experts say they’re missing an opportunity to address privacy concerns from patients worried about their health data being used for ads or marketing. Still, Fisher said, “technology can be a benefit to the consumer ... the tech community can do [to health IT] what Uber did to the taxicab industry.”

NAVIGATING THE PRIVACY LAW PATCHWORK — Speaking on a Next Century Cities panel this week, Asian Americans Advancing Justice’s K.J. Bagchi urged policymakers crafting privacy legislation — whether at the state or federal level — to accommodate a diverse group of consumers.

“We talk about consumers as a sort of monolithic block. ... You have individuals who are going to have varying levels of education, varying levels of English proficiency, and even within the federal legislation we’re looking at, just the idea of how terms of service should be presented to the consumer are varied.

“When you’re looking at the consumer, who’s trying to understand ... it’s important to have consistency,” he said.

California’s sweeping privacy law took effect a few weeks ago (though it won’t be enforced until July), and Washington state lawmakers are considering their own framework, among other states. But it could be a while before we see federal privacy legislation take shape, as POLITICO has reported.

It’s “exciting” to see lawmakers hash out certain elements such as ways to take the burden off consumers, guardrails limiting how data can be used and shared, and declaring certain practices harmful, said FTC’s Ben Rossen, a senior attorney at the Division of Privacy and Identity Protection, who emphasized at the event that he wasn’t speaking on behalf of the agency. “How exactly that will shake out remains to be seen,” he added.

SLEEP, DIET APPS SHARING DATA WITHOUT CONSENT — A Belgian consumer group is filing a complaint with the country’s data privacy authority about mobile health apps that share personal information with third parties, our colleague Sarah Wheaton reports.

... In a recent examination of 14 sleep, diet and lifestyle trackers, all but one shared personal data with third parties, consumer nonprofit Test Achats said. In some cases this included sensitive medical information. The data is often shared with a “total lack of transparency,” according to the group, which says the privacy policies for the most part do not comply with the General Data Protection Regulation.

Sleep Cycle and Migraine Buddy, for instance, both send email addresses and other personal information to third parties. They also send medical information, such as when people dream or snore, or the frequency of migraines, to those third parties, without disclosing how they share the data or allowing users to opt out.

“What if this data ends up in the hands of an insurer?” Test Achats said in a press release, warning of the possibility that an individual could be refused coverage or face higher premiums because the person “sleeps poorly or suffers from numerous migraines.”

Apple Health was the only app assessed that doesn’t share data with third parties, Test Achats found.

... This is just the latest report uncovering health apps’ potential violation of GDPR — a sweeping consumer privacy law seen by some U.S. lawmakers as a potential model for federal legislation. A report earlier this month commissioned by Norwegian Consumer Council found that apps routinely share data with third parties for advertising—even period trackers.

These reports raise concerns about patient privacy and could fuel the debate over HHS’ draft data-sharing rules — especially as developers don’t appear to be complying with the strong privacy regulations Europe put in place.

The Norwegian Consumer Council report, for instance, “reiterates AMA’s serious concern with respect to apps sharing and selling data without a consumer’s knowledge,” the American Medical Association told POLITICO earlier this month. “How many stories are needed before regulators will admit this is an issue worth addressing?”

PFIZER AND ROMAN INK PARTNERSHIP — Pharmaceutical giant Pfizer and direct-to-consumer website Roman have signed a deal, the companies announced Thursday. Roman, which provides men with prescriptions for conditions like erectile dysfunction and baldness, will be using Pfizer’s Greenstone division’s approved generic version of Viagra. The startup says the deal will ensure consistency in its supply chain.

Roman is one of many competitors jostling to provide patients with prescriptions to pharmaceuticals in convenient, direct-to-consumer fashion over the internet; some others in this sector include Nurx and hims & hers. At times, critics have focused on these companies’ safety problems:take this examination from Slate on beta blocker prescriptions, or the New York Times’ investigation of Nurx’s “cutting corners” while providing access to birth control.

DA VINCI PROJECT COVENES CLINICAL ADVISORY COUNCIL — The Da Vinci Project, a group trying to use FHIR standards for value-based pay,is creating a new clinical advisory council to assist in standardizing data-requests like prior authorization and quality metric reporting, the group announced today. The council’s co-chairs are Steven Lane of Sutter Health and Steven Waldren of the American Academy of Family Physicians.

What We're Reading

— Chrissy Farr reports on 23andMe’s recent layoffs for CNBC.
— Bloomberg’s Amy Thomson and Stephanie Bodoni report on Google and Alphabet CEO Sundar Pichai’s belief that AI will be a “more profound change than fire.”

Follow us on Twitter


• Mohana Ravindranath @ravindranize
• Darius Tahir @dariustahir

Follow Us