New, Internet-connected devices—everything from watches that measure our steps and sleep to sensor-equipped inhalers able to track medication use—are starting to deliver on their promise of giving healthcare providers a fuller picture of what, and how, their patients are doing when they’re not in for a check-up.
But the more gadgets and software applications patients share their personal information with, the greater the risk of it coming into the possession of an identity thief or a group that unlawfully profits from the sale of user data.
This could present challenges for makers of electronic health records (EHR) software, which primarily stores information entered by healthcare workers. But EHR software may also pull in data collected by health-tracking applications and devices such as Fitbits. Sometimes, the information flows in the other direction, when patients give these outside entities permission to access parts of their medical records.
The information stored in patients’ health records is especially prized by data brokers and hackers; some consider having someone’s health data to be more valuable than having the person’s credit card information, according to a Reuters report.
Companies that develop EHR software, such as Verona, WI-based Epic Systems, are now weighing the benefits of letting patients share their health data with outside applications against the potential consequences of it falling into the wrong hands.
“We’re adding features so that when patients pick an application and authorize it to access their data in the EHR, they’re shown information about who made the application, and what it does,” said Sasha TerMaat, a director at Epic. The company wants to present such information in a way that’s “easier to understand than the pages of legalese patients might see today, so that they’re less likely to make a decision that they would later regret.”
The stakes are high. Violations of HIPAA, a law that regulates the use, disclosure, and transmission of protected patient health information, can result in steep fines or even jail time.
Leaders at Epic appear to be taking heed of a series of data privacy breaches outside the healthcare industry that have led to dire consequences for companies including Facebook (NASDAQ: FB) and Equifax (NYSE: EFX). Facebook got into trouble because it had permitted outside application developers, including the U.K.-based firm Cambridge Analytica, to extract and store the personal profiles of millions of Facebook users without their knowledge.
Facebook founder and CEO Mark Zuckerberg testified before members of Congress in April that Facebook would take steps to improve data privacy for its users. Still, Cambridge Analytica’s harvesting of Facebook data has unquestionably hurt the company’s bottom line; on July 26, Facebook’s market capitalization fell by $119 billion, which was reported to be the largest loss in stock market history.
During a conference at the company’s headquarters this week, Epic’s founder and CEO Judy Faulkner referenced Zuckerberg’s congressional testimony as she emphasized the importance of protecting patient data to hospital executives in the audience.
“If your patients permit a Cambridge Analytica lookalike to see their data and it includes family history and DNA, you may be up on the Senate floor too,” Faulkner said.
Faulkner said Epic plans to develop tools so that when “third party” software applications—healthcare providers and EHR vendors being the other two parties—ask patients for permission to access their medical records, Epic can tell the patient what the application is likely to do with their information.
The tools would “ask the third party, ‘What are you