New Data Rules Could Empower Patients but Undermine Their Privacy

In a move intended to give Americans greater control over their medical information, the Trump administration announced broad new rules on Monday that will allow people for the first time to use apps of their choice to retrieve data like their blood test results directly from their health providers.

The Department of Health and Human Services said the new system was intended to make it as easy for people to manage their health care on smartphones as it is for them to use apps to manage their finances.

Enabling people to access their medical records via mobile apps represents a major milestone for patient rights, even as it may heighten risks to patient privacy.

Prominent organizations like the American Medical Association have warned that, without accompanying federal safeguards in place, the new rules could expose people who share their diagnoses and other intimate medical details with consumer apps to serious data abuses.

Although Americans have had the legal right to obtain a copy of their personal health information for two decades, many people face obstacles in getting that data from providers.

Some physicians still require patients to pick up computer disks — or even photocopies — of their records in person. Some medical centers use online portals that offer access to basic health data, like immunizations, but often do not include information like doctors’ consultation notes that might help patients better understand their conditions and track their progress.

The new rules are intended to shift that power imbalance toward the patient.

They will require health providers to send a core set of medical data directly to third-party apps, like Apple’s Health Records, after a patient has authorized the information exchange. In addition to lab test results and vital signs, the data will include clinical notes about a patient’s surgeries, hospital stays, imaging tests and pathology results.

Dr. Don Rucker, the federal health department’s national coordinator for health information technology said allowing people to access their medical data through consumer apps would give them more detailed insights into their health and greater choices over their health care. He compared it to ride-hailing apps like Uber and Lyft that let consumers make pricing choices in advance, gauge the arrival times of their drivers and follow maps of the routes they’re traveling.

“We as patients have not gotten really anywhere near the benefits from modern computing that we could or should get,” Dr. Rucker said. “The ability of smartphones to take the care with you, to be continuous, to be engaging, is going to allow totally different ways of thinking about chronic illness.”

Health regulators are opening patient access to their medical records against a backdrop of a virtual gold rush for Americans’ health data by hundreds of players, including tech giants, analytics start-ups and pharmaceutical companies. So many entities have access to Americans’ medical records — including identifiable medical data and pseudonymous files that track people by I.D. codes — that it can seem easier for third parties to acquire patient data than patients themselves.

Dozens of professional medical organizations and health industry groups have pushed back against the rules, warning that people who share sensitive medical record details — such as data on depression, cancer or sexual health — with apps could face major privacy invasions.

That is because federal privacy protections, which limit how health providers and insurers may use and share medical records, no longer apply once patients transfer their data to consumer apps.

“App frequently do not provide patients with clear terms of how that data will be used — licensing patients’ data for marketing purposes, leasing or lending aggregated personal information to third parties, or outright selling it,” Dr. James L. Madara, the chief executive of the American Medical Association, wrote in public comments to health regulators last year. “These practices jeopardize patient privacy, commoditize an individual’s most sensitive information, and threaten patient willingness to utilize technology to manage their health.”

Dr. Rucker, the health department’s technology coordinator, said that when patients initiate the data-sharing process with apps, their providers will inform them about the data transfer and be able to communicate privacy risks.