Epic Building Tools to Help Patients Guard Their Health Data

New, Internet-connected devices—everything from watches that measure our steps and sleep to sensor-equipped inhalers able to track medication use—are starting to deliver on their promise of giving healthcare providers a fuller picture of what, and how, their patients are doing when they’re not in for a check-up.

But the more gadgets and software applications patients share their personal information with, the greater the risk of it coming into the possession of an identity thief or a group that unlawfully profits from the sale of user data.

This could present challenges for makers of electronic health records (EHR) software, which primarily stores information entered by healthcare workers. But EHR software may also pull in data collected by health-tracking applications and devices such as Fitbits. Sometimes, the information flows in the other direction, when patients give these outside entities permission to access parts of their medical records.

The information stored in patients’ health records is especially prized by data brokers and hackers; some consider having someone’s health data to be more valuable than having the person’s credit card information, according to a Reuters report.

Companies that develop EHR software, such as Verona, WI-based Epic Systems, are now weighing the benefits of letting patients share their health data with outside applications against the potential consequences of it falling into the wrong hands.

“We’re adding features so that when patients pick an application and authorize it to access their data in the EHR, they’re shown information about who made the application, and what it does,” said Sasha TerMaat, a director at Epic. The company wants to present such information in a way that’s “easier to understand than the pages of legalese patients might see today, so that they’re less likely to make a decision that they would later regret.”

The stakes are high. Violations of HIPAA, a law that regulates the use, disclosure, and transmission of protected patient health information, can result in steep fines or even jail time.

Leaders at Epic appear to be taking heed of a series of data privacy breaches outside the healthcare industry that have led to dire consequences for companies including Facebook (NASDAQ: FB) and Equifax (NYSE: EFX). Facebook got into trouble because it had permitted outside application developers, including the U.K.-based firm Cambridge Analytica, to extract and store the personal profiles of millions of Facebook users without their knowledge.

Facebook founder and CEO Mark Zuckerberg testified before members of Congress in April that Facebook would take steps to improve data privacy for its users. Still, Cambridge Analytica’s harvesting of Facebook data has unquestionably hurt the company’s bottom line; on July 26, Facebook’s market capitalization fell by $119 billion, which was reported to be the largest loss in stock market history.

During a conference at the company’s headquarters this week, Epic’s founder and CEO Judy Faulkner referenced Zuckerberg’s congressional testimony as she emphasized the importance of protecting patient data to hospital executives in the audience.

“If your patients permit a Cambridge Analytica lookalike to see their data and it includes family history and DNA, you may be up on the Senate floor too,” Faulkner said.

Faulkner said Epic plans to develop tools so that when “third party” software applications—healthcare providers and EHR vendors being the other two parties—asks patients for permission to access their medical records, Epic can tell the patient what the application is likely to do with their information.

The tools would “ask the third party, ‘What are you going to do with the data?’” Faulkner said. “Are you going to sell it? Are you going to advertise? We will then try to give those answers back to the patient. If the third party doesn’t answer, we’ll tell that to the patient.”

Critics of Epic have previously called the company’s software a “closed platform” and argued the software was limited in its ability to easily exchange data with third-party applications and hospitals that use EHR software developed by other vendors.

Epic has muffled some of those critiques by configuring its record-keeping tools to be able to share information with Apple’s HealthKit software, to name one example. But with so many costly data breaches in the headlines, Epic seems to be walking a fine line between openness and security.

“Social norms have changed, and if patients want to share their data, they should be able to,” said Epic senior vice president Sumit Rana.

However, Rana said that a typical medical record not only contains identifying information about patients, but also genomic data and information on their family and family history, for example. Above all, people should keep in mind the long-term consequences of clicking “I agree” on a computer or smartphone app’s terms and conditions screen, Rana said.

“Consider the implications of uploading [the] protected health information of a minor,” he said. “As an adult, they would be very upset to find that mom opted in to share their personal data with an app 20 years ago in exchange for bonus points on their favorite game.”

Trending on Xconomy