
Edifecs

Posted on June 26, 2025 | 4 min read

Third-Party Health Technologies and Data Privacy in Medicare

Categories:

Consumer Experience

Healthcare Data

Regulatory Compliance



In May, the Centers for Medicare & Medicaid Services (CMS) released the Health Technology Ecosystem Request for Information (RFI). One of CMS’ stated reasons for issuing the RFI is to explore how digital health technologies can help Medicare beneficiaries make better-informed health decisions. CMS defined several types of digital technology that respondents could address, including:

  • Hardware, such as sensors and wearable technology;
  • Software applications that collect and organize health records and provider encounter data for viewing, sharing, and use in digital health products; and
  • Digital tools that draw on personal data and other information to help patients make health decisions.

CMS’ support for broader access to digital health technologies could help improve care outcomes for Medicare beneficiaries. Digital health devices can deliver appointment alerts and medication reminders, and they can track a wide range of health data, including vital signs, physical activity, sleep patterns, blood sugar levels, and heart activity.

One study found that adults considered apps and wearables highly effective in helping them manage and improve their health. Subjects without prior health expertise were better able to understand their health data and the benefits of a healthy lifestyle. They were also motivated to improve their health by fun and educational features, and they valued the safety and emergency options the technology offered.

The odds of increased adoption are also favorable, as the number of older adults using technology continues to grow. The Pew Research Center found that the share of U.S. adults aged 65 and older who own a smartphone rose from 13% in 2012 to 61% in 2021, and the share who use social media rose from 11% to 45%. While digital health technologies may improve the health of Medicare beneficiaries, those improvements may come at the expense of data privacy.

CMS works with many third parties, from health plans and software vendors to drug manufacturers and medical device suppliers. These organizations are heavily regulated and must meet strict requirements for medical data storage, transmission, and use. CMS engaging with digital health developers that have so far sold products only directly to consumers would mark an unprecedented shift in the types of organizations that can access beneficiary data. Unlike CMS-affiliated vendors, consumer digital health product makers have historically not been required to follow healthcare data privacy regulations: HIPAA applies to covered entities and their business associates, and an app or device that collects data directly from the user, rather than on behalf of a provider or health plan, typically falls outside it. Such companies may therefore be unfamiliar with HIPAA compliance, patient data protection, and informed consent practices.

Consumers typically must accept broad terms and conditions before using a digital health product. These agreements may allow the company to use the collected data in various ways, such as for research, advertising, and artificial intelligence training, or may even grant the company the right to sell user data to other organizations. In some cases, consent to sell data is not explicitly granted in the user agreement, or the agreement may be considered misleading; that ambiguity, however, has not been enough to stop companies from selling the data. One example is Flo Health, maker of a popular women’s health app, which reached a settlement with the Federal Trade Commission over allegations that it shared user health information with outside data analytics providers. Separately, Flo Health, Google, and Meta will face a jury trial to determine whether the companies violated state and federal data-sharing privacy laws. Similar complaints have been leveled against BetterHelp and Google-owned Fitbit.

Another complicating factor in addressing data privacy is user consent. The CMS RFI does not mention how digital health developers will manage beneficiary consent, nor does it stipulate what methods beneficiaries will have to actively manage their consent preferences. These companies’ agreements are often lengthy, filled with legal jargon, and may not clearly spell out what data-gathering and usage permissions consumers grant by accepting them.

The case against Fitbit is an example of how murkily consent can be defined by digital health technology companies. noyb, a European non-governmental organization that works to enforce data protection laws, filed complaints alleging that the Fitbit agreement requires user consent without clear information about how the data will be used, which third-party companies will receive it, or to which countries it will be sent. noyb alleges that the only way to withdraw consent is to delete the account, which costs the user access to all of their data and renders the digital health device unusable.

Governing how digital health technology developers collect and manage data will be challenging. Ideally, CMS would put guardrails in place to ensure that these organizations adhere to the strict healthcare data privacy regulations already established, and would require them to implement robust consent management capabilities. However, one question in the RFI is cause for concern: How might CMS balance patient privacy with convenience and access to digital health products and services that may lead to significant improvements in health? Rather than enforcing existing requirements, or even tightening data privacy and consent regulations for digital health developers, this question could imply that CMS is willing to relax regulations so that more digital health technologies can integrate easily with beneficiaries’ data. If so, beneficiaries will have to weigh the potential health benefits against the risks of entrusting their data to organizations that are not currently held to the same rigorous data privacy standards.
