Health startups anxiously await new data-sharing rules

Jay Desai's healthtech startup may be poised to have a very, very big year.

PatientPing, where he's CEO, is a digital health coordinator that shares real-time patient information with health care providers across organizations so patient care is streamlined and tracked in one place. The Boston-based startup already works with more than 1,000 U.S. hospitals — approximately one-sixth of the total in the country, according to numbers from the American Hospital Association. But if the government approves a new set of patient data-sharing rules soon, systems like PatientPing could become a must-have for hospitals across the land.

"We're just sort of anxiously waiting for the final rule," Desai said. "As an entrepreneur, you have to be comfortable managing for uncertainty and ambiguity."

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

The fate of his company is currently in the hands of the White House, which is considering whether to approve new rules first set forth by the U.S. Department of Health and Human Services in February 2019. The proposals are controversial, pitting some incumbent health companies against startups like PatientPing and bigger tech companies like Apple and Google, with everyone arguing over patient rights versus patient privacy.

At their core, the new rules are meant to make it easier for people to obtain their medical data and share it with third-party apps or other doctors. They would require the health care industry to allow patients to access their personal health information through open APIs. The directives would penalize information-blocking and would require hospitals to send admission, discharge and transfer notifications as a condition of their participation in Medicare and Medicaid programs.

Unlike other tech sectors, where consumer taste and trends shape company outcomes, health care is highly regulated, and the industry can experience massive shifts as new rules come into effect. Making it easier to share and combine data could be a windfall for healthtech startups like Desai's.

"I think in some ways it's akin to what I think about the internet: that you have this ability to create an ecosystem where, by allowing people to move their information around, you're going to enable a lot of development," said 23andMe CEO Anne Wojcicki, whose home DNA-testing company has been on the vanguard of delivering health data directly to patients. The company is also well-known for its battle with another regulatory agency, the FDA, which famously forced 23andMe to change its entire product after it launched.

In the new and intensifying fight for health data-sharing, the government seems poised to come down on the side of innovation, which alarms privacy advocates and some industry veterans.

Epic, the nation's largest electronic health record provider, is strongly against the proposed rules. The company argues that the data-sharing could put patient privacy at risk and "that patients and their family members will lose control of their confidential health information," it said in one of its notes to hospital CEOs, according to CNBC.

I don't think it's appropriate for a company like Epic to be saying, no, you do not have the ability, that your data should not be moved around because of potential risk, and that you as an individual are not necessarily capable of having that judgment. Like, how dare they? That's insulting. — Anne Wojcicki

In early February, Wisconsin-based Epic signed a letter alongside 60 health systems representing 400 hospitals, urging government regulators to delay implementation. Wisconsin Gov. Tommy Thompson, a former HHS secretary, came out against the rules, claiming it would hurt Epic's business and Wisconsin's economy. Epic also previously threatened to take legal action.

"We are supportive of the goals of the proposed regulations, but we believe that important changes must be made to the rule before it becomes final in order to protect the privacy of patients and their personal health information," said an Epic spokesperson. "We appreciate the work that HHS is doing to incorporate different perspectives and ensure that the final rule is a good one."

Some startups Protocol contacted about the regulation declined to comment, given the tenor of the political battle. POLITICO reported that other big tech companies, like Google and Apple, have done some lobbying and met with officials, but have otherwise largely remained on the sidelines.

Wojcicki thinks Epic and its allies have taken a very "paternalistic view" of consumer privacy. "Fundamentally, my bank doesn't put those restrictions on me, and frankly, that's a lot more sensitive," she told Protocol. She argues that privacy is giving patients a choice in how they use their data — including not sharing it at all. She pointed to 23andMe's research programs for instance, which are opt-in, as an example of how to give people options safely. Still, 23andMe has been dogged by privacy concerns of its own. Consumer fears over DNA ending up in the wrong hands was a factor in 23andMe's decreased sales and subsequent layoffs in January.

"I think there should be appropriate warnings, but I don't think it's appropriate for a company like Epic to be saying that no, you do not have the ability, that your data should not be moved around because of potential risk, and that you as an individual are not necessarily capable of having that judgment," she said. "Like, how dare they? That's insulting."

While the interoperability rules could help 23andMe's research business by making it easier to connect patient health records to 23andMe, Wojcicki still thinks it will be a long time before the rules really start to affect her business. "At 23andMe, we do not have anyone like just sitting here, waiting at the gates for the data to flow out," she said.

Instead, startups focused on enabling interoperability, like PatientPing, may be some of the first to feel the change. And already, new startups are launching that seem perfectly poised to take advantage of it. This month, venture capitalist Hemant Taneja and his team launched Commure, which is building a developer platform and APIs for health care.

Venture firm Venrock's Bob Kocher told Protocol in an email that he expects startups working on tech-enabled care like urgent care, telemedicine, primary care and home-based care to be among the beneficiaries — alongside patients.

"Health care data is oxygen for entrepreneurs and indispensable for patients," Kocher said. "Data is what enables entrepreneurs to personalize experiences, anticipate what will happen, act early to prevent complications, and make health care more like every other modern experience."

He said this kind of data sharing will help patients explore more options for their care, and will help doctors access and learn from patients' past treatments.

Yet Kocher, Taneja and others are venture capitalists, another group singled out by Epic as profiting from the regulation. "The primary beneficiaries of this rule are venture capitalists and others taking advantage of patient data," Epic executive Sumit Rama told POLITICO. (The company declined to comment on his remarks.)

"I mean, the statement in and of itself is obviously a bit alarmist," said Julie Yoo, a partner at Andreessen Horowitz who works on the firm's biotech fund. "It just struck me as very ironic that the very companies who benefited from this type of regulatory change and policy change are the very ones who are pushing back against sort of the obvious and logical next wave of regulatory change."

The new rules won't change her investing strategy too much, she said, as there are already a lot of startups that are trying to be the connective tissue between different vendors and systems. "But it might positively affect the capital, for instance, that these companies will have to raise to accomplish their goals," Yoo said.

As for the risk of a third-party app running away with health care information, that's a real concern, but she hopes venture capital could exert a positive influence by refusing to back businesses that might use data in nefarious or insecure ways. "Things take time in this space," Yoo said. "We always lament the fact that health care is 10 years behind and everything's slower. We certainly acknowledge that there's merit to that, because if we get it wrong, we're talking about patients' lives being at stake."