Comments on Updates to the ONC Voluntary Personal Health Record Model Privacy Notice

Data collection via consumer health technology has greatly expanded in the five years since the initial development of the Model Privacy Notice. The ability of consumers to understand and act on information about a company’s data practices and policies has been severely compromised by the sheer amount of data being collected and shared. Consumers are increasingly using mobile phone apps and wearable devices to generate and share data on health and wellness, employing personal health record tools to access and copy health records and move them to third-party platforms, and sharing health information on social networking sites. They leave digital health footprints when they conduct online searches for health information. The health data created, accessed, and shared by consumers using these and many other tools can range from detailed clinical information, such as downloads from an implantable device and details about medication regimens, to data about weight, caloric intake, and exercise logged with a smartphone app.

These developments offer a wealth of opportunities for health care and personal wellness. However, privacy questions arise due to the volume and sensitivity of health data generated by consumer-focused apps, devices, and platforms, including the potential analytics uses that can be made of such data. Transparency about data practices is essential not just as a fundamental element of privacy but also as a key to engendering consumer trust, which in turn is critical to the adoption of these services. Without trust, consumers will resist using apps or devices and the industry as a whole will suffer.

Overall, transparency practices should be guided by the principle that the consumer should not be surprised. The more unexpected or potentially objectionable a data collection or usage is, the greater the obligation to explain it to consumers.

These comments are split into eight sections:

  1. User scope
  2. Information type
  3. Information practices
  4. Sharing and storage
  5. Security and encryption
  6. Access to other device information
  7. Format
  8. Information portability