Wearable health devices, like Fitbits, have become almost as ubiquitous as smartphones. A sea of pink, blue, and black-banded wrists reflects our growing obsession with quantifying ourselves, whether it’s through measuring steps, counting calories or calibrating sleep quality.
The enormous and growing adoption of wearables has added fuel to the already widespread collection and curation of personal health information, a movement that has transformed modern healthcare. Offering both new ways for individuals to be engaged in their own health and new pathways for commercial innovation, the rise of wearables and other products, like body monitoring devices, that enable consumer-generated health information has also raised important questions about the privacy and security of health information that lies outside of the Health Insurance Portability and Accountability Act (HIPAA). To examine these and other health privacy questions, on Thursday CDT held the 4th event in its “Always On” series. Thursday’s event brought together leading experts in government, academia, advocacy, and industry to explore the regulatory and social challenges we face as digital patients.
The event began with fire starter speaker Ben Heywood, co-founder, President and Chief Privacy Officer of PatientsLikeMe.com, an online community for people suffering from chronic illnesses. Heywood described the for-profit entity he and his family founded after his younger brother Stephen passed away from ALS as a “patient powered research network” in which users supply their health data to share and learn how others are managing similar illnesses. Heywood recognized the importance of user privacy, but also provocatively claimed such emphasis on privacy has prevented open data sharing and potential medical progress. “It’s fair to assume concerns about privacy and sharing have delayed some medical research by one year,” he said. “In that one year, 5,000 people with chronic diseases will die. How much is privacy really worth?”
After audience members gathered in small groups to discuss key questions such as whether consumer-generated health information should be regulated, CDT’s Deputy Director for Consumer Privacy Michelle De Mooy moderated a panel discussion that included Commissioner Julie Brill of the Federal Trade Commission, noted health privacy scholar Nicolas Terry from Indiana University School of Law, Corrine Carey, Assistant Legislative Director of the New York Civil Liberties Union and Dr. Christopher Boone, Executive Director of the Health Data Consortium. During a dynamic conversation on the legal, regulatory, and societal implications of mhealth, consumer-generated data, and the move towards open data, the experts agreed that HIPAA is outdated and that new legislation should be designed to reflect today’s technological environment. The experts also noted that although people care deeply about privacy, they make trade-offs for products and services. As Dr. Boone pointed out, consumers are “sacrificing our privacy for convenience.”
Commissioner Brill discussed confusion over regulation and enforcement of privacy laws in digital health, suggesting that rules of best practice may be more beneficial than concrete laws. “I really think the benefits in the m-health space are so tremendous, but researchers are so afraid to use [the data] because they don’t know where the lines are,” she said. “If we can develop best practices around the use of this data when it can go to third parties, this can do so much good.”
The panel concluded by discussing individual states’ power over health data, especially in selling data. Commissioner Brill cited research conducted by Dr. Latanya Sweeney which found that 33 state governments were selling or sharing health information to third parties, and only 3 of these states were compliant with HIPAA privacy standards. On the other hand, Professor Nicolas Terry pointed out, some states have even more protective data laws than HIPAA, such as California, a state where information from wearables is now protected by law.
CDT announced at the conclusion of the event that it will convene a Health Privacy Working Group and will send out information about how to participate to stakeholders soon.