Skip to Content

Privacy & Data

CDT, eHI Release Draft Consumer Privacy Framework for Health Data

On Wednesday, August 26, 2020, CDT hosted a webinar alongside eHI to debut this draft framework. We will solicit public feedback on all aspects of this draft framework for 30 days from the date of the webinar.


Health data — or data used for health-related purposes — is not regulated by a single national privacy framework. Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has governed the use and disclosure of certain health information held by certain entities like doctors and insurance companies. However, with the rise of wearable devices, health and wellness apps, online services, and the Internet of Things (IoT), extraordinary amounts of information reflecting mental and physical wellbeing are created and held by entities who are not bound by HIPAA obligations. This issue has only gained importance in the last several months, as new regulations will also be moving HIPAA-covered medical records into this commercially-facing and unregulated space. The novel coronavirus, too, has thrust the issue of patient data privacy to the forefront, as efforts to trace and combat the spread of the virus has brought with it the relaxation of some federal privacy protections, as well as increased data collection and use.

With funding from the Robert Wood Johnson Foundation, the eHealth Initiative (eHI) and the Center for Democracy & Technology (CDT) have been collaborating on a Consumer Privacy Framework for Health Data, with invaluable engagement and help from a Steering Committee of leaders from healthcare providers, technology companies, academia, and organizations advocating for privacy, consumer, and civil rights. Two workgroups – focused on the Framework’s Substance and Structure – have developed detailed use, access, and disclosure principles and controls for health data designed to address the gaps in legal protections for health data outside HIPAA’s coverage, along with a draft self-regulatory model to support enforcement of such standards. The standards’ emphasis is on transparency, accountability, and the limitation on health data collection, disclosure, and use. Importantly, the standards:

  1. move beyond outdated notice and consent models,
  2. cover all health information, and
  3. cover all entities that use, disclose or collect consumer health information, regardless of the size or business model of the covered entity.

This proposal is not designed to be a replacement for necessary comprehensive data privacy legislation. Given that Congressional action to pass such a law is likely some time away, this effort is designed to build consensus on best practices and to do what we can now, in the interim, to shore up protections for non-HIPAA covered health data.

Read the full draft framework here.

Watch the webinar recording here, and the slides here. More info on the event can be found here.

Submit comments on this draft framework via email to Alice Leiter at eHI ([email protected]) or Andy Crawford at CDT ([email protected]), or visit here.