On Tuesday, February 9, 2021, CDT hosted a webinar alongside eHI to debut this final proposed consumer privacy framework for health data. We published an earlier draft proposal and solicited public feedback.
The final proposed framework below reflects that feedback, in addition to the guidance of experts and leaders from healthcare systems, technology companies, academia, and organizations advocating for privacy, consumer, and civil rights.
Introduction and Background
Health data—or data used for health-related purposes—is not regulated by a single national privacy framework. Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has governed the use and disclosure of certain health information held by certain entities such as doctors and insurance companies. However, with the rise of wearable devices, health and wellness apps, online services, and the Internet of Things, extraordinary amounts of information reflecting mental and physical well-being are created and held by entities that are not bound by HIPAA obligations. This issue has only gained importance, as new regulations finalized in the spring of 2020 will also ease and promote the movement of previously HIPAA-covered medical records into this commercially facing, non-HIPAA-covered and unregulated space. The novel coronavirus has also thrust the issue of patient data privacy to the forefront, as efforts to trace and combat the spread of the virus have brought with them the relaxation of some federal privacy protections as well as increased data collection and use.
Project Goals and Process
With funding from the Robert Wood Johnson Foundation, the eHealth Initiative (eHI) and the Center for Democracy & Technology (CDT) collaborated on a Consumer Privacy Framework for Health Data, with invaluable engagement and help from a steering committee of leaders from healthcare entities, technology companies, academia, and organizations advocating for privacy, consumer, and civil rights.
This steering committee helped guide eHI and CDT during the development of this framework. Specifically, the framework consists of a set of detailed use, access, and disclosure principles and controls for health data that are designed to address the gaps in legal protections for health data outside HIPAA’s coverage. The framework also includes a proposed self-regulatory program to hold companies accountable to such standards. Non-HIPAA-covered entities would voluntarily hold themselves to a set of standards and subject themselves to potential enforcement mechanisms beyond current Federal Trade Commission (FTC) processes. Even outside this program, the authors hope that the substantive standards will serve as a benchmark to shape industry conduct and influence companies’ approaches to ensure users’ health data is protected.
The standards emphasize transparency, accountability, and appropriate limitations on health data collection, disclosure, and use. Importantly, the standards:
- Move beyond outdated models that place too much emphasis on notice and consent and fail to articulate data use limits;
- Cover all information that can be used to make inferences or judgments about a person’s physical or mental health; and
- Cover all non-HIPAA-covered entities that collect, disclose, or use consumer health information, regardless of the size or business model of the covered entity.
With respect to the self-regulatory program, the framework seeks to balance the need for enforcement mechanisms that will effectively hold companies responsible and promote consumer trust against the need for a program that is workable enough for potential participating entities to join. This is a challenging balance, which the authors know will rely on entities participating in good faith.
Importantly, this proposal is not designed to be a replacement for new and necessary comprehensive data privacy legislation. Indeed, we believe strongly in the need for such a law and support all efforts to date that have served to build momentum for one. Given that congressional action is likely some time away and would take additional time to go into effect, this effort is designed to build support for best practices and enable us to take what action we can now, in the interim, to shore up protections for non-HIPAA-covered health data. We hope that some of the tenets of our proposal can and will be helpful to federal lawmakers in their future efforts.