
Protecting Health Data – CDT and eHI Release Consumer Privacy Framework for Health Data

CDT and the eHealth Initiative (eHI), with generous support from the Robert Wood Johnson Foundation, have partnered to develop a consumer privacy framework to better protect health data. Our proposed Consumer Privacy Framework for Health Data establishes critically needed protections around the collection, disclosure, and use of health data, much of which is unregulated under existing laws.

Data about our health is not only collected and kept by our doctors and hospitals – it’s truly everywhere. Our smartwatches know how physically active we are. Popular smartphone apps track the most intimate details about reproductive health. Medical websites, prescription services, and mental health apps all collect data about the medical conditions we have and the ways we treat them.

When used in certain ways by health professionals and researchers, this type of data can be valuable and produce positive health outcomes. However, when used in other ways, these sets of personal health data can harm people. For example, the Federal Trade Commission (FTC) just entered into a settlement with Flo, the developer of a popular fertility tracking app used by more than 100 million users. The FTC took action against Flo because the developer allegedly told users their data would be private, but, in practice, Flo shared users’ sensitive health data with numerous third parties, including Facebook and Google.

Apps that collect reproductive, prescription, or mental health data are all gathering a host of very personal and sensitive data. If that information is then disclosed in a manner users did not authorize or anticipate, that can be embarrassing, stigmatizing, and exacerbate existing biases in the provision of care and treatment. Moreover, when shared with others, like an employer, information about our health can have real life impacts on our jobs and access to opportunities. When shared without our knowledge or with unanticipated parties, we can quickly lose all control over our intimate health data. Finally, when not used appropriately, this data can lead to greater lack of trust in technology and health services.

Current privacy protections do not go far enough to adequately protect data about our health. In the United States, we have sector-specific laws that protect some of our data. For example, you have likely heard about the Health Insurance Portability and Accountability Act of 1996 (HIPAA). At its heart, HIPAA is a relatively strong data privacy law. It makes clear that health data is sensitive and, because of that, when held by specific entities (like your doctor, hospital, or health insurer), that data deserves heightened privacy protections around its collection, disclosure, and use. But for all the positive protections HIPAA provides, it doesn’t reach huge amounts of data about our health that is being collected and used by entities that fall outside the scope of the law.

Fortunately, there continues to be momentum to provide greater privacy protections for data about our health. For instance, several bills introduced in Congress recognize the sensitivity of data about health and the need to provide greater protections around its collection, disclosure, and use. However, right now, none of these bills has passed. States have also taken the lead and continue to advance privacy practices around consumers’ health data. For example, in November of 2020, Californians voted for the California Privacy Rights Act of 2020 (CPRA), which includes specific provisions and protections around sensitive data like health data.

While these legislative steps are positive, there is more we can and should do now. That’s why CDT and the eHealth Initiative have spent the past year developing a consumer privacy framework to better protect health data. Throughout 2020, we actively engaged with experts from the healthcare community, app and IoT developers, academics, patient and consumer advocates, and privacy experts. This included the release of an earlier draft proposal for public comment, feedback on which directly shaped our current draft. We are grateful to everyone who participated and offered constructive input and feedback throughout this process.

Today, we are proud to release our proposed Consumer Privacy Framework for Health Data. The framework includes a set of detailed use, access, and disclosure limitations and controls for health data that are designed to address the current gaps in legal protections. More specifically, the framework:

  1. Moves beyond outdated models that place too much emphasis on notice and consent and fail to articulate clear data use limits. Currently, the burden of ensuring sufficient privacy protections around health data disproportionately falls on consumers. To address this current imbalance, the framework focuses on data collection and use practices that ensure data is used for limited purposes consistent with consumer requests and expectations.
  2. Covers all information that can be used to make inferences or judgments about a person’s physical or mental health. Our definition of consumer health information recognizes that all data can be “health data” if it is used for those purposes, even if it appears unrelated on its face. A purpose- and use-based approach to our definition has several benefits. First, it benefits consumers by raising the bar for all the data that is used to impact their health and wellness. Modern data use is complex, opaque, and instantaneous. Trying to delineate distinct data sets as worthy of coverage, and others as not worthy, no longer makes sense for the people whose information is implicated. Second, it creates a tech-neutral standard that will stay relevant as technology evolves.
  3. Applies to all non-HIPAA-covered entities that collect, disclose, or use consumer health information, regardless of the size or business model of the covered entity. The framework includes very limited exceptions that permit some collection, use, and sharing of health data. Mindful of how exceptions can undercut the effectiveness of a framework, these provisions borrow from long-standing laws that attempt to balance the equities between individual privacy, societal benefits from the use of this data, and participants’ needs to process data to deliver the service or product requested by an individual.

Our proposal is designed to benefit everyone. The clear collection, disclosure, and use limits raise the bar and provide meaningful privacy protections to consumers. And by making pro-privacy decisions now, entities that elect to participate and adopt the framework will stay ahead of the regulatory curve and avoid having to make product changes that could be more expensive, time-consuming, or complicated in response to future regulation. Congress and federal and state-level regulators will also benefit from companies committing to a common set of publicly available data practices. This commitment will allow these governmental bodies to enforce these practices, which will be more explicit than many existing company privacy policies. Finally, the framework recognizes the importance of research and establishes clear standards for when research relying on consumer health information is permitted.

Our proposal is not designed to be a replacement for necessary comprehensive data privacy legislation. Rather, our effort is designed to build consensus on best practices and to do what we can now, in the interim, to shore up protections for non-HIPAA-covered health data. We also recognize that we have tried to address a number of difficult questions and there may need to be additional modifications to the framework. We look forward to continuing to work with our partners to ensure that users’ health data and privacy are protected.

Read the full privacy framework here.

Read the accompanying press release here.