Privacy Matters | Biometric data in EHRs, health data breaches, Jonah Leshin expounds on biometric data's ability to enhance patient matching, & more

November 17, 2022

Privacy Matters

Privacy Hub's fortnightly synthesis of the major news items
affecting and shaping health data privacy,
with expert analysis and commentary


 

The last few weeks in a flash:

  • Experts explore how the addition of biometric data to electronic health records could improve patient matching, balancing the benefits against privacy concerns.
  • Healthcare data breaches and potential government surveillance of commercially collected health data pose significant challenges to patient privacy.
  • The protection of reproductive health information continues to be a major driver of research and advocacy efforts by medical professionals and organizations.

 

Leading Stories

How Adding Biometric Data to the EHR Can Drive Patient Matching
EHR Intelligence (November 2, 2022)
"Including biometric data like facial imaging in the EHR could help improve patient matching and cut costs, but patient data security remains a concern." Keep reading

Survey: Users of Digital Health Apps are Divided on Data Privacy but Most Share Data with Their Providers or Family Members
Cision PR Newswire (November 14, 2022)
"A new survey conducted by juli, the AI-powered chronic condition platform, reveals sharp differences among Americans in the value they place on digital privacy. Amid growing concern about the privacy of patient data, the survey found that app users' assessments of the importance of data privacy varied widely by age, gender and education level. Overall, women, older people, and those with a college education all rated privacy as more important than men, younger people, and those with a high school education." Keep reading

  • juli is an AI-powered app for anyone with chronic conditions. juli collects data from various sources (phone, watch, environmental data, electronic health records and patient’s self-reported data).

Latest Healthcare Data Breaches Have Varying Impacts on Health Data
Health IT Security (November 14, 2022)
"The latest string of healthcare data breach notifications includes breaches at a New York police union, a California post-acute care facility, and a Colorado FQHC. . . In September, Legacy Post Acute Care first discovered that an unauthorized party had accessed several employee email accounts . . . [that] contained patient names, Social Security numbers, treatment information, health insurance information, financial information, prescription information, and patient account and medical record numbers." Keep reading

Customer Data Can Be Used As Evidence in Government Surveillance
Marsh McLennan (November 13, 2022)
"The United States has electronic surveillance laws that prevent authorities from conducting wiretaps and other electronic surveillance without court oversight, but those laws do not necessarily protect our personal data collected commercially. That has profound implications in our post-Dobbs world, says Anne Toomey McKenna, professor of Law at University of Richmond School of Law and an expert on privacy, surveillance and law." Keep reading

Patients sue WakeMed, Aurora over data collection by Meta's pixel tool
SC Media (November 1, 2022)
"WakeMed Health and Hospitals, and Aurora Advocate Health are both facing patient-led lawsuits after two separate breach notices tied to possible data scraping by the use of Pixel on its hospital and patient-facing websites. . . WakeMed informed 495,000 patients and Advocate Aurora notified 3 million individuals that their data was inadvertently shared with Meta and other third-party vendors due to the use of Pixel on their respective websites." Keep reading

 

Experts Expound

Jonah Leshin, Head of Privacy Research at Privacy Hub by Datavant, elaborates on the Pew Charitable Trusts report's conclusion that adding biometric data to the EHR could enhance patient matching:

Incorporating biometric data into our patient matching paradigm has the potential to mitigate critical challenges that we face today, such as transient identifiers and manual data entry errors.

As the Pew report discusses, implementing biometric data into a patient matching process requires consideration along multiple dimensions, including:

  • Storage of biometric data in a centralized database versus a decentralized on-device model.
  • The type of biometric data to be collected; for example, fingerprint, facial scan, or both.
  • The means by which biometric data is used to determine a patient match; for example, requiring an exact match on biometric data versus a hybrid approach in which biometric data is used in combination with more traditional demographic data.

Patient privacy plays a central role within and between each of these dimensions. The identifiability risks posed by the data itself, its transfer between systems, and the way it is combined with other data require close review. Moreover, the principles and analyses underlying such a review must be transparently laid out in order to build the trust that enables patient participation, and ultimately actualize the benefits of such a paradigm.

 

Government Watcher

Federal Trade Commission's Advance Notice of Proposed Rule on Commercial Surveillance and Data Security 
Background: Unveiled on August 11, 2022, by the Federal Trade Commission (FTC) and published on August 22, 2022, in the Federal Register, this proposed rule on commercial surveillance and data security practices that harm consumers and competition is the first step toward creating national privacy and security rules that, if finalized, would apply across most sectors of the U.S. economy. 

Latest Developments:

  • Planned Parenthood Calls on FTC to Protect Sensitive Data
    Media Post via IAPP (November 14, 2022)
    "Planned Parenthood urged the U.S. Federal Trade Commission to 'write tailored regulations to protect consumers' sensitive data from the potentially dangerous consequences of commercial surveillance and lax data security.'" Keep reading
  • US senators request halt to FTC privacy rulemaking
    Media Post via IAPP (November 8, 2022)
    "U.S. senators sent a letter to U.S. Federal Trade Commission Chair Lina Khan asking the agency to stop its rulemaking initiative on commercial surveillance and lax data security. . . Sens. Cynthia Lummis, R-Wyo., Kevin Cramer, R-N.D., and Marco Rubio, R-Fla., wrote the FTC 'should not exceed its authority' with a rulemaking in the absence of a federal privacy law and instead 'leave that work to Congress.'" Keep reading

Engage: The ANPRM asks for public comment on 95 questions, ranging from topics such as targeted advertising, security of personal information, algorithmic discrimination, and protection of children and teens. Deadline for ANPRM Comments is now November 21, 2022.

Colorado Privacy Act Rules

Background: On July 7, 2021, Governor Polis signed Senate Bill 21-190: Protect Personal Data Privacy establishing the Colorado Privacy Act (CPA). The CPA is a part of the State of Colorado’s Consumer Protection Act. The CPA gives the Colorado Attorney General authority to adopt rules governing privacy. It also requires that, by July 1, 2023, the Colorado Attorney General specifically adopt rules that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.

Latest Developments:

Engage: In conjunction with the publication of the Draft Rules, the Colorado Attorney General’s Office will hold a public hearing on February 1, 2023 that will be conducted in person and by video conference. Anyone can request to testify at the rulemaking hearing and submit public comments.

 

Food for Thought

Patient Matching: Privacy Considerations
Datavant (October 27, 2022)
Written by Jonah Leshin
"Piecing together a comprehensive and accurate view of the patient journey – for example, obtaining a complete prescription history or linking clinical trial data with future healthcare encounters – is critical to ultimately improving patient outcomes. . . Any given approach to patient matching carries its own elements of risk. Exploring these risk factors and how they can be mitigated is vital for implementing a process that is both privacy-first and fit-for-purpose." 
Keep reading

  • Jonah Leshin is the Head of Privacy Research at Privacy Hub by Datavant. He holds a Ph.D. in Mathematics from Brown University.


Protecting reproductive health information in the post-Roe era: interoperability strategies for healthcare institutions
JAMIA (October 26, 2022)
Study by Raman R Khanna, Sara G Murray, Timothy Wen, Kirsten Salmeen, Tushani Illangasekare, Nerys Benfield, Julia Adler-Milstein, and Lucia Savage
"Healthcare institutions capture information about patients’ pregnancy and abortion care and, due to interoperability, may share it in ways that expose their providers and patients to social stigma and potential legal jeopardy in states with severe restrictions. In this article, we describe sources of risk to patients and providers that arise from interoperability and specify actions that institutions can take to reduce that risk." Keep reading

  • Authored by medical and research professionals, several of whom focus on obstetrics.
  • Affiliations include UCSF's Department of Medicine, Center for Clinical Informatics and Improvement Research, and Department of Obstetrics, Gynecology, and Reproductive Sciences. 
     

Building Patient Privacy Trust for Digitized Healthcare Consumerism
PatientEngagementHIT (November 14, 2022)
Written by Sarah Heath (after interviewing Michael Levy)
"Healthcare consumerism will hinge on health data liquidity. But with patients as the owners of that data, the industry has a big patient privacy trust imperative on its hands." Keep reading

  • Sarah Heath is the Managing Editor at Xtelligent Healthcare Media.
  • Michael Levy is the CEO of the Digital Health Institute for Transformation (DHIT), a North Carolina-based non-profit education and research institute focused on leveraging patient health data to advance community health and equity.
 

Best of the Rest


PODCAST:
What the 2022 midterm election results mean for US privacy law
IAPP (November 11, 2022)
"To shed light on [how the results of the midterm elections affect federal and state privacy legislation in 2023 and beyond], IAPP Editorial Director Jedidiah Bracy, CIPP, caught up with R Street Resident Senior Fellow for Cybersecurity and Emerging Threats Brandon Pugh, CIPP/US, and Public Knowledge Senior Policy Counsel Sara Collins." Listen here

BLOG:
Why I let researchers sequence my DNA - a case for sharing health data

LinkedIn (October 24, 2022)
Written by Elenee Argentinis
"Today, online patient communities attract millions of patients seeking support, available trials, and experiences on different drugs. Patients share their stories [across social media]. . . By sharing health information we find support, acceptance, and possibly the next cure. . . I shared my health data long before I worked in real-world data professionally. Now that I work in this field, I’ve learned a few key things. First, research is expensive and time consuming. . . Second, de-identifying real-world data is required before it’s shared with parties who don’t have the patient’s consent to use their personal information. De-identification adds a layer of privacy to data held by insurance companies, health systems, and other care providers. . . Third, making sense of health data to understand disease is difficult. . . Today, researchers partner with tech companies who. . . make sense of our data in ways the best doctors and researchers cannot on their own." Keep reading


PODCAST:
'Podnosis': Sizing up data privacy legislation and what you missed from the Digital Pharma East conference

Fierce Healthcare (November 2, 2022)
"The American Data Privacy and Protection Act. . . comes at a time when more tech companies are breaking into the healthcare space and eyes are turning to the protection of reproductive health data. To gain insight into the bill’s uncertain future, Fierce’s Annie Burky spoke with Deven McGraw, lead of data stewardship and sharing at medical genetics company Invitae." Listen here

 
Feedback or questions? We'd love to hear from you!
Reach us at privacymatters.privacyhub@datavant.com

 
