Newsletter

Privacy Matters | Biometric data in EHRs, health data breaches, Jonah Leshin expounds on biometric data's ability to enhance patient matching, & more

Written by Privacy Hub Team | Nov 17, 2022 7:09:00 PM

Privacy Matters

Privacy Hub's fortnightly synthesis of the major news items
affecting and shaping health data privacy,
with expert analysis and commentary

To subscribe to our newsletter, click here

 

The last few weeks in a flash:

  • Experts explore how the addition of biometric data to electronic health records could improve patient matching, balancing the benefits against privacy concerns.
  • Healthcare data breaches and potential government surveillance of commercially-collected health data pose significant challenges to patient privacy.
  • The protection of reproductive health information continues to be a major driver of research and advocacy efforts by medical professionals and organizations.

 

Leading Stories

How Adding Biometric Data to the EHR Can Drive Patient Matching
EHR Intelligence (November 2, 2022)
"Including biometric data like facial imaging in the EHR could help improve patient matching and cut costs, but patient data security remains a concern." Keep reading

Survey: Users of Digital Health Apps are Divided on Data Privacy but Most Share Data with Their Providers or Family Members
Cision PR Newswire (November 14, 2022)
"A new survey conducted by juli, the AI-powered chronic condition platform, reveals sharp differences among Americans in the value they place on digital privacy. Amid growing concern about the privacy of patient data, the survey found that app users' assessments of the importance of data privacy varied widely by age, gender and education level. Overall, women, older people, and those with a college education all rated privacy as more important than men, younger people, and those with a high school education.Keep reading

  • juli is an AI-powered app for anyone with chronic conditions. juli collects data from various sources (phone, watch, environmental data, electronic health records and patient’s self-reported data).

Latest Healthcare Data Breaches Have Varying Impacts on Health Data
Health IT Security (November 14, 2022)
"The latest string of healthcare data breach notifications includes breaches at a New York police union, a California post-acute care facility, and a Colorado FQHC. . . In September, Legacy Post Acute Care first discovered that an unauthorized party had accessed several employee email accounts . . . [that] contained patient names, Social Security numbers, treatment information, health insurance information, financial information, prescription information, and patient account and medical record numbers.Keep reading 

Customer Data Can Be Used As Evidence in Government Surveillance
Marsh McLennan (November 13, 2022)
"The United States has electronic surveillance laws that prevent authorities from conducting wiretaps and other electronic surveillance without court oversight, but those laws do not necessarily protect our personal data collected commercially. That has profound implications in our post-Dobbs world, says Anne Toomey McKenna, professor of Law at University of Richmond School of Law and an expert on privacy, surveillance and law." Keep reading

Patients sue WakeMed, Aurora over data collection by Meta's pixel tool
SC Media (November 1, 2022)
"WakeMed Health and Hospitals, and Aurora Advocate Health are both facing patient-led lawsuits after two separate breach notices tied to possible data scraping by the use of Pixel on its hospital and patient-facing websites. . . WakeMed informed 495,000 patients and Advocate Aurora notified 3 million individuals that their data was inadvertently shared with Meta and other third-party vendors due to the use of Pixel on their respective websites." Keep reading

 

Experts Expound

Jonah Leshin, Head of Privacy Research at Privacy Hub by Datavant, elaborates on the Pew Charitable Trusts report's conclusion that adding biometric data to the EHR could enhance patient matching:

Incorporating biometric data into our patient matching paradigm has the potential to mitigate critical challenges that we face today, such as transient identifiers and manual data entry errors.

As the Pew report discusses, implementing biometric data into a patient matching process requires consideration along multiple dimensions, including:

  • Storage of biometric data in a centralized database versus a decentralized on-device model.
  • The type of biometric data to be collected; for example, fingerprint, facial scan, or both.
  • The means by which biometric data is used to determine a patient match; for example, requiring an exact match on biometric data versus a hybrid approach in which biometric data is used in combination with more traditional demographic data.

Patient privacy plays a central role within and between each of these dimensions. The identifiability risks posed by the data itself, its transfer between systems, and the way it is combined with other data require close review. Moreover, the principles and analyses underlying such a review must be transparently laid out in order to build the trust that enables patient participation, and ultimately actualize the benefits of such a paradigm.

 

Government Watcher

Federal Trade Commission's Advance Notice of Proposed Rule on Commercial Surveillance and Data Security 
Background: Unveiled on August 11, 2022, by the Federal Trade Commission (FTC) and published on August 22, 2022, in the Federal Register, this proposed rule on commercial surveillance and data security practices that harm consumers and competition is the first step toward creating national privacy and security rules that, if finalized, would apply across most sectors of the U.S. economy. 

Latest Developments:

  • Planned Parenthood Calls on FTC to Protect Sensitive Data
    Media Post via IAPP (November 14, 2022)
    "Planned Parenthood urged the U.S. Federal Trade Commission to 'write tailored regulations to protect consumers' sensitive data from the potentially dangerous consequences of commercial surveillance and lax data security.'" Keep reading
  • US senators request halt to FTC privacy rulemaking
    Media Post via IAPP (November 8, 2022)
    "U.S. senators sent a letter to U.S. Federal Trade Commission Chair Lina Khan asking the agency to stop its rulemaking initiative on commercial surveillance and lax data security. . . Sens. Cynthia Lummis, R-Wyo., Kevin Cramer, R-N.D., and Marco Rubio, R-Fla., wrote the FTC 'should not exceed its authority' with a rulemaking in the absence of a federal privacy law and instead 'leave that work to Congress.'" Keep reading

Engage: The ANPRM asks for public comment on 95 questions, ranging from topics such as targeted advertising, security of personal information, algorithmic discrimination, and protection of children and teens. Deadline for ANPRM Comments is now November 21, 2022.

Colorado Privacy Act Rules

Background: On July 7, 2021, Governor Polis signed Senate Bill 21-190: Protect Personal Data Privacy establishing the Colorado Privacy Act (CPA). The CPA is a part of the State of Colorado’s Consumer Protection Act. The CPA gives the Colorado Attorney General authority to adopt rules governing privacy. It also requires that, by July 1, 2023, the Colorado Attorney General specifically adopt rules that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.

Latest Developments:

Engage: In conjunction with the publication of the Draft Rules, the Colorado Attorney General’s Office will hold a public hearing on February 1, 2023 that will be conducted in person and by video conference. Anyone can request to testify at the rulemaking hearing and submit public comments.

 

Food for Thought

Patient Matching: Privacy Considerations
Datavant (October 27, 2022)
Written by Jonah Leshin
"Piecing together a comprehensive and accurate view of the patient journey – for example, obtaining a complete prescription history or linking clinical trial data with future healthcare encounters – is critical to ultimately improving patient outcomes. . . Any given approach to patient matching carries its own elements of risk. Exploring these risk factors and how they can be mitigated is vital for implementing a process that is both privacy-first and fit-for-purpose." 
Keep reading

  • Jonah Leshin is the Head of Privacy Research at Privacy Hub by Datavant. He holds a Ph.D. in Mathematics from Brown University.


Protecting reproductive health information in the post-Roe era: interoperability strategies for healthcare institutions
JAMIA (October 26, 2022)
Study by Raman R Khanna, Sara G Murray, Timothy Wen, Kirsten Salmeen, Tushani Illangasekare, Nerys Benfield, Julia Adler-Milstein, and Lucia Savage
"Healthcare institutions capture information about patients’ pregnancy and abortion care and, due to interoperability, may share it in ways that expose their providers and patients to social stigma and potential legal jeopardy in states with severe restrictions. In this article, we describe sources of risk to patients and providers that arise from interoperability and specify actions that institutions can take to reduce that risk." Keep reading

  • Authored by medical and research professionals, several of which focus on obstetrics.
  • Affiliations include UCSF's Department of Medicine, Center for Clinical Informatics and Improvement Research, and Department of Obstetrics, Gynecology, and Reproductive Sciences. 
     

Building Patient Privacy Trust for Digitized Healthcare Consumerism
PatientEngagementHIT (November 14, 2022)
Written by Sarah Heath (after interviewing Michael Levy
"Healthcare consumerism will hinge on health data liquidity. But with patients as the owners of that data, the industry has a big patient privacy trust imperative on its hands." Keep reading

  • Sarah Heath is the Managing Editor at Xtelligent Healthcare Media.
  • Michael Levy is the CEO of the Digital Health Institute for Transformation (DHIT), a North Carolina-based non-profit education and research institute focused on leveraging patient health data to advance community health and equity.
 

Best of the Rest


PODCAST:
What the 2022 midterm election results mean for US privacy law
IAPP (November 11, 2022)
"To shed light on [how the results of the midterm elections affect federal and state privacy legislation in 2023 and beyond], IAPP Editorial Director Jedidiah Bracy, CIPP, caught up with R Street Resident Senior Fellow for Cybersecurity and Emerging Threats Brandon Pugh, CIPP/US, and Public Knowledge Senior Policy Counsel Sara Collins." Listen here

BLOG:
Why I let researchers sequence my DNA - a case for sharing health data

LinkedIn (October 24, 2022)
Written by Elenee Argentinis
"Today, online patient communities attract millions of patients seeking support, available trials, and experiences on different drugs. Patients share their stories [across social media]. . . By sharing health information we find support, acceptance, and possibly the next cure. . . I shared my health data long before I worked in real-world data professionally. Now that I work in this field, I’ve learned a few key things. First, research is expensive and time consuming. . . Second, de-identifying real-world data is required before it’s shared with parties who don’t have the patient’s consent to use their personal information. De-identification adds a layer of privacy to data held by insurance companies, health systems, and other care providers. . . Third, making sense of health data to understand disease is difficult. . . Today, researchers partner with tech companies who. . . make sense of our data in ways the best doctors and researchers cannot on their own." Keep reading


PODCAST:
'Podnosis': Sizing up data privacy legislation and what you missed from the Digital Pharma East conference

Fierce Healthcare (November 2, 2022)
"The American Data Privacy and Protection Act. . . comes at a time when more tech companies are breaking into the healthcare space and eyes are turning to the protection of reproductive health data. To gain insight into the bill’s uncertain future, Fierce’s Annie Burky spoke with Deven McGraw, lead of data stewardship and sharing at medical genetics company Invitae." Listen here

 
Feedback or questions? We'd love to hear from you!
Reach us at privacymatters.privacyhub@datavant.com