Privacy Hub's fortnightly synthesis of the major news items affecting and shaping health data privacy, with expert analysis and commentary
The last few weeks in a flash:
How Adding Biometric Data to the EHR Can Drive Patient Matching
EHR Intelligence (November 2, 2022)
"Including biometric data like facial imaging in the EHR could help improve patient matching and cut costs, but patient data security remains a concern." Keep reading
Survey: Users of Digital Health Apps are Divided on Data Privacy but Most Share Data with Their Providers or Family Members
Cision PR Newswire (November 14, 2022)
"A new survey conducted by juli, the AI-powered chronic condition platform, reveals sharp differences among Americans in the value they place on digital privacy. Amid growing concern about the privacy of patient data, the survey found that app users' assessments of the importance of data privacy varied widely by age, gender and education level. Overall, women, older people, and those with a college education all rated privacy as more important than men, younger people, and those with a high school education." Keep reading
Latest Healthcare Data Breaches Have Varying Impacts on Health Data
Health IT Security (November 14, 2022)
"The latest string of healthcare data breach notifications includes breaches at a New York police union, a California post-acute care facility, and a Colorado FQHC. . . In September, Legacy Post Acute Care first discovered that an unauthorized party had accessed several employee email accounts . . . [that] contained patient names, Social Security numbers, treatment information, health insurance information, financial information, prescription information, and patient account and medical record numbers." Keep reading
Customer Data Can Be Used As Evidence in Government Surveillance
Marsh McLennan (November 13, 2022)
"The United States has electronic surveillance laws that prevent authorities from conducting wiretaps and other electronic surveillance without court oversight, but those laws do not necessarily protect our personal data collected commercially. That has profound implications in our post-Dobbs world, says Anne Toomey McKenna, professor of Law at University of Richmond School of Law and an expert on privacy, surveillance and law." Keep reading
Patients sue WakeMed, Aurora over data collection by Meta's pixel tool
SC Media (November 1, 2022)
"WakeMed Health and Hospitals, and Aurora Advocate Health are both facing patient-led lawsuits after two separate breach notices tied to possible data scraping by the use of Pixel on its hospital and patient-facing websites. . . WakeMed informed 495,000 patients and Advocate Aurora notified 3 million individuals that their data was inadvertently shared with Meta and other third-party vendors due to the use of Pixel on their respective websites." Keep reading
Jonah Leshin, Head of Privacy Research at Privacy Hub by Datavant, elaborates on the Pew Charitable Trusts report's conclusion that adding biometric data to the EHR could enhance patient matching:
Incorporating biometric data into our patient matching paradigm has the potential to mitigate critical challenges that we face today, such as transient identifiers and manual data entry errors.
As the Pew report discusses, implementing biometric data into a patient matching process requires consideration along multiple dimensions, including:
Patient privacy plays a central role within and between each of these dimensions. The identifiability risks posed by the data itself, its transfer between systems, and the way it is combined with other data require close review. Moreover, the principles and analyses underlying such a review must be transparently laid out in order to build the trust that enables patient participation, and ultimately actualize the benefits of such a paradigm.
Federal Trade Commission's Advance Notice of Proposed Rule on Commercial Surveillance and Data Security
Background: Unveiled on August 11, 2022, by the Federal Trade Commission (FTC) and published on August 22, 2022, in the Federal Register, this proposed rule on commercial surveillance and data security practices that harm consumers and competition is the first step toward creating national privacy and security rules that, if finalized, would apply across most sectors of the U.S. economy.
Latest Developments:
Engage: The ANPRM asks for public comment on 95 questions, covering topics such as targeted advertising, security of personal information, algorithmic discrimination, and protection of children and teens. The deadline for ANPRM comments is now November 21, 2022.
Background: On July 7, 2021, Governor Polis signed Senate Bill 21-190: Protect Personal Data Privacy establishing the Colorado Privacy Act (CPA). The CPA is a part of the State of Colorado’s Consumer Protection Act. The CPA gives the Colorado Attorney General authority to adopt rules governing privacy. It also requires that, by July 1, 2023, the Colorado Attorney General specifically adopt rules that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.
Latest Developments:
Engage: In conjunction with the publication of the Draft Rules, the Colorado Attorney General’s Office will hold a public hearing on February 1, 2023 that will be conducted in person and by video conference. Anyone can request to testify at the rulemaking hearing and submit public comments.
Patient Matching: Privacy Considerations
Datavant (October 27, 2022)
Written by Jonah Leshin
"Piecing together a comprehensive and accurate view of the patient journey – for example, obtaining a complete prescription history or linking clinical trial data with future healthcare encounters – is critical to ultimately improving patient outcomes. . . Any given approach to patient matching carries its own elements of risk. Exploring these risk factors and how they can be mitigated is vital for implementing a process that is both privacy-first and fit-for-purpose." Keep reading
Protecting reproductive health information in the post-Roe era: interoperability strategies for healthcare institutions
JAMIA (October 26, 2022)
Study by Raman R Khanna, Sara G Murray, Timothy Wen, Kirsten Salmeen, Tushani Illangasekare, Nerys Benfield, Julia Adler-Milstein, and Lucia Savage
"Healthcare institutions capture information about patients’ pregnancy and abortion care and, due to interoperability, may share it in ways that expose their providers and patients to social stigma and potential legal jeopardy in states with severe restrictions. In this article, we describe sources of risk to patients and providers that arise from interoperability and specify actions that institutions can take to reduce that risk." Keep reading
Building Patient Privacy Trust for Digitized Healthcare Consumerism
PatientEngagementHIT (November 14, 2022)
Written by Sarah Heath (after interviewing Michael Levy)
"Healthcare consumerism will hinge on health data liquidity. But with patients as the owners of that data, the industry has a big patient privacy trust imperative on its hands." Keep reading
PODCAST:
What the 2022 midterm election results mean for US privacy law
IAPP (November 11, 2022)
"To shed light on [how the results of the midterm elections affect federal and state privacy legislation in 2023 and beyond], IAPP Editorial Director Jedidiah Bracy, CIPP, caught up with R Street Resident Senior Fellow for Cybersecurity and Emerging Threats Brandon Pugh, CIPP/US, and Public Knowledge Senior Policy Counsel Sara Collins." Listen here
BLOG:
Why I let researchers sequence my DNA - a case for sharing health data
LinkedIn (October 24, 2022)
Written by Elenee Argentinis
"Today, online patient communities attract millions of patients seeking support, available trials, and experiences on different drugs. Patients share their stories [across social media]. . . By sharing health information we find support, acceptance, and possibly the next cure. . . I shared my health data long before I worked in real-world data professionally. Now that I work in this field, I’ve learned a few key things. First, research is expensive and time consuming. . . Second, de-identifying real-world data is required before it’s shared with parties who don’t have the patient’s consent to use their personal information. De-identification adds a layer of privacy to data held by insurance companies, health systems, and other care providers. . . Third, making sense of health data to understand disease is difficult. . . Today, researchers partner with tech companies who. . . make sense of our data in ways the best doctors and researchers cannot on their own." Keep reading
PODCAST:
'Podnosis': Sizing up data privacy legislation and what you missed from the Digital Pharma East conference
Fierce Healthcare (November 2, 2022)
"The American Data Privacy and Protection Act. . . comes at a time when more tech companies are breaking into the healthcare space and eyes are turning to the protection of reproductive health data. To gain insight into the bill’s uncertain future, Fierce’s Annie Burky spoke with Deven McGraw, lead of data stewardship and sharing at medical genetics company Invitae." Listen here