Privacy Matters | Governmental attempts and pressure on big tech to bolster privacy, Ann Waldo elaborates on the risks of divergent de-identification laws, & more

December 1, 2022

Privacy Matters

Privacy Hub's fortnightly synthesis of the major news items affecting and shaping health data privacy, with expert analysis and commentary


 

The last few weeks in a flash: 
  • Pressure compounds for big tech to strengthen its protection of reproductive health data
  • While the federal privacy bill remains at a standstill in the House, other governmental attempts to bolster privacy continue to emerge and develop
  • Health data privacy faces increasing challenges as a result of factors such as third-party risk, the Dobbs decision, the growing interconnectedness of healthcare, and evolving data-sharing and data-tracking technologies

 

Leading Stories

Report Highlights HHS Data and Cybersecurity Challenges
Healthcare Innovation Group (November 21, 2022)
"According to a report issued this month from the U.S. Department of Health and Human Services (HHS) Office of Inspector General, entitled '2022 Top Management & Performance Challenges Facing HHS,' HHS says that one of its six top management and performance challenges (TMCs) is 'Harnessing and Protecting Data and Technology to Improve the Health and Well-Being of Individuals.' The report states that 'The Department continues to improve how it collects, manages, shares, and secures its data. In parallel, HHS is refining its approach to influence and shape how other entities use technology. Yet HHS faces significant challenges to both protect data and technology from persistent cybersecurity threats and improve how the Department and related entities share large amounts of critical data from disparate sources, including public health data, on an unprecedented scale.'"

10 State AGs Call on Apple to Bolster Reproductive Health Data Privacy in App Store
Health IT Security (November 23, 2022)
"Ten state attorneys general sent a letter to Apple urging the company to take steps to better protect reproductive health data in third-party apps available on the App Store."

Do’s and don’ts of data de-identification
GNC (November 21, 2022)
"To ensure de-identified data cannot be engineered to reveal individuals’ sensitive information, the National Institute of Standards and Technology is updating its guidance to address advances in privacy technology in the six years since the last version was issued."

 

Experts Expound

Ann Waldo, Outside Privacy Counsel for Datavant, elaborates on the risks of divergent de-identification laws, as expressed in Datavant’s Comment to the FTC regarding its Advance Notice of Proposed Rulemaking on Commercial Surveillance and Data Security:


As a long-standing HIPAA lawyer and advocate for medical research and patient rights, I worry about recent trends to enact de-identification laws that diverge from HIPAA’s long-standing de-identification standard. HIPAA’s standard is backed up by several decades of statistical disclosure science and is deeply embedded in the health data ecosystem. Divergent standards would introduce chaos and costs.

California was first to create a de-identification definition that bore no resemblance to that in HIPAA. After two years of effort, CA changed its law to harmonize de-identification with HIPAA, though only for patient information. Thankfully, the next four state privacy laws enacted include harmonized HIPAA de-identification for health data. But the risk of divergent standards still looms. The pending federal privacy bill, ADPPA, contains a novel de-identification definition with no HIPAA harmonization. Whether the FTC’s potential new framework would recognize HIPAA de-identification is unknowable at this time.

The risk of a divergent state or federal standard is serious. If all of the hundreds of thousands of governmental and private sector users of de-identified health data had to meet not only the HIPAA standard but also a second (or third or fourth) standard, the compliance and financial burden on research, data fluidity, medical breakthroughs, payers, and ultimately, patients, would be vast and untenable. Maintaining de-identification harmonization is crucial.

 

Food for Thought


Top 3 HIPAA Compliance Challenges of This Year
HealthITSecurity (November 17, 2022)
Interview with Rebecca Herold
"A privacy expert breaks down the top HIPAA compliance challenges coming out of 2022, including the Dobbs decision, third-party risk, and the increasing interconnectedness of healthcare."

  • Rebecca Herold is the CEO and founder of The Privacy Professor and member of IEEE, a nonprofit technical organization.

New healthcare privacy challenges as online data tracking, sharing methods evolve
Healthcare IT News (November 16, 2022)
Interview with Andrew Maher
"With security concerns, including a potential breach and a class-action suit, around Meta Pixel and other web tracking tools, health systems should be considering 'all the ways PHI may be used, disclosed and accessed,' says a former OCR investigator." 

  • Andrew Maher is a former investigator with HHS Office for Civil Rights and now Vice President of Privacy and Compliance at CynergisTek, a cybersecurity consulting firm.
 

Government Watcher


Federal Trade Commission's Advance Notice of Proposed Rule on Commercial Surveillance and Data Security 

  • Background: Unveiled on August 11, 2022, by the Federal Trade Commission (FTC) and published on August 22, 2022, in the Federal Register, this proposed rule on commercial surveillance and data security practices that harm consumers and competition is the first step toward creating national privacy and security rules that, if finalized, would apply across most sectors of the U.S. economy. 
  • Latest Developments:
    U.S. Chamber Opposes FTC's Data Privacy Rulemaking
    US Chamber of Commerce (November 21, 2022)
    "Jordan Crenshaw, Vice President of the U.S. Chamber’s Technology Engagement Center issued the following statement today following the U.S. Chamber’s filing of comments with the Federal Trade Commission regarding its privacy rulemaking proposal: 'The Federal Trade Commission’s comprehensive data privacy rulemaking is another action from an agency gone rogue. The FTC has signaled that it intends to act as its own legislature to force sweeping regulations on the whole economy that Congress has not authorized. The Commission should respect due process and separation of powers, work to limit the burdens on responsible data-driven innovation, and not micromanage the decisions of every American business.'"

Health & Human Services Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA)'s Advance Notice of Proposed Rulemaking: New Protections to Increase Care Coordination and Confidentiality for Patients With Substance Use Challenges

  • Background: On November 28, 2022, the U.S. Health and Human Services Department, through the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), announced proposed changes to the Confidentiality of Substance Use Disorder (SUD) Patient Records under 42 CFR part 2 (“Part 2”), which protects patient privacy and records concerning treatment related to substance use challenges from unauthorized disclosures. Specifically, [November 28th]’s proposed rule increases coordination among providers in treatment for substance use challenges and increases protections for patients concerning records disclosure to avoid discrimination in treatment.
  • Latest Developments:
    HHS Proposes New Rule to Align 42 CFR Part 2 With HIPAA
    Health IT Security (November 28, 2022)
    "The HHS Office for Civil Rights and the Substance Abuse and Mental Health Services Administration proposed updates to increase care coordination and strengthen Part 2’s alignment with HIPAA."
  • Engage: The public is welcome to submit comments on the NPRM within 60 days after its publication in the Federal Register.

Supplement to the President's FY 2023 Budget: A report by the Subcommittee on Networking & Information Technology Research and Development and the Machine Learning and Artificial Intelligence Subcommittee

  • Background: This document, shared with Congress on November 29, 2022, is a supplement to the President's FY 2023 Budget Request to Congress. Following Congressional mandate, the Supplement incorporates budgetary and programmatic information for member agencies of the NITRD Program and for the National Artificial Intelligence Initiative. 
  • Relevant Developments: "NITRD’s budget crosscut has increased from $7.8 billion requested in FY 2022 to $9.6 billion requested in FY 2023. The $1.8 billion increase emphasizes the Biden Administration's commitment to robust, safe, secure, and privacy-preserving machine learning and to equity for all. Furthermore, R&D investments support the research, development, and application of technologies that promote socially responsible computing and defend critical infrastructure and sensitive networks."

European Union-U.S. Data Privacy Framework

  • Background: On October 7, 2022, President Joe Biden issued an Executive Order on the new EU-US Data Privacy Framework (EU-US DPF) which, if approved in the EU, would allow for the enhanced protection of personal information transferred between the US and the EU. The Executive Order follows an agreement in principle on the transfer framework which was announced in March 2022 by the President of the European Commission, Ursula von der Leyen, and marked the first formal step in adopting a new mechanism for transatlantic data flows.
  • Latest Developments:
    Pressure points remain with EU-US Data Privacy Framework
    IAPP (November 29, 2022)
    "While a final resolution is near, there's been more wait-and-see periods than action during negotiations for the EU-U.S. Data Privacy Framework.

    First it was months of waiting in between the provisional EU-U.S. agreement on data transfers and the executive order securing U.S. national security commitments. Now concerned parties are set to stand by another six months at least while the European Commission works through a potential adequacy decision."

 

Best of the Rest


ARTICLE / CLIENT ADVISORY:

Biometric Privacy Trends in the United States
Hughes Hubbard & Reed (November 17, 2022)
"The United States is seeing a surge in litigation over biometric privacy rights. Most of this litigation is happening under state law, and state attorneys general and private litigants have been bringing lawsuits in record numbers. In particular, there has been an uptick in class action litigation filed under the Illinois Biometric Privacy Act (BIPA)."

 

Feedback or questions? We'd love to hear from you!
Reach us at privacymatters.privacyhub@datavant.com

 
