Privacy Matters | Privacy concerns with telehealth data sharing, experts' takes on health data privacy's main challenges, & more

December 15, 2022

Privacy Matters

Privacy Hub's fortnightly synthesis of the major news items affecting and shaping health data privacy, with expert analysis and commentary


 

The last few weeks in a flash: 

  • Significant privacy concerns surround tracking technologies 
  • Covering the spectrum from legislative needs to prevalent misconceptions, privacy experts offer varying perspectives on health data privacy's main challenges
  • Innovative dataset to counter human trafficking highlights the continuous evolution of privacy-preserving technologies

 

Leading Stories

‘Out of control’: Dozens of telehealth startups sent sensitive health information to big tech companies
STAT News (December 13, 2022)
"A joint investigation by STAT and The Markup of 50 direct-to-consumer telehealth companies like Workit found that quick, online access to medications often comes with a hidden cost for patients: Virtual care websites were leaking sensitive medical information they collect to the world’s largest advertising platforms. On 13 of the 50 websites, STAT and The Markup documented at least one tracker — from Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, or Pinterest — that collected patients’ answers to medical intake questions." Keep reading 

OCR Warns Providers About Patient Data Trackers
Fox Rothschild LLP (December 2, 2022)
"Yesterday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Bulletin warning HIPAA covered entities and business associates about the use of tracking technologies that may collect protected health information (PHI) in violation of HIPAA. The Bulletin is a comprehensive description of how and when patient data trackers present HIPAA compliance hurdles." Keep reading 

FTC and Other Regulators Continue to Signal Interest in Mobile Health Apps
Sheppard Mullin Richter & Hampton LLP (December 9, 2022)
"The FTC is closing out 2022 with additional guidance for mobile health app developers signaling its continued interest in this industry. Since 2021, we have seen several steps from the agency demonstrating a focus on companies that collect health information but may not be a covered entity or business associate under HIPAA. This includes publishing additional resources, releasing commentary broadly interpreting the FTC’s Health Breach Notification Rule, and enforcement activity. Most recently, the FTC and other key regulators updated its 'Mobile Health App Interactive Tool.'" Keep reading

Amazon's access to patient data raises privacy concerns
Becker's Hospital Review (December 1, 2022)
"Amazon is increasing its healthcare presence with its planned acquisition of One Medical and its new telehealth platform Amazon Clinic, but privacy experts are concerned about how the tech giant is going to handle protecting consumers' health data. . . According to Debbie Reynolds, a data privacy and protection expert, at the very least, Amazon Clinic will be bound by HIPAA, which means individual patient records will be protected as soon as a person begins a process with a healthcare provider. But all the information patients provide prior to this falls outside of HIPAA, giving Amazon access." Keep reading 

IOM and Microsoft release first-ever differentially private synthetic dataset to counter human trafficking
Microsoft Research Blog (December 8, 2022)
"Today, using software developed by Microsoft researchers, IOM released its second synthetic dataset from trafficking victim case records, the first ever public dataset to describe victim-perpetrator relations. The synthetic dataset is also the first of its kind to be generated with differential privacy, providing an additional security guarantee for multiple data releases, which enables the sharing of more data and allows more rigorous research to be conducted while protecting privacy and civil liberties." Keep reading 

 

Food for Thought

Are we taking patient privacy as seriously as we ought to be?
Healthcare IT News (December 5, 2022)
Article on Anita Allen's conference remarks
"Anita Allen, professor of law and philosophy at the University of Pennsylvania, kicked off the 2022 HIMSS Healthcare Cybersecurity Forum on Monday, with a nuanced and thought-provoking discussion on patient privacy in an era of widespread data sharing. . . In her keynote speech, Allen focused on the shifting narrative of data sharing and privacy, which she has been studying and writing about for 35 years." 
Keep reading

  • Anita L. Allen is a Professor of Law and Philosophy at University of Pennsylvania. A graduate of Harvard Law School with a PhD from the University of Michigan in Philosophy, Allen is internationally renowned as an expert on philosophical dimensions of privacy and data protection law, ethics, bioethics, legal philosophy, women’s rights, and diversity in higher education. 

Why the Culture Shift on Privacy and Security Means Today's Data Looks Different
Dark Reading (November 29, 2022)
Article by Balaji Ganesan
"A lack of federal regulatory legislation leaves US privacy concerns to battle for attention with other business priorities." 
Keep reading

  • Balaji Ganesan is the CEO & Founder of Privacera, a startup focused on building tools for enterprises to balance data democracy and open use of data with the need for comprehensive governance. 

 

Experts Expound

Building off Anita Allen’s recent remarks at HIMSS regarding the shifting narrative of data sharing and privacy, Dr. Patrick Baier, HIPAA Privacy Expert at Privacy Hub by Datavant, offers his perspective on current attitudes towards privacy and the most significant compliance blind spots amongst entities that use health data:

Overall, I think the vast majority of businesses and individuals using de-identified health information are very diligent and act responsibly regarding patient privacy. Very rarely do I feel that there is a deliberate disregard for either legal requirements under HIPAA or ethical standards patients should be entitled to expect from users of their health data.

However, mishandling of data does unfortunately occur, and it often stems from lack of awareness or a certain naïveté, rather than ill intention. For instance, users need to be aware that combining two de-identified data sets will not always yield a de-identified result within the meaning of the HIPAA Privacy Rule; the acquisition of additional sources of information by a data user may open new avenues of disclosure for that user that were not realistically available before. This also implies that a HIPAA-certified dataset cannot in general be shared freely with new users without re-evaluating HIPAA compliance.

Therefore, given the diversity of use cases and variety of applications relying on sensitive medical information, privacy experts’ work takes into account not only the data itself, but also the entire data environment: who the anticipated recipient is, what other data sources are available, how the data is going to be used, what other data the data is going to be combined with, who the data will be shared with, etc. Each of these aspects has an impact on what avenues of disclosure are realistically possible, and expert determinations include appropriate conditions under which each dataset continues to abide by HIPAA standards.

The privacy expert will make this determination at a point in time. It is then the responsibility of various parties involved to ensure the conditions are and continue to be met, and to re-evaluate the risk setting from time to time. Hence, it is imperative that all entities handling health data embed privacy into their everyday thinking, making it an integral part of all business decisions, in the same way a medical professional will always act with the patient’s physical and mental safety and well-being in mind.

Dr. Baier expounds further in a following edition of Privacy Matters.

 

Government Watcher


The California Privacy Rights Act

  • Background: The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, is a California ballot proposition that expands California's consumer privacy law and builds upon the California Consumer Privacy Act (CCPA) of 2018, which established a foundation for consumer privacy regulations. It was approved by a majority of voters after appearing on the ballot for the general election on November 3, 2020.
  • Latest Developments: 
    California Asked to Protect Audience Measurement in Privacy Bill
    Research Live (November 29, 2022)
    "The Insights Association (IA) has warned that changes to California’s privacy laws due to come into effect in 2023 could effectively ban audience measurement [which allows companies to combine personal information received from businesses with personal information received from the service provider’s own interactions with consumers] unless protections for the industry are added." Keep reading

European Union-U.S. Data Privacy Framework

  • Background: On October 7, 2022, President Joe Biden issued an Executive Order on the new EU-US Data Privacy Framework (EU-US DPF) which, if approved in the EU, would allow for the enhanced protection of personal information transferred between the US and the EU. The Executive Order follows an agreement in principle on the transfer framework which was announced in March 2022 by the President of the European Commission, Ursula von der Leyen, and marked the first formal step in adopting a new mechanism for transatlantic data flows.
  • Latest Developments:
    EU-US draft adequacy decision arrives, EU process begins in earnest
    IAPP (December 13, 2022)
    "The next domino in the finalization of the proposed EU-U.S. Data Privacy Framework has fallen. The European Commission published its draft adequacy decision recognizing the essential equivalence of U.S. data protection standards, paving the way for finalization of the DPF and unimpeded data flows. . . The draft decision will now move through a robust stakeholder consultation that includes examination and nonbinding opinions from the European Data Protection Board, the Council of the European Union and European Parliament." Keep reading
 

Best of the Rest


PODCAST:
HIMSSCast: A corporate counsel's perspective on data breaches
Healthcare IT News (December 11, 2022)
"In this special episode, recorded live in Boston at the HIMSS Healthcare Cybersecurity Forum, Roshal Marshall of McKesson discusses [perspectives on data breaches: how she works with chief information security officers and other IT leaders, advice on ensuring compliance, managing incident response, handling litigation and more]. [Other issues discussed include] emerging challenges around artificial intelligence and algorithmic integrity, the 21st Century Cures and information blocking rules – and other data governance and compliance challenges." Keep reading

  • Roshal Erskine Marshall is the Managing Chief Counsel of Global Privacy and Cybersecurity at McKesson Corporation, a large provider of pharmaceuticals, medical supplies, and health information technology products and services.
 
 
Feedback or questions? We'd love to hear from you!
Reach us at privacymatters.privacyhub@datavant.com
 

Related Newsletters

Privacy Matters | State privacy laws start going into effect, Patrick Baier discusses the most significant compliance blindspots among entities that use health data, & more


Privacy Matters | Several states introduce new privacy bills, Ofer Mendelevitch reflects on synthetic data's privacy capabilities, & more


Privacy Matters | Two more states pass comprehensive consumer privacy legislation, David Copeland offers an introduction to unstructured health data within the privacy preservation space, & more
