Privacy Hub's fortnightly synthesis of the major news items
affecting and shaping health data privacy,
with expert analysis and commentary
The last few weeks in a flash:
‘Out of control’: Dozens of telehealth startups sent sensitive health information to big tech companies
STAT News (December 13, 2022)
"A joint investigation by STAT and The Markup of 50 direct-to-consumer telehealth companies like Workit found that quick, online access to medications often comes with a hidden cost for patients: Virtual care websites were leaking sensitive medical information they collect to the world’s largest advertising platforms. On 13 of the 50 websites, STAT and The Markup documented at least one tracker — from Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, or Pinterest — that collected patients’ answers to medical intake questions."
OCR Warns Providers About Patient Data Trackers
Fox Rothschild LLP (December 2, 2022)
"Yesterday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Bulletin warning HIPAA covered entities and business associates about the use of tracking technologies that may collect protected health information (PHI) in violation of HIPAA. The Bulletin is a comprehensive description of how and when patient data trackers present HIPAA compliance hurdles."
FTC and Other Regulators Continue to Signal Interest in Mobile Health Apps
Sheppard Mullin Richter & Hampton LLP (December 9, 2022)
"The FTC is closing out 2022 with additional guidance for mobile health app developers signaling its continued interest in this industry. Since 2021, we have seen several steps from the agency demonstrating a focus on companies that collect health information but may not be a covered entity or business associate under HIPAA. This includes publishing additional resources, releasing commentary broadly interpreting the FTC’s Health Breach Notification Rule, and enforcement activity. Most recently, the FTC and other key regulators updated its 'Mobile Health App Interactive Tool.'"
Amazon's access to patient data raises privacy concerns
Becker's Hospital Review (December 1, 2022)
"Amazon is increasing its healthcare presence with its planned acquisition of One Medical and its new telehealth platform Amazon Clinic, but privacy experts are concerned about how the tech giant is going to handle protecting consumers' health data. . . According to Debbie Reynolds, a data privacy and protection expert, at the very least, Amazon Clinic will be bound by HIPAA, which means individual patient records will be protected as soon as a person begins a process with a healthcare provider. But all the information patients provide prior to this falls outside of HIPAA, giving Amazon access."
IOM and Microsoft release first-ever differentially private synthetic dataset to counter human trafficking
Microsoft Research Blog (December 8, 2022)
"Today, using software developed by Microsoft researchers, IOM released its second synthetic dataset from trafficking victim case records, the first ever public dataset to describe victim-perpetrator relations. The synthetic dataset is also the first of its kind to be generated with differential privacy, providing an additional security guarantee for multiple data releases, which enables the sharing of more data and allows more rigorous research to be conducted while protecting privacy and civil liberties."
Are we taking patient privacy as seriously as we ought to be?
Healthcare IT News (December 5, 2022)
Article on Anita Allen's conference remarks
"Anita Allen, professor of law and philosophy at the University of Pennsylvania, kicked off the 2022 HIMSS Healthcare Cybersecurity Forum on Monday, with a nuanced and thought-provoking discussion on patient privacy in an era of widespread data sharing. . . In her keynote speech, Allen focused on the shifting narrative of data sharing and privacy, which she has been studying and writing about for 35 years."
Why the Culture Shift on Privacy and Security Means Today's Data Looks Different
Dark Reading (November 29, 2022)
Article by Balaji Ganesan
"A lack of federal regulatory legislation leaves US privacy concerns to battle for attention with other business priorities."
Building off Anita Allen’s recent remarks at HIMSS regarding the shifting narrative of data sharing and privacy, Dr. Patrick Baier, HIPAA Privacy Expert at Privacy Hub by Datavant, offers his perspective on current attitudes towards privacy and the most significant compliance blind spots amongst entities that use health data:
Overall, I think the vast majority of businesses and individuals using de-identified health information are very diligent and act responsibly regarding patient privacy. Very rarely do I feel that there is a deliberate disregard for either legal requirements under HIPAA or ethical standards patients should be entitled to expect from users of their health data.
However, mishandling of data does unfortunately occur, and it often stems from lack of awareness or a certain naïveté, rather than ill intention. For instance, users need to be aware that combining two de-identified data sets will not always yield a de-identified result within the meaning of the HIPAA Privacy Rule; the acquisition of additional sources of information by a data user may open new avenues of disclosure for that user that were not realistically available before. This also implies that a HIPAA-certified dataset cannot in general be shared freely with new users without re-evaluating HIPAA compliance.
Therefore, given the diversity of use cases and variety of applications relying on sensitive medical information, privacy experts’ work takes into account not only the data itself, but also the entire data environment: who the anticipated recipient is, what other data sources are available, how the data is going to be used, what other data the data is going to be combined with, who the data will be shared with, etc. Each of these aspects has an impact on what avenues of disclosure are realistically possible, and expert determinations include appropriate conditions under which each dataset continues to abide by HIPAA standards.
The privacy expert will make this determination at a point in time. It is then the responsibility of various parties involved to ensure the conditions are and continue to be met, and to re-evaluate the risk setting from time to time. Hence, it is imperative that all entities handling health data embed privacy into their everyday thinking, making it an integral part of all business decisions, in the same way a medical professional will always act with the patient’s physical and mental safety and well-being in mind.
Dr. Baier expounds further in a following edition of Privacy Matters.
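The linkage risk Dr. Baier describes, as an added example that is not part of the original newsletter: two constructed datasets are each k-anonymous on their own quasi-identifiers, yet a recipient who holds both and joins them on a shared pseudonymous token ends up with unique rows, which is why the combined release needs a fresh determination. All records, tokens and column names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real patient data). Both releases share a
# pseudonymous token, the kind of "additional source" that lets a recipient
# link them row by row.
DATASET_A = [  # quasi-identifiers: age band and 3-digit ZIP
    {"token": "t1", "age_band": "40-49", "zip3": "021"},
    {"token": "t2", "age_band": "40-49", "zip3": "021"},
    {"token": "t3", "age_band": "40-49", "zip3": "021"},
    {"token": "t4", "age_band": "50-59", "zip3": "100"},
    {"token": "t5", "age_band": "50-59", "zip3": "100"},
    {"token": "t6", "age_band": "50-59", "zip3": "100"},
]
DATASET_B = [  # quasi-identifiers: sex and year of visit
    {"token": "t1", "sex": "F", "visit_year": 2021},
    {"token": "t2", "sex": "M", "visit_year": 2021},
    {"token": "t3", "sex": "F", "visit_year": 2021},
    {"token": "t4", "sex": "M", "visit_year": 2021},
    {"token": "t5", "sex": "F", "visit_year": 2022},
    {"token": "t6", "sex": "F", "visit_year": 2022},
]
QI_A = ["age_band", "zip3"]
QI_B = ["sex", "visit_year"]


def equivalence_classes(rows, qi_columns):
    """Count rows sharing each combination of quasi-identifier values."""
    return Counter(tuple(row[c] for c in qi_columns) for row in rows)


def k_anonymity(rows, qi_columns):
    """Smallest equivalence class; k == 1 means some row is unique."""
    classes = equivalence_classes(rows, qi_columns)
    return min(classes.values()) if classes else 0


def join_on_token(rows_a, rows_b):
    """Link the two releases the way a recipient holding both could."""
    by_token = {r["token"]: r for r in rows_b}
    return [{**a, **by_token[a["token"]]} for a in rows_a if a["token"] in by_token]


def linkage_report():
    """k for each release alone, k after linkage, and how many linked rows are unique."""
    joined = join_on_token(DATASET_A, DATASET_B)
    joined_classes = equivalence_classes(joined, QI_A + QI_B)
    return {
        "k_a": k_anonymity(DATASET_A, QI_A),
        "k_b": k_anonymity(DATASET_B, QI_B),
        "k_joined": min(joined_classes.values()),
        "unique_after_join": sum(1 for n in joined_classes.values() if n == 1),
    }
```

Run `linkage_report()` to see k drop from 3 and 2 to 1 after the join, with two of the six linked rows singled out on the combined quasi-identifiers.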
The California Privacy Rights Act
European Union-U.S. Data Privacy Framework
PODCAST:
HIMSSCast: A corporate counsel's perspective on data breaches
Healthcare IT News (December 11, 2022)
"In this special episode, recorded live in Boston at the HIMSS Healthcare Cybersecurity Forum, Roshal Marshall of McKesson discusses [perspectives on data breaches: how she works with chief information security officers and other IT leaders, advice on ensuring compliance, managing incident response, handling litigation and more]. [Other issues discussed include] emerging challenges around artificial intelligence and algorithmic integrity, the 21st Century Cures and information blocking rules – and other data governance and compliance challenges."