Privacy Hub's fortnightly synthesis of the major news items
affecting and shaping health data privacy,
with expert analysis and commentary
The last few weeks in a flash:
- Several new state privacy bills are introduced as federal bill stalls in the House
- Biden calls on lawmakers to pass bipartisan legislation to rein in Big Tech
- Hacking was behind the great majority of healthcare data breaches in 2022
My Health, My Data: New Bill Aims to Protect Health Data in Washington
Fox Rothschild (January 11, 2023)
"A new Washington State bill works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers’ health data. The bill provides heightened protections for Washingtonians’ health data by requiring additional disclosures and consumer consent regarding the collection, sharing, and use of such information. It also empowers consumers with the right to have their health data deleted, prohibits the selling of consumer health data and makes it unlawful to utilize a geofence around a facility that provides health care services."
Biden urges Congress to pass bipartisan tech legislation in WSJ op-ed
CNN (January 11, 2023)
"President Joe Biden called on members of Congress Wednesday to set aside partisan differences and pass groundbreaking legislation to rein in Big Tech, focusing on digital privacy, antitrust and the industry’s liability shield, Section 230 of the Communications Decency Act. In a Wall Street Journal op-ed, Biden said that despite making some progress on increasing tech industry oversight, the US government has run up against the limits of its statutory authority. . . Biden urged lawmakers to 'limit targeted advertising and ban it altogether for children,' a proposal linked to a key bipartisan privacy bill unveiled in the last Congress."
Healthcare CISOs Form Health3PT Council to Improve Third-Party Risk Management
Health IT Security (January 11, 2023)
"More than 20 healthcare leaders have come together to form the Health 3rd Party Trust (Health3PT) Initiative and Council, aimed at introducing new standards, automated workflows, and assurance models to the third-party risk management (TPRM) conversation. Third-party risk management remains a top challenge for healthcare security practitioners. In fact, the majority of the top ten largest healthcare data breaches reported to HHS in 2022 stemmed from third-party vendors."
Patient Data Access is Insufficient for 60% of Healthcare Consumers
Patient Engagement HIT (January 19, 2023)
"Providing patients with easy access to their health information can improve patient engagement. Yet, recent findings revealed that 60 percent of consumers don’t have adequate patient data access, according to a survey conducted by Propeller Insights on behalf of Carta Healthcare, which was obtained via email. The survey of a little more than 1,000 United States patients showed that patients have a strong interest in their own medical records and prioritize providers that offer greater patient data access."
- Propeller Insights is a market research company.
- Carta Healthcare is a healthcare data analytics company.
Hacking Accounted For Nearly 80% of Healthcare Data Breaches Last Year
Health IT Security (January 23, 2023)
"Nearly 80 percent of healthcare data breaches reported to the HHS Office for Civil Rights (OCR) in 2022 were attributed to hacking and IT incidents, Fortified Health Security noted in its '2023 Horizon Report,' signifying a 45 percent increase from just five years ago. What’s more, 70 percent of reported breaches (impacting more than 500 individuals each) affected healthcare providers, with business associates and health plans making up a much smaller portion of the total number of impacted entities. In total, 51.4 million healthcare records were breached in 2022, compared to 49.4 million in 2021."
- Fortified Health Security is a cybersecurity company that focuses on protecting patient data.
This edition’s guest comment comes from Ofer Mendelevitch, Co-Founder & Chief Technology Officer of Syntegra and specialist in creating high-fidelity, high-privacy synthetic healthcare data. Ofer reflects on the privacy implications of synthetic data and how generative AI is applied to achieve these improvements in privacy. Datavant recently announced a partnership with Syntegra.
Privacy protection technology has historically focused on methods to redact or transform real data in order to mitigate privacy risks. Synthetic data offers a new approach: use generative AI to create artificial data that closely resembles a real dataset in both format and statistical properties, creating a dataset that provides the same information with orders of magnitude lower disclosure risk than typical de-identification. This novel use of generative AI can break the traditional tradeoff between data utility and privacy, enabling broader data use, reduced friction / governance, and even access to new datasets.
De-identified datasets have a one-to-one relationship between records in the dataset and real people, resulting in some residual risk of triangulation and other inference attacks that may compromise patient privacy. Synthetic healthcare data breaks this relationship by learning the clinical patterns from the entire real dataset, and then using those learned relationships to generate any number of synthetic patient records that maintain the statistical patterns in the real data, yet cannot be mapped to real individuals, resulting in powerful privacy protection. This leads to strikingly low disclosure risks for advanced synthetic data generation models, which can be verified by privacy experts.
Healthcare leaders and innovators have long recognized the need for a strong foundation in data, as well as the high friction in current approaches to accessing and sharing such data, which makes them expensive and slow and leaves residual risks. Synthetic data offers a new path forward – one with better privacy and easier access.
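As an added illustration (not code from Syntegra or from the commentary above), the following Python sketch runs the two checks a privacy reviewer would apply to the two release types described: in a constructed de-identified release every row is one real person, so rows with a unique quasi-identifier combination are the triangulation exposure; synthetic rows are drawn from a fitted model, so a row need not correspond to any real person while the clinical pattern P(diagnosis | age band) is preserved. The patient records and the deliberately simple marginals-plus-conditional model standing in for a generative AI model are constructed for this example.

```python
import random
from collections import Counter, defaultdict

# Constructed de-identified release (not real patients), one row per person: QIs (age_band, sex, zip3), sensitive diagnosis.
REAL = [
    ("30-39", "F", "981", "asthma"), ("30-39", "F", "981", "asthma"), ("30-39", "M", "982", "asthma"),
    ("40-49", "M", "981", "hypertension"), ("40-49", "F", "983", "hypertension"),
    ("40-49", "M", "981", "diabetes"), ("60-69", "F", "982", "hypertension"),
    ("60-69", "M", "983", "hypertension"), ("60-69", "F", "982", "diabetes"),
    ("60-69", "M", "981", "hypertension"),
]

def unique_qi_rate(records):
    """Share of rows with a unique quasi-identifier combination (k=1); each such row is one real person."""
    k = Counter(r[:3] for r in records)
    return sum(k[r[:3]] == 1 for r in records) / len(records)

def fit(records):
    """Toy generative model: per-QI marginals plus P(diagnosis | age_band). A real model also learns the QI joint."""
    marginals = [Counter(r[i] for r in records) for i in range(3)]
    dx_given_age = defaultdict(Counter)
    for age, _, _, dx in records:
        dx_given_age[age][dx] += 1
    return marginals, dx_given_age

def generate(model, n, rng):
    """Draw n rows from the learned distributions; no row is tied to a particular person."""
    marginals, dx_given_age = model
    rows = []
    for _ in range(n):
        qi = tuple(rng.choices(list(m), weights=list(m.values()))[0] for m in marginals)
        dx_counts = dx_given_age[qi[0]]
        rows.append(qi + (rng.choices(list(dx_counts), weights=list(dx_counts.values()))[0],))
    return rows

def novel_qi_rate(synthetic, real):
    """Share of synthetic rows whose quasi-identifier combination matches no real person."""
    seen = {r[:3] for r in real}
    return sum(r[:3] not in seen for r in synthetic) / len(synthetic)

def max_conditional_gap(real, synthetic):
    """Utility check: largest absolute gap in P(diagnosis | age_band), real vs synthetic."""
    def cond(records):
        return {a: {dx: c / sum(cnt.values()) for dx, c in cnt.items()} for a, cnt in fit(records)[1].items()}
    pr, ps = cond(real), cond(synthetic)
    return max(abs(pr[a][dx] - ps.get(a, {}).get(dx, 0.0)) for a in pr for dx in pr[a])

def run_checks(n=5000, seed=7):  # seeded end-to-end run; returns the three metrics
    syn = generate(fit(REAL), n, random.Random(seed))
    return unique_qi_rate(REAL), novel_qi_rate(syn, REAL), max_conditional_gap(REAL, syn)
```

Uniqueness and exact-match counts are only a first screen: with categorical fields that take few values, synthetic rows coincide with real ones by chance, which is why production assessments compare distance-to-closest-record against a held-out baseline rather than relying on match counts alone.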
The following are a select few of the various state privacy bills recently introduced.
- Background: This Indiana State consumer data protection bill, which would allow [Indiana consumers] to find out what data companies are keeping and ask said companies to delete their data or not use it for purposes like targeted advertising, passed unanimously in the Senate in February 2022. However, it failed to pass the House of Representatives a month later.
- Latest Developments:
Indiana state senators make data privacy bill a top priority
CBS4 (January 20, 2023)
"State Sen. Liz Brown (R-Fort Wayne) has reintroduced a bill that would allow [Indiana consumers] to find out from companies what data they’re collecting and how it’s being used. [They] would also have the right to ask companies to delete their information or not use it for certain purposes."
Biometric Data Privacy Laws:
Maryland's HB 33: Commercial Law – Consumer Protection – Biometric Data Privacy, Mississippi's HB 467: Biometric Identifiers Privacy Act, and New York Assembly Bill 1362: the Biometric Privacy Act
- Maryland's HB 33 would require private entities that hold biometric data to develop and publish policies establishing a retention schedule and data destruction guidelines within certain timeframes. The policy requirements do not apply to businesses that use biometrics only from employees or only for internal operations.
- Mississippi's HB 467 would require private organizations to develop and publish policies for the biometric data they hold, including a retention schedule and data destruction policy. It would also require written consent from biometric data subjects. Employee biometrics can be collected, but with restrictions, such as on the retention of data that could be used to track them.
- New York's AB 1362 would establish the Biometric Privacy Act. It would require private entities in possession of biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying that data once the initial purpose for collecting or obtaining it has been satisfied, or within three years of the individual's last interaction with the private entity, whichever occurs first.
- Latest Developments:
- Maryland and Mississippi lawmakers consider biometric data protection bills
Biometric Update (January 16, 2023)
"Maryland’s state legislature has introduced a biometric data privacy act, in one of several moves at the state level towards increasing data privacy regulation. . . [while] Mississippi State Legislature has introduced the Biometric Identifiers Privacy Act to regulate the collection and use of biometrics by private sector entities."
- US state privacy developments: Connecticut, Mississippi, New York and more
IAPP (January 20, 2022)
"New York Assembly Bill 1362, the Biometric Privacy Act, was introduced and referred to the Committee on Consumer Affairs and Protection."
- Background: This bill aims to protect the privacy of transgender youth in California by requiring the courts to seal any petition for a change of gender or sex identifier filed by a minor.
- Latest Developments:
CA bill aims to protect transgender youths' privacy
The Bay Area Reporter (January 11, 2023)
"Legislation [was] introduced this week by gay Assemblymember Chris Ward (D-San Diego). . . Ward announced January 10 that he had filed Assembly Bill 223, which has been titled the Transgender Youth Privacy Act."
Food for Thought
The Value of Synthetic Data in Healthcare
Datavant (January 18, 2023)
Article by Jonah Leshin and Quinn Johns
"Over the past several years, advances in machine learning have given rise to new privacy-enhancing technologies for healthcare that have the capacity to. . . [enable] increased data utility without compromising privacy. Synthetic data has the potential to be a critical technology in this space, as it enables representative patient data with inherent privacy protection. Moreover, best practice synthetic data generation processes provide the user with privacy controls that are configurable and quantifiable. Core, decades-old risk assessment principles provide necessary context for evaluating synthetic data. The application of these principles to synthetic data forms a privacy framework that makes possible a range of previously unattainable use cases."
- Jonah Leshin, Ph.D., is the Head of Privacy Research at Privacy Hub by Datavant.
- Quinn Johns leads Emerging Privacy Solutions at Datavant.
Managing Privacy Risks to Advance Health Equity through Dissemination of Disaggregated Data
Network for Public Health Law (January 10, 2023)
Article by Stephen Murphy
"Dissemination of data disaggregated by race and ethnicity is an important step in advancing health equity. However, the public dissemination of datasets that include race and ethnicity raises important legal considerations around privacy, primarily around re-identification. Re-identification refers to the ability to use data from a de-identified dataset to identify individuals. Modifications to the released data can reduce re-identification risks while maximizing the data’s utility."
- Stephen Murphy is a Senior Attorney at Network for Public Health Law.
- Daniel Barth-Jones, M.P.H., Ph.D., who contributed his expertise to this article, is a Principal Privacy Expert at Privacy Hub by Datavant.
Benefits of HIPAA for Healthcare Organizations
HIPAA Journal (January 12, 2023)
Editorial by Steve Alder
"HIPAA has been criticized for having too many requirements and also not enough in certain areas, and for being too inflexible and difficult to interpret, and challenging to comply with. Despite the challenges of compliance and the gaps in HIPAA, the legislation has provided many benefits for healthcare organizations, healthcare professionals, patients, and health plan members. The legislation is far from perfect and HIPAA is in desperate need of updating – new HIPAA regulations will soon be introduced – but in its current form, the benefits of this important legislative act far outweigh any disadvantages."
- Steve Alder is the Editor-in-Chief of HIPAA Journal.
Best of the Rest
Decoding Digital Health: Trans-Atlantic Transfers of Health Data
Ropes & Gray (January 12, 2023)
"The Ropes & Gray Decoding Digital Health podcast series discusses the digital health industry and related legal, business and regulatory issues. In this episode, Digital Health Initiative co-lead and health care partner, Christine Moundas, interviews health care partner and member of the digital health group, David Peloquin. They discuss the legal challenges and potential solutions that health care and life sciences companies face when transferring health data from Europe to the U.S."
- David Peloquin is a Partner in the health care group at Ropes & Gray. He holds a J.D. from Yale Law School.
Disaggregation of Public Health Data by Race & Ethnicity: A Legal Handbook
Network for Public Health Law (December 14, 2022)
"Detailed race and ethnicity data in public health is needed to adequately identify, assess, and address health inequities and structural racism, yet this type of data is often not utilized because of misunderstandings around the legality of collecting and sharing it. To assist public health practitioners and attorneys across state, Tribal, and local governments in the use of data to advance health equity, the Network has produced a legal handbook that addresses the role of law in collecting and disseminating public health data disaggregated by race and ethnicity."
- Disaggregated data has been gathered from multiple sources; compiled into aggregate data—i.e., summaries of data—typically for the purposes of public reporting or statistical analysis; and then broken down into more specific sub-categories.
- Daniel Barth-Jones, M.P.H., Ph.D., Principal Privacy Expert at Privacy Hub by Datavant, contributed his expertise to the making of this handbook.