Privacy Matters
Privacy Hub's fortnightly synthesis of the major news items
affecting and shaping health data privacy,
with expert analysis and commentary
To subscribe to our newsletter, click here.
The last few weeks in a flash:
- Reproductive health data privacy takes center stage in the legislative conversation as both Senators and the Biden administration make moves to bolster HIPAA protections for patients seeking reproductive healthcare.
- GoodRx is hit with a proposed class action lawsuit over allegations of improper health data sharing practices.
- Several U.S. state legislatures make progress toward passing various forms of consumer privacy legislation.
Leading Stories
Senators Introduce Bill to Bolster HIPAA Protections For Patients Seeking Reproductive Healthcare
Health IT Security (February 16, 2023)
"US Senators Michael Bennet (D-CO) and Mazie Hirono (D-HI) introduced the Secure Access for Essential Reproductive (SAFER) Health Act, which offers strengthened HIPAA protections that would prohibit providers from disclosing patient information relating to abortion or pregnancy loss without patient consent. The SAFER Health Act is the Senators’ response to the Supreme Court’s Dobbs decision, which took away the constitutional right to abortion in the US." Keep reading
- The SAFER Health Act would strengthen HIPAA through a provision modeled after NIH’s Certificates of Confidentiality in the Public Health Service Act.
- In summary, the bill would prohibit HIPAA-covered entities and their business associates from disclosing personal health information related to pregnancy termination or loss in legal proceedings without a valid authorization from the patient. It would apply to such medical information being sought in federal, State, local, or Tribal court cases and investigations.
GoodRx Faces Lawsuit Over Alleged Improper Health Data Sharing Practices
Health IT Security (February 9, 2023)
"GoodRx, along with Meta, Google, and online advertising company Criteo, were hit with a proposed class action lawsuit containing allegations of improper health data sharing practices. GoodRx previously agreed to pay a $1.5 million civil penalty for an alleged violation of the Health Breach Notification Rule. The penalty marked the first time that the Federal Trade Commission (FTC) had taken enforcement action under the Rule." Keep reading
- GoodRx provides drug price comparison, prescription drug discounts, telehealth visits, and other digital health services.
- Healthcare Dive reports that compliance experts expect this FTC enforcement action against GoodRx to be the first of many against companies trafficking in users' sensitive medical data.
OCR: HIPAA-Regulated Entities Need to Continue to Improve HIPAA Security Rule Compliance
HIPAA Journal (February 20, 2023)
"The Department of Health and Human Services’ Office for Civil Rights (OCR) has publicly released two reports that were submitted to Congress that provide insights into data breaches, HIPAA enforcement activity, and the state of HIPAA Privacy and Security Rule compliance for calendar year 2021." Keep reading
Abortion Bans Spur Biden Push to Bolster Patient Privacy Rights
Bloomberg Law (February 15, 2023)
"The Biden administration is working on a proposal to better protect the privacy of patients seeking reproductive health care, a move that follows concerns from providers struggling to offer services amid state abortion restrictions. The Proposed Modifications to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy by the Department of Health and Human Services Office for Civil Rights comes amid abortion bans in at least 24 states, and follows 2022 agency guidance for health providers to protect patient records when law enforcement requests them." Keep reading
Now for sale: Data on your mental health
The Washington Post (February 13, 2023)
"Capitalizing on the pandemic explosion in telehealth and therapy apps that collect details of your mental health needs, data brokers are packaging that information for resale, a new study finds. There’s no law stopping them." Keep reading
Biden calls for action on privacy rights in State of the Union
Cyberscoop (February 7, 2023)
"President Biden called for stronger limits on the data collected by large tech companies in his State of the Union address Tuesday night, repeating a message from last year’s address about the need to strengthen privacy rights. . . Biden called on Congress to 'pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us.'" Keep reading
Experts Expound
Douglas Fridsma, Chief Medical Informatics Officer at Datavant, reflects on how the advent of electronic health records and privacy-preserving record linkage changed the health data landscape, marking the beginning of a “learning health system" along with its privacy challenges and respective privacy-preserving solutions.
When I was the Chief Science Officer at the Office of the National Coordinator for Health IT, we had a grand vision for health and health care: By moving patient information from paper records to EHRs, we could use the power of data analytics to enhance health and health care. Having electronic health data meant every patient encounter with the health care system could be used to learn from and enhance the next patient’s care. Adopting electronic health records was the first step in creating the “Learning Health System,” but, at the time, we did not have the tools and technology to support patient privacy in a learning health care system.
Fast forward 12 years, and we now have new technologies that may, for the first time, make the learning health system a reality. The ability to preserve a patient’s privacy while linking records together longitudinally has made it possible to understand a patient’s journey through the health care system and learn patterns that can identify patients at risk for hospitalization or a poor outcome. But with these new possibilities come additional risks. Genetic information, new kinds of data for social determinants of health, and consumer-generated data from apps have made it possible to gain tremendous insight into health behaviors. And new consumer-focused apps mean that health data no longer resides only in health care organizations.
These three issues – complex data, health data in non-health organizations, and the market and public perception of privacy-preserving solutions – create unique challenges. First, as complex data becomes more common, simple solutions to privacy like the HIPAA safe harbor provisions may be inadequate to protect patient information. The use of expert determination to assess the statistical risk of re-identification will be essential as more complex data is used within the learning health system.
Second, it is often assumed that privacy preservation is a one-size-fits-all solution, but that is rarely the case. Tokenization for record linkage, data enclaves to restrict access and downloads, and synthetic data that maintains data associations and relationships are all examples of technologies that can work in harmony to create user-specific privacy protections. There are significant differences between approaches that can scale to support broad and niche needs, and cases in which one approach may be better than another. These approaches are not—and should not be—in conflict; they need to be harmonized and used in the right situations.
Third, as data moves out of traditional health care organizations, privacy regulations that are fragmented across health care organizations, consumer apps, research investigators, and education present unique risks for patients. This is a problem that will be difficult to fix in a regulatory update but will require comprehensive privacy legislation to create more uniform treatment of sensitive health information.
We have made great strides toward creating a learning health system through electronic health records, novel consumer data sources, and a range of privacy-enhancing technologies such as privacy-preserving record linkage, enclaves, and synthetic data. Even with all of these advances, we must always ensure that patient privacy is protected. This will require using all of our privacy-preserving techniques – applying sophisticated statistical analysis of datasets to assess re-identification risk, using privacy-enhancing technologies that minimize individual patient risk while maximizing societal benefit, and advocating for comprehensive legislation to ensure that patients' data, as part of our learning health system, is kept private and safe.
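As an added illustration of the tokenization-for-record-linkage approach mentioned in the commentary above (example code written for this page, not Datavant's or the author's own implementation; production PPRL systems also add fuzzy matching, which exact-match tokens like these do not provide): two data holders normalize name and date of birth, compute an HMAC-SHA256 token under a shared linkage key, and join on the token so that raw identifiers never cross the organizational boundary. The sample records, the key value `LINKAGE_KEY`, and the attacker's guess lists are constructed for the example. The second half shows why the key matters: names and birth dates are low-entropy, so an unkeyed hash falls to a dictionary attack, while the keyed token does not without the key.

```python
"""Keyed tokenization for privacy-preserving record linkage (illustrative)."""
import hashlib
import hmac
import re
import unicodedata
from datetime import date
from itertools import product

# Hypothetical linkage key shared out of band by the two data holders (an
# assumption for this example). In practice the key lives in a key-management
# service, is specific to one linkage project, and is never given to the
# analyst who receives the linked dataset.
LINKAGE_KEY = b"example-linkage-key-do-not-use"

# Constructed sample records: a hospital extract (A) and a pharmacy extract (B)
# holding the same person with cosmetically different identifiers.
SOURCE_A = [
    {"id": "A-1", "first": "José", "last": "García", "dob": "1984-07-09"},
    {"id": "A-2", "first": "Maria", "last": "Lopez", "dob": "1983-01-15"},
]
SOURCE_B = [
    {"id": "B-7", "first": "jose", "last": "GARCIA", "dob": "07/09/1984"},
    {"id": "B-8", "first": "Ana", "last": "Lopez", "dob": "1990-05-02"},
]


def normalize(first: str, last: str, dob: str) -> str:
    """Canonicalize identifiers so that case, accents, punctuation and date
    format differences between sources do not break an exact-match token."""
    def clean(s: str) -> str:
        ascii_only = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
        return re.sub(r"[^a-z]", "", ascii_only.lower())
    m = re.fullmatch(r"(\d{1,2})/(\d{1,2})/(\d{4})", dob.strip())  # MM/DD/YYYY
    iso = (date(int(m.group(3)), int(m.group(1)), int(m.group(2))) if m
           else date.fromisoformat(dob.strip())).isoformat()
    return f"{clean(first)}|{clean(last)}|{iso}"


def token(first: str, last: str, dob: str, key: bytes = LINKAGE_KEY) -> str:
    """Linkage token: HMAC-SHA256 over the normalized identifiers. Without the
    key, a token cannot be recomputed from guessed identifiers."""
    return hmac.new(key, normalize(first, last, dob).encode(), hashlib.sha256).hexdigest()


def naive_token(first: str, last: str, dob: str) -> str:
    """Unkeyed SHA-256 of the same string: the weak design the attack below breaks."""
    return hashlib.sha256(normalize(first, last, dob).encode()).hexdigest()


def link(records_a, records_b, tokenizer=token):
    """Join two extracts on token alone (no raw identifiers cross the boundary).
    Returns the list of (id_a, id_b) pairs that share a token."""
    index = {}
    for rec in records_a:
        index.setdefault(tokenizer(rec["first"], rec["last"], rec["dob"]), []).append(rec["id"])
    return [(id_a, rec["id"])
            for rec in records_b
            for id_a in index.get(tokenizer(rec["first"], rec["last"], rec["dob"]), [])]


def dictionary_attack(target, first_names, last_names, years, tokenizer):
    """Try to invert a token by enumerating plausible identifiers; names and
    birth dates are low-entropy, so this is feasible against an unkeyed hash."""
    for f, l, y in product(first_names, last_names, years):
        for month in range(1, 13):
            for day in range(1, 29):
                dob = f"{y:04d}-{month:02d}-{day:02d}"
                if tokenizer(f, l, dob) == target:
                    return (f, l, dob)
    return None


def demo():
    """Run the linkage and both attack scenarios; returns a summary dict."""
    guesses = (["maria", "jose"], ["garcia", "lopez"], [1983, 1984])
    attacker_key = b"attacker-does-not-have-the-real-key"
    return {
        "linked": link(SOURCE_A, SOURCE_B),
        "unkeyed_recovered": dictionary_attack(
            naive_token("Jose", "Garcia", "1984-07-09"), *guesses, naive_token),
        "keyed_recovered": dictionary_attack(
            token("Jose", "Garcia", "1984-07-09"), *guesses,
            lambda f, l, d: token(f, l, d, key=attacker_key)),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the second half. Whoever holds the linkage key can rebuild the dictionary, so key custody is the control that makes tokens pseudonymous rather than trivially reversible: the party that receives the linked dataset must not also hold the key. And even keyed tokens only remove direct identifiers; the quasi-identifiers left in the linked records (dates of service, ZIP code, rare diagnoses) still carry re-identification risk, which is why the statistical expert determination the commentary calls for applies to the linked output as much as to the raw inputs.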
Government Watcher
California Consumer Privacy Act
- Background: The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill, which established a foundation for consumer privacy regulations, was passed by the California State Legislature and signed into law in 2018. In November 2020, California voters passed Proposition 24, also known as the California Privacy Rights Act, which amends and expands the CCPA.
- Latest Developments:
CPPA Invites Preliminary Comments on Proposed CPRA Rulemaking on Cybersecurity Audits, Risk Assessments and Automated Decisionmaking
Hunton Andrews Kurth (February 13, 2023)
"On February 10, 2023, the California Privacy Protection Agency ('CPPA') issued an Invitation for Preliminary Comments on Proposed Rulemaking on cybersecurity audits, risk assessments and automated decisionmaking, topics that have not yet been addressed by the existing final draft CPRA Regulations." Keep reading
Illinois Biometric Information Privacy Act
- Background: On October 3, 2008, Illinois enacted the Biometric Information Privacy Act to regulate the collection, use, and handling of biometric identifiers and information by private entities. Notably, the Act does not apply to government entities. Also known as BIPA, the first-of-its-kind law has, since 2008, made Illinois the only state that grants a private right of action to sue over the improper collection and mishandling of biometric data.
- Latest Developments:
Illinois Supreme Court Clarifies Statute of Limitations for Illinois Biometric Privacy Act Claims: Five Years
Sidley (February 10, 2023)
"Last week, the Illinois Supreme Court held that a five-year statute of limitations applies to all claims under the Illinois Biometric Privacy Act (BIPA), further expanding the already broad scope and application of the Illinois statute." Keep reading
The Federal Trade Commission's Mobile Health App Interactive Tool
- Background & Latest Development:
New FTC Guidance for Mobile Health Apps
Sidley (February 7, 2023)
"Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction." Keep reading
Other Consumer Privacy Legislation
- Background: Illinois's HB 3910 (the state's Consumer Privacy Act), Indiana's SB 5 (which proposes to amend state law governing trade regulation to set data protection requirements for private entities controlling personal data), New York's A01362 a.k.a. Senate Bill 04457 (which focuses on biometric data privacy), Virginia's SB 1087 (which would establish requirements for medical testing companies to safeguard genetic data), and Texas's HB 1844 (which would establish a comprehensive framework for controlling and processing the personal data of Texas residents) are all different kinds of consumer privacy bills.
- Latest Developments:
- Multiple US states advance privacy legislation; Illinois House fails to pass Consumer Privacy Act
IAPP (February 10, 2023)
"Several U.S. state legislatures made progress toward passing various forms of consumer privacy legislation in the past week, while another state-level consumer privacy bill failed to garner support in Illinois." Keep reading
- Texas State Representative Introduces Comprehensive State Privacy Bill Draft
Hunton Andrews Kurth (February 9, 2023)
"On February 6, 2023, Texas State Representative Giovanni Capriglione submitted H.B. 1844, a comprehensive privacy bill modeled after the Virginia Consumer Data Protection Act ('VCDPA'). The bill could make Texas the sixth U.S. state to enact major privacy legislation." Keep reading
Food for Thought
HIPAA and Cookies: A Potentially Dangerous Combination
Procopio (February 7, 2023)
Article by Rachel C. Edwards and Julian J.G. Lean
"Websites using data tracking and collection software risk potentially serious consequences under the Health Insurance Portability and Accountability Act of 1996, commonly referred to as 'HIPAA.' In a Bulletin issued December 2022, the U.S. Department of Health and Human Services (HHS) cautioned against the use of cookies, and other data-collection software, that may result in unintended violations of HIPAA. It is anticipated that the HHS Bulletin will apply to a wide array of healthcare and non-healthcare entities (including entities considered either a 'Business Associate' or 'Covered Entity' under HIPAA). This alert is intended to ensure that all entities consider the potential impact of cookies and other tracking technologies when designing websites that interact with patients and drafting privacy and security policies." Keep reading
- Rachel C. Edwards and Julian J.G. Lean are Associates focusing on corporate law and healthcare, respectively, at Procopio.
A healthy dose of consent: Takeaways from the FTC’s GoodRx case
IAPP (February 8, 2023)
"In what the U.S. Federal Trade Commission calls a 'first-of-its-kind' enforcement action, the FTC filed a proposed order against GoodRx, a U.S. health care company, for violating the Health Breach Notification Rule and the FTC Act. The proposed order prohibits GoodRx from disclosing user health data for advertising purposes and requires payment of a $1.5 million civil penalty, 0.2% of the company's 2021 gross global revenue. This case signals an increase in the FTC's use of its unfairness authority in privacy cases, with some important takeaways for privacy programs that handle health-related data. It also asserts a novel application of the HBNR against digital health services, which often fall outside the scope of the Health Insurance Portability and Accountability Act." Keep reading
Best of the Rest
WHITE PAPER:
Maintaining Consumer Trust in Health Care Through Data Privacy and Secure Patient Access to Health Information
Sirona Strategies (February 15, 2023)
"[Fourteen] leading associations and non-profits representing patients and consumers, clinicians, hospitals, health insurers, and technology companies released a series of recommendations to advance data privacy and ensure patient access to health information while maintaining consumer trust in health care." Keep reading
EVENT:
Energy and Commerce Leaders Announce Hearing on Enhancing Privacy Protections for Americans
House Energy and Commerce Committee (February 22, 2023)
"Today, House Energy and Commerce Committee Chair Cathy Rodgers (R-WA), Committee Ranking Member Frank Pallone, Jr. (D-NJ), Innovation, Data, and Commerce Subcommittee Chair Gus Bilirakis (R-FL), and Subcommittee Ranking Member Jan Schakowsky (D-IL) announced the Innovation, Data, and Commerce Subcommittee will hold a hearing titled 'Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy.'" Keep reading
- WHAT: A hearing to discuss enhancing Americans’ privacy and data security protections, strengthening online safety, and boosting American innovation.
- DATE & TIME: Wednesday, March 1, 2023 at 8:30 am ET
- LOCATION: 2123 Rayburn House Office Building
Reach us at privacymatters.privacyhub@datavant.com