Privacy Hub's fortnightly synthesis of the major news items affecting and shaping health data privacy, with expert analysis and commentary
The last few weeks in a flash:
Senators Introduce Bill to Bolster HIPAA Protections For Patients Seeking Reproductive Healthcare
Health IT Security (February 16, 2023)
"US Senators Michael Bennet (D-CO) and Mazie Hirono (D-HI) introduced the Secure Access for Essential Reproductive (SAFER) Health Act, which offers strengthened HIPAA protections that would prohibit providers from disclosing patient information relating to abortion or pregnancy loss without patient consent. The SAFER Health Act is the Senators’ response to the Supreme Court’s Dobbs decision, which took away the constitutional right to abortion in the US."
GoodRx Faces Lawsuit Over Alleged Improper Health Data Sharing Practices
Health IT Security (February 9, 2023)
"GoodRx, along with Meta, Google, and online advertising company Criteo, was hit with a proposed class action lawsuit containing allegations of improper health data sharing practices. GoodRx previously agreed to pay a $1.5 million civil penalty for an alleged violation of the Health Breach Notification Rule. The penalty marked the first time that the Federal Trade Commission (FTC) had taken enforcement action under the Rule."
OCR: HIPAA-Regulated Entities Need to Continue to Improve HIPAA Security Rule Compliance
HIPAA Journal (February 20, 2023)
"The Department of Health and Human Services’ Office for Civil Rights (OCR) has publicly released two reports that were submitted to Congress that provide insights into data breaches, HIPAA enforcement activity, and the state of HIPAA Privacy and Security Rule compliance for calendar year 2021."
Abortion Bans Spur Biden Push to Bolster Patient Privacy Rights
Bloomberg Law (February 15, 2023)
"The Biden administration is working on a proposal to better protect the privacy of patients seeking reproductive health care, a move that follows concerns from providers struggling to offer services amid state abortion restrictions. The Proposed Modifications to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy by the Department of Health and Human Services Office for Civil Rights comes amid abortion bans in at least 24 states, and follows 2022 agency guidance for health providers to protect patient records when law enforcement requests them."
Now for sale: Data on your mental health
The Washington Post (February 13, 2023)
"Capitalizing on the pandemic explosion in telehealth and therapy apps that collect details of your mental health needs, data brokers are packaging that information for resale, a new study finds. There’s no law stopping them."
Biden calls for action on privacy rights in State of the Union
Cyberscoop (February 7, 2023)
"President Biden called for stronger limits on the data collected by large tech companies in his State of the Union address Tuesday night, repeating a message from last year’s address about the need to strengthen privacy rights. . . Biden called on Congress to 'pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us.'"
When I was the Chief Science Officer at the Office of the National Coordinator for Health IT, we had a grand vision for health and health care: by moving patient information from paper records to EHRs, we could use the power of data analytics to enhance health and health care. Having electronic health data meant that every patient encounter with the health care system could be used to learn from and to improve the next patient’s care. Adopting electronic health records was the first step in creating the “Learning Health System,” but at the time we did not have the tools and technology to protect patient privacy in a learning health care system.
Fast forward 12 years, and we now have new technologies that may, for the first time, make the learning health system a reality. The ability to preserve a patient’s privacy while linking records together longitudinally has made it possible to understand a patient’s journey through the health care system and to learn patterns that identify patients at risk of hospitalization or a poor outcome. But with these new possibilities come additional risks. Genetic information, new kinds of data on social determinants of health, and consumer-generated data from apps have made it possible to gain tremendous insight into health behaviors. And new consumer-focused apps mean that health data no longer resides only in health care organizations.
Three issues create unique challenges: complex data, the market and public perception of privacy-preserving solutions, and health data held by non-health organizations. First, as complex data becomes more common, simple rule-based approaches like the HIPAA Safe Harbor de-identification method (removal of a fixed list of identifiers) may be inadequate to protect patient information, because a record stripped of direct identifiers can still be unique on the attributes that remain. Expert determination, which assesses the statistical risk that a record can be re-identified, will be essential as more complex data is used within the learning health system.
Second, it is often assumed that privacy preservation is a one-size-fits-all solution, but that is rarely the case. Tokenization for record linkage, data enclaves that restrict access and downloads, and synthetic data that preserves the associations and relationships in the real data are all examples of technologies that can work in harmony to create protections tailored to a specific use. There are significant differences between approaches that scale to broad needs and those suited to niche ones, and cases in which one approach is clearly better than another. These approaches are not, and should not be, in conflict; they need to be harmonized and used in the right situations.
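The two techniques named in the last two paragraphs, keyed tokenization for record linkage and a statistical look at re-identification risk, are easier to reason about with a concrete run. The script below is an added illustration, not code from the column or from any product it mentions. It assumes a hypothetical linkage key held by an honest broker (a constant here, never hard-coded in practice), uses constructed rows for fictional people, and links on an exact match after normalization; production privacy-preserving record linkage also tolerates typos via Bloom-filter or phonetic encodings, which this omits.

```python
import hashlib
import hmac
import re
import unicodedata
from collections import Counter

# Hypothetical linkage key (an assumption for this example). In a real deployment
# it is generated and held by a trusted third party ("honest broker"); the data
# holders that contribute records never see each other's identifiers.
LINKAGE_KEY = b"example-key-held-by-honest-broker"


def normalize(value: str) -> str:
    """Canonicalize an identifier so spelling variants produce the same token:
    strip accents, lowercase, drop punctuation and whitespace."""
    ascii_form = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_form.lower())


def link_token(first: str, last: str, dob: str, key: bytes = LINKAGE_KEY) -> str:
    """Keyed hash (HMAC-SHA256) over the normalized identifiers.

    A plain unkeyed hash could be inverted by enumerating plausible
    name/DOB combinations; the secret key is what makes the token
    non-invertible for anyone who does not hold it.
    """
    material = "|".join(normalize(x) for x in (first, last, dob)).encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def tokenize(records: list, keep_fields: list) -> list:
    """Replace direct identifiers with the linkage token; keep only payload fields."""
    return [
        {"token": link_token(r["first"], r["last"], r["dob"]),
         **{f: r[f] for f in keep_fields}}
        for r in records
    ]


def link(left: list, right: list) -> list:
    """Inner join on token; only tokenized payload crosses the organizational boundary."""
    by_token = {r["token"]: r for r in right}
    return [{**row, **by_token[row["token"]]} for row in left if row["token"] in by_token]


def equivalence_classes(records: list, quasi_ids: list) -> Counter:
    """Group records by quasi-identifier values, the view an expert determination takes."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records: list, quasi_ids: list) -> int:
    """Size of the smallest equivalence class. k == 1 means at least one record
    is unique on these fields and is a re-identification candidate."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


# Constructed sample rows (fictional people). Note the accent, case and punctuation
# differences between the two sources, which normalize() must absorb for the link to hold.
HOSPITAL = [
    {"first": "José", "last": "Álvarez", "dob": "1958-03-09",
     "zip3": "802", "sex": "M", "age_band": "60-69", "dx": "E11"},
    {"first": "Mary", "last": "O'Brien", "dob": "1971-11-23",
     "zip3": "802", "sex": "F", "age_band": "50-59", "dx": "I10"},
    {"first": "Lin", "last": "Chen", "dob": "1990-06-30",
     "zip3": "968", "sex": "F", "age_band": "30-39", "dx": "F32"},
]
PHARMACY = [
    {"first": "jose", "last": "Alvarez", "dob": "1958-03-09", "drug": "metformin"},
    {"first": "MARY", "last": "OBRIEN", "dob": "1971-11-23", "drug": "lisinopril"},
    {"first": "Sam", "last": "Patel", "dob": "1983-01-15", "drug": "sertraline"},
]


def run_demo() -> tuple:
    """Link the two tokenized sources, then measure re-identification risk on the result."""
    linked = link(tokenize(HOSPITAL, ["zip3", "sex", "age_band", "dx"]),
                  tokenize(PHARMACY, ["drug"]))
    k_full = k_anonymity(linked, ["zip3", "sex", "age_band"])  # every linked row is unique
    k_coarse = k_anonymity(linked, ["zip3"])                   # after dropping sex and age band
    return linked, k_full, k_coarse


if __name__ == "__main__":
    rows, k_full, k_coarse = run_demo()
    for row in rows:
        print(row["token"][:12], row["dx"], row["drug"])
    print(f"k on (zip3, sex, age_band) = {k_full}; k on zip3 alone = {k_coarse}")
```

Two points worth noticing when running it. The hospital and pharmacy each hand over only a token plus their payload, so neither side, nor the analyst joining them, sees the other's names or birth dates, yet the longitudinal join still works. And the joined rows pass Safe Harbor in spirit (no names, no full dates, only 3-digit ZIP) while being k = 1 on three remaining attributes, which is exactly the gap an expert determination measures before deciding how much generalization the release needs.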
Third, as data moves out of traditional health care organizations, privacy regulation that is fragmented across health care organizations, consumer apps, research investigators, and education presents unique risks for patients. This is not a problem a regulatory update can fix; it will require comprehensive privacy legislation to create more uniform treatment of sensitive health information.
We have made great strides toward creating a learning health system through electronic health records, novel consumer data sources, and a range of privacy-enhancing technologies such as privacy-preserving record linkage, enclaves, and synthetic data. Even with all of these advances, we must always ensure that patient privacy is protected. This will require using all of our privacy-preserving techniques: sophisticated statistical analysis of datasets to assess re-identification risk, privacy-enhancing technologies that minimize individual patient risk while maximizing societal benefit, and advocacy for comprehensive legislation to ensure that patients’ data, as part of our learning health system, is kept private and safe.
California Consumer Privacy Act
Illinois Biometric Information Privacy Act
The Federal Trade Commission's Mobile Health App Interactive Tool
Other Consumer Privacy Legislation
HIPAA and Cookies: A Potentially Dangerous Combination
Procopio (February 7, 2023)
Article by Rachel C. Edwards and Julian J.G. Lean
"Websites using data tracking and collection software risk potentially serious consequences under the Health Insurance Portability and Accountability Act of 1996, commonly referred to as 'HIPAA.' In a Bulletin issued December 2022, the U.S. Department of Health and Human Services (HHS) cautioned against the use of cookies, and other data-collection software, that may result in unintended violations of HIPAA. It is anticipated that the HHS Bulletin will apply to a wide array of healthcare and non-healthcare entities (including entities considered either a 'Business Associate' or 'Covered Entity' under HIPAA). This alert is intended to ensure that all entities consider the potential impact of cookies and other tracking technologies when designing websites that interact with patients and drafting privacy and security policies."
A healthy dose of consent: Takeaways from the FTC’s GoodRx case
IAPP (February 8, 2023)
"In what the U.S. Federal Trade Commission calls a 'first-of-its-kind' enforcement action, the FTC filed a proposed order against GoodRx, a U.S. health care company, for violating the Health Breach Notification Rule and the FTC Act. The proposed order prohibits GoodRx from disclosing user health data for advertising purposes and requires payment of a $1.5 million civil penalty, 0.2% of the company's 2021 gross global revenue. This case signals an increase in the FTC's use of its unfairness authority in privacy cases, with some important takeaways for privacy programs that handle health-related data. It also asserts a novel application of the HBNR against digital health services, which often fall outside the scope of the Health Insurance Portability and Accountability Act."
WHITE PAPER:
Maintaining Consumer Trust in Health Care Through Data Privacy and Secure Patient Access to Health Information
Sirona Strategies (February 15, 2023)
"[Fourteen] leading associations and non-profits representing patients and consumers, clinicians, hospitals, health insurers, and technology companies released a series of recommendations to advance data privacy and ensure patient access to health information while maintaining consumer trust in health care."
EVENT:
Energy and Commerce Leaders Announce Hearing on Enhancing Privacy Protections for Americans
House Energy and Commerce Committee (February 22, 2023)
"Today, House Energy and Commerce Committee Chair Cathy Rodgers (R-WA), Committee Ranking Member Frank Pallone, Jr. (D-NJ), Innovation, Data, and Commerce Subcommittee Chair Gus Bilirakis (R-FL), and Subcommittee Ranking Member Jan Schakowsky (D-IL) announced the Innovation, Data, and Commerce Subcommittee will hold a hearing titled 'Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy.'"