Privacy Matters | Data breach compromises Congress members' health information, Vera Mucaj on the privacy implications of linking RWD to clinical trial data, & more

March 23, 2023

Privacy Matters

Privacy Hub's monthly synthesis of the major news items
affecting and shaping health data privacy,
with expert analysis and commentary



The last few weeks in a flash:

  • A data breach compromises health information of members of Congress
  • Comprehensive state privacy bills continue to advance, notably with SF 262 being approved by the Iowa legislature and now awaiting gubernatorial signature
  • On the heels of another major healthcare player's alleged inappropriate sharing of health data, the FTC requests increased budget to make health privacy a priority

Leading Stories

D.C. Data Breach That Included Members of Congress Affected More Than 56,000
The New York Times 
(March 10, 2023)
"The data of more than 56,000 people, including Social Security numbers and other personal information, was stolen in a hack of the online health insurance marketplace for members of Congress and Washington, D.C., small businesses and residents, officials said in a statement on Friday night. . . District of Columbia officials learned of the attack on the D.C. Health Link marketplace on Monday and 'immediately launched an investigation,' . . . [which] has found that 56,415 customers were affected, and the data stolen includes names, Social Security numbers, dates of birth, health plan information and other personal information, including home addresses, phone numbers, email addresses, ethnicity and citizenship status." Keep reading

Iowa House and Senate Unanimously Vote to Approve Comprehensive Privacy Legislation
Hunton Andrews Kurth (March 17, 2023)
"On March 6 and 15, 2023, both chambers of the Iowa Legislature unanimously voted to approve Senate File 262, which could make Iowa the sixth U.S. state to enact comprehensive privacy legislation. The bill is most similar to Utah’s comprehensive privacy law." Keep reading 

Cerebral admits sharing data of nearly 3.2M with third parties amid Senate inquiry
SC Media (March 10, 2023)
"One month after a group of senators launched an inquiry into Cerebral, the mental health subscription platform issued a breach notice to nearly 3.2 million patients that appears to confirm many of the data-sharing claims brought to light in the inquiry. The notice shows the unauthorized disclosure of patient health data began in 2019. Despite the large number of impacted patients, it’s only the second-largest healthcare data breach report so far this year. [Several Senators] accused Cerebral [alongside Monument and Workit] of routinely engaging in third-party data sharing for advertising purposes, without consent from patients and despite promises to users that the data they entered into the platform would remain confidential." Keep reading 

FTC says health privacy key priority in 2024 budget request
Healthcare Dive (March 15, 2023)
"The Federal Trade Commission called out health privacy as a main area of focus — and a reason why it needs more funds — in its 2024 budget request released on Tuesday. The agency has been increasingly aggressive in cracking down on companies trafficking consumers’ sensitive healthcare data, with recent enforcement actions against digital health companies GoodRx and BetterHelp, including multimillion-dollar settlements. [It] wants to further increase its scrutiny on healthcare by strengthening its ability to take on bigger and more complex cases, both to protect consumer privacy and crack down on anticompetitive consolidation in healthcare. . . The FTC’s proposal calls for a $160 million boost in funding for the 2024 fiscal year, which would increase its budget by 37% compared to 2023." Keep reading

Survey: Privacy protections boost consumers' willingness to share health data
Mobile Health News (March 7, 2023)
"A survey of more than 3,500 U.S. adults reveals consent, data transparency, data deletion and oversight may strengthen consumer trust and support socially valuable uses of digital health data." Keep reading 

  • The 2020 national survey included responses from 3,539 U.S. adults, with an oversampling of Black and Hispanic individuals. It analyzed respondents' willingness to share digital information across 192 scenarios. A conjoint analysis was published in JAMA Network Open. 


Experts Expound

As this edition's guest commentator, Vera Mucaj, Chief Scientific Officer at Datavant, delineates two important privacy considerations when linking real world data to clinical trial data.


Clinical trials (CTs), in particular those randomized and controlled, are the gold standard for evidence generation and regulatory decision-making [1], yet they have limitations, including a short duration and a limited number of endpoints [2]. They can become significantly more powerful when longitudinally connected to Real-World Data (RWD: medical claims, electronic health records, lab data, etc.) outside of the trial. Trial-RWD linkage expands what we can learn from a clinical study, like the long-term safety and efficacy of an intervention, well beyond a trial’s completion.

However, these linkages need to be conducted under strict privacy considerations. To protect trial participants (the volunteers that make trials possible) and the validity of the results, trials are conducted under strict ethical and operational considerations called Good Clinical Practice (GCP) [3]. GCP guidance ensures participants are informed of the risks and benefits of being in the trial, and that their privacy is protected [4]. On the other side of the equation, researchers should also ensure that RWD that is shared as de-identified, per the HIPAA Privacy Rule, continues to pose low risk of patient re-identification upon linkage to any other data. Thus, when connecting CT to RWD, the industry should have a high bar for privacy and ethics practices. Privacy best practices for CT + RWD linkage include:

1. Informed Consent: A CT+RWD dataset that has gone through the expert determination de-identification process could be considered Non-Human Subject Research, and the de-identified nature of this research is a form of privacy protection for trial participants. However, when possible, we encourage trial sponsors and researchers to incorporate information about these linkages as part of the informed consent process that a participant goes through for the trial. This gives participants the chance to opt in or out of CT+RWD linkage. Trial participants should be informed of the definition of RWD, of how CT+RWD can help improve medical research, and, most importantly, of the fact that these data would be connected in a privacy-preserving way. Studies have shown that patients are comfortable with their data shared for research, especially if the information is de-identified [5, 6].

2. Lowering the risk of re-identification: If researchers aim to link de-identified RWD to clinical trials, then the combined CT+RWD has to also remain de-identified. Given clinical trials usually enroll a small patient population, there’s always a concern that linking RWD for that small population can increase re-identification risk. We have conducted research in this space and have shared some privacy considerations around linking data for small patient populations. These stand true for any small population linkage, but are especially important in CT+RWD applications. 

I am very keen to explore what insights will come out of CT+RWD linkages, and to see how this work will be conducted with participant privacy as its first and foremost concern.
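The second point above, that linking RWD to a small trial cohort can shrink the crowd each participant hides in, can be made concrete with a k-anonymity check. The following is an added example and is not code from Datavant or from the guest commentator; it assumes a de-identified RWD extract keyed by a linkage token and carrying three quasi-identifiers (3-digit ZIP, birth year, sex), all constructed inline. It measures the smallest equivalence class before linkage, after restricting to the trial cohort, and after one coarsening step that brings the linked set back above a chosen k threshold.

```python
from collections import Counter

# Constructed de-identified RWD rows: (linkage_token, zip3, birth_year, sex).
# The token stands in for a privacy-preserving linkage key; zip3, birth_year
# and sex are the quasi-identifiers that could be matched against outside data.
RWD = [
    ("t01", "021", 1961, "F"), ("t02", "021", 1961, "F"), ("t03", "021", 1961, "F"),
    ("t04", "021", 1966, "M"), ("t05", "021", 1966, "M"), ("t06", "021", 1966, "M"),
    ("t07", "100", 1958, "F"), ("t08", "100", 1958, "F"), ("t09", "100", 1958, "F"),
    ("t10", "100", 1953, "M"), ("t11", "100", 1953, "M"), ("t12", "100", 1953, "M"),
]

# Constructed trial cohort: tokens of the (small) enrolled population.
TRIAL_TOKENS = {"t01", "t04", "t05", "t07", "t10", "t11", "t12"}


def exact_qi(row):
    """Quasi-identifier tuple as released: (zip3, birth_year, sex)."""
    return (row[1], row[2], row[3])


def generalized_qi(row):
    """One coarsening step: birth year to a decade band, sex suppressed."""
    return (row[1], row[2] // 10 * 10)


def equivalence_classes(rows, keyfunc):
    """Number of records sharing each quasi-identifier combination."""
    return Counter(keyfunc(r) for r in rows)


def k_anonymity(rows, keyfunc):
    """Size of the smallest equivalence class (0 for an empty dataset)."""
    classes = equivalence_classes(rows, keyfunc)
    return min(classes.values()) if classes else 0


def singleton_classes(rows, keyfunc):
    """Quasi-identifier combinations that describe exactly one record."""
    return sorted(k for k, n in equivalence_classes(rows, keyfunc).items() if n == 1)


def link_trial(rows, tokens):
    """Restrict the RWD extract to participants present in the trial cohort."""
    return [r for r in rows if r[0] in tokens]


def assess_linkage(rows, tokens, k_min=3):
    """Compare k before linkage, after linkage, and after generalization."""
    linked = link_trial(rows, tokens)
    full_k = k_anonymity(rows, exact_qi)
    linked_k = k_anonymity(linked, exact_qi)
    generalized_k = k_anonymity(linked, generalized_qi)
    return {
        "full_k": full_k,
        "linked_k": linked_k,
        "generalized_k": generalized_k,
        "linked_singletons": singleton_classes(linked, exact_qi),
        "linked_meets_k_min": linked_k >= k_min,
        "generalized_meets_k_min": generalized_k >= k_min,
    }


if __name__ == "__main__":
    for name, value in assess_linkage(RWD, TRIAL_TOKENS).items():
        print(f"{name}: {value}")
```

On the constructed data every quasi-identifier combination appears three times in the full extract, so it is 3-anonymous; the same columns restricted to the seven trial participants contain two records that are alone in their class. Banding birth year and suppressing sex restores k = 3 for the linked subset, which is the kind of check and adjustment a re-identification risk review would document before a CT+RWD dataset is released.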


Government Watcher

Oklahoma Computer Data Privacy Act + New Hampshire's Senate Bill 255

  • Background:
    • The Oklahoma Computer Data Privacy Act is a bill that allows a consumer to request disclosure of specific items of personal information a business has collected over prior twelve months, deletion of any personal information collected, and to opt out of the sale of their personal information to third parties; and disallows businesses from selling to a third party the personal information of a consumer who does not opt in to the sale of their information after the effective date of the act. 
    • New Hampshire's Senate Bill 255 would give consumers the right to confirm whether their data is being collected and stored; obtain a copy of their data from a business; correct any inaccuracies in that data; request that their data be deleted; and opt out of the sale of their data for advertising purposes.
  • Latest Developments: 
    New Hampshire, Oklahoma advance privacy bills
    IAPP (March 13, 2023) 
    "In a 5-0 vote, New Hampshire's State Senate Judiciary Committee recommended Senate Bill 255 should pass with amendments. . .  The Oklahoma House advanced House Bill 1030, the Oklahoma Computer Data Privacy Act. The bill's fiscal analysis states the new law relates 'to privacy of computer data, providing protections for the personal information of consumers and enacting guidelines for businesses collecting consumer data information.'" Keep reading

California Consumer Privacy 

  • Background: The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill, which established a foundation for consumer privacy regulations, was passed by the California State Legislature and signed into law in 2018. In November 2020, California voters passed Proposition 24, also known as the California Privacy Rights Act, which amends and expands the CCPA.
  • Latest Developments: 
    California Privacy Protection Agency Emphasizes Enforcement and Expresses Opposition to Federal Privacy Legislation at March Public Meeting
    WilmerHale (March 10, 2023)
    "On Friday, March 3, 2023, the California Privacy Protection Agency (CPPA) held a public board meeting . . . [and] emphasized its prioritization of enforcement activities as the Agency continues to grow. This emphasis on enforcement aligns with other developments highlighting the need for companies to bring their privacy programs into compliance with California privacy laws, such as the pending finalization of the California Privacy Rights Act (CPRA) regulations and the California Attorney General’s recent investigative sweep pertaining to mobile applications’ compliance with the California Consumer Privacy Act (CCPA)." Keep reading

Vermont's H.121: "An act relating to enhancing consumer privacy"

  • Background: Vermont House's H.121 is a lengthy bill that proposes a number of amendments to Title 9, Chapter 62 of the Vermont Statutes, which generally covers the protection of personal information. It modifies and adds to requirements pertaining to data brokers, adds a new section addressing protection of biometric information, and directs a study to be performed on the issue of public information, amongst other things. 
  • Latest Developments:
    Vermont Legislature Proposes New Consumer Privacy Legislation
    Downs Rachlin Martin PLLC (March 16, 2023)
    "To date, five states in the U.S. – California, Virginia, Colorado, Utah, and Connecticut – have enacted such laws, and legislation is pending in at least 14 other states. One of those other states is Vermont, which introduced a new privacy bill earlier this year." Keep reading

New Mexico's Senate Bill 13: the Reproductive & Gender-Affirming Health Care Protection Act

  • Background: The Reproductive and Gender-Affirming Health Care Protection Act, sponsored by state Sen. Linda Lopez, D-Albuquerque, protects providers and patients from other states’ efforts to subpoena for provider or patient information as part of an investigation into reproductive or gender-affirming care where that activity is not protected. 
  • Latest Developments: 
    Legislation Protecting the Privacy of Patients and Providers and Ensuring No One is Criminalized for Safe and Legal Health Care Passes Senate
    Newswires (March 11, 2023)
    "Today, Senate Bill 13: the Reproductive & Gender-Affirming Health Care Protection Act, legislation designed to prevent discrimination related to abortion and gender-affirming care, protect the privacy of patients and providers, and ensure no one is criminalized for safe and legal health care, passed the senate (26-16)." Keep reading 

Food for Thought

The staggering financial burden of a proposed HIPAA rule
STAT News (March 17, 2023)
"The already beleaguered U.S. health care system is facing a new and costly threat that will affect patient care and ultimately may lead to hospital closures: paying for and processing a torrent of medical record requests. While the news media in 2022 focused on hospitals’ billions of dollars of losses, negative operating margins, and other daunting post-pandemic challenges, a set of costly modifications to the HIPAA Privacy Rule proposed by the Department of Health and Human Services mostly flew under the radar." Keep reading 

Lurking Beneath the Surface: Hidden Impacts of Pixel Tracking
FTC (March 16, 2023)
"The Federal Trade Commission recently took enforcement action against GoodRx and BetterHelp, two digital healthcare platforms, for allegedly sharing user health data with third parties for advertising. Both cases highlighted the use of third-party tracking pixels, which enable platforms to amass, analyze, and infer information about user activity. The remedies in GoodRx and BetterHelp include strong provisions like bans that place strict, comprehensive limits on whether and how certain user information may be disclosed for advertising. In GoodRx and BetterHelp, this included a ban on the sharing of health information for any advertising purposes, and the BetterHelp order further bans the disclosure of other personal information for re-targeting. [This is] a deep dive into the technical side of [these two cases]." Keep reading

Exploring Data De-Identification in Healthcare
Health IT Analytics (March 15, 2023)
"Adequately de-identifying healthcare data is critical for health systems, payers, and other stakeholders to ensure HIPAA compliance. However, the advent of newer technologies, such as artificial intelligence (AI) and connected devices, has created questions about ensuring patient privacy while enabling data sharing and access to improve care and drive medical breakthroughs. Suraj Kapa, MD, a cardiac electrophysiologist with Mayo Clinic and chief medical officer for healthcare data privacy startup TripleBlind, sat down with HealthITAnalytics to help shed light on de-identification in healthcare and its relationship with HIPAA compliance, AI, and connected devices." Keep reading

Best of the Rest

State Policy Linked to Improved Data Sharing, Care Quality
Health Leaders (March 9, 2023)
"Policies developed by state legislatures can play a critical role in the adoption of health data sharing, which, in turn, will improve care quality, according to a new study from MIT Sloan School of Management. The MIT Sloan researchers wanted to determine why, despite the high levels of adoption of electronic health records since the 2009 Health Information Technology for Economic and Clinical (HITECH) Act, the actual use of shared data to improve care has sputtered." Keep reading

Feedback or questions? We'd love to hear from you!
Reach us at

Related Newsletters

Privacy Matters | Two more states pass comprehensive consumer privacy legislation, David Copeland offers an introduction to unstructured health data within the privacy preservation space, & more

Privacy Matters | Senators move to bolster HIPAA protections for patients seeking reproductive healthcare, Doug Fridsma expounds on how EHRs changed the health data privacy landscape, & more

Privacy Matters | Several states introduce new privacy bills, Ofer Mendelevitch reflects on synthetic data's privacy capabilities, & more