Privacy Hub's monthly synthesis of the major news items
affecting and shaping health data privacy,
with expert analysis and commentary
The last few weeks in a flash:
D.C. Data Breach That Included Members of Congress Affected More Than 56,000
The New York Times (March 10, 2023)
"The data of more than 56,000 people, including Social Security numbers and other personal information, was stolen in a hack of the online health insurance marketplace for members of Congress and Washington, D.C., small businesses and residents, officials said in a statement on Friday night. . . District of Columbia officials learned of the attack on the D.C. Health Link marketplace on Monday and 'immediately launched an investigation,' . . . [which] has found that 56,415 customers were affected, and the data stolen includes names, Social Security numbers, dates of birth, health plan information and other personal information, including home addresses, phone numbers, email addresses, ethnicity and citizenship status."
Iowa House and Senate Unanimously Vote to Approve Comprehensive Privacy Legislation
Hunton Andrews Kurth (March 17, 2023)
"On March 6 and 15, 2023, both chambers of the Iowa Legislature unanimously voted to approve Senate File 262, which could make Iowa the sixth U.S. state to enact comprehensive privacy legislation. The bill is most similar to Utah's comprehensive privacy law."
Cerebral admits sharing data of nearly 3.2M with third parties amid Senate inquiry
SC Media (March 10, 2023)
"One month after a group of senators launched an inquiry into Cerebral, the mental health subscription platform issued a breach notice to nearly 3.2 million patients that appears to confirm many of the data-sharing claims brought to light in the inquiry. The notice shows the unauthorized disclosure of patient health data began in 2019. Despite the large number of impacted patients, it's only the second-largest healthcare data breach report so far this year. [Several Senators] accused Cerebral [alongside Monument and Workit] of routinely engaging in third-party data sharing for advertising purposes, without consent from patients and despite promises to users that the data they entered into the platform would remain confidential."
FTC says health privacy key priority in 2024 budget request
Healthcare Dive (March 15, 2023)
"The Federal Trade Commission called out health privacy as a main area of focus — and a reason why it needs more funds — in its 2024 budget request released on Tuesday. The agency has been increasingly aggressive in cracking down on companies trafficking consumers' sensitive healthcare data, with recent enforcement actions against digital health companies GoodRx and BetterHelp, including multimillion-dollar settlements. [It] wants to further increase its scrutiny on healthcare by strengthening its ability to take on bigger and more complex cases, both to protect consumer privacy and crack down on anticompetitive consolidation in healthcare. . . The FTC's proposal calls for a $160 million boost in funding for the 2024 fiscal year, which would increase its budget by 37% compared to 2023."
Survey: Privacy protections boost consumers' willingness to share health data
Mobile Health News (March 7, 2023)
"A survey of more than 3,500 U.S. adults reveals consent, data transparency, data deletion and oversight may strengthen consumer trust and support socially valuable uses of digital health data."
Clinical trials (CTs), in particular those that are randomized and controlled, are the gold standard for evidence generation and regulatory decision-making [1], yet they have limitations, including a short duration and a limited number of endpoints [2]. They become significantly more powerful when longitudinally connected to Real-World Data (RWD: medical claims, electronic health records, lab data, etc.) generated outside of the trial. Trial-RWD linkage expands what we can learn from a clinical study, such as the long-term safety and efficacy of an intervention, well beyond the trial's completion.
However, these linkages need to be conducted under strict privacy considerations. To protect trial participants (the volunteers that make trials possible) and the validity of the results, trials are conducted under strict ethical and operational considerations called Good Clinical Practice (GCP) [3]. GCP guidance ensures participants are informed of the risks and benefits of being in the trial, and that their privacy is protected [4]. On the other side of the equation, researchers should also ensure that RWD that is shared as de-identified, per the HIPAA Privacy Rule, continues to pose low risk of patient re-identification upon linkage to any other data. Thus, when connecting CT to RWD, the industry should have a high bar for privacy and ethics practices. Privacy best practices for CT + RWD linkage include:
1. Informed Consent: A CT+RWD dataset that has gone through the expert determination de-identification process could be considered Non-Human Subject Research, and the de-identified nature of this research is a form of privacy protection for trial participants. However, when possible, we encourage trial sponsors and researchers to incorporate information about these linkages as part of the informed consent process that a participant goes through for the trial. This gives participants the chance to opt in or out of CT+RWD linkage. Trial participants should be informed of the definition of RWD, of how CT+RWD can help improve medical research, and, most importantly, of the fact that these data would be connected in a privacy-preserving way. Studies have shown that patients are comfortable with their data shared for research, especially if the information is de-identified [5, 6].
2. Lowering the risk of re-identification: If researchers aim to link de-identified RWD to clinical trials, then the combined CT+RWD dataset has to remain de-identified as well. Because clinical trials usually enroll a small patient population, there is always a concern that linking RWD for that small population can increase re-identification risk: every attribute the RWD adds narrows the group of records a participant could be confused with. We have conducted research in this space and have shared some privacy considerations around linking data for small patient populations. These hold true for any small-population linkage, but are especially important in CT+RWD applications.
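To make the second point concrete, the following Python is an added illustration written for this newsletter summary; it is not Privacy Hub's code or a published method. It measures k-anonymity (the size of the smallest group of records sharing the same quasi-identifiers) on a constructed, already de-identified six-participant trial cohort, then on the same cohort after linking constructed RWD rows through a pseudonymous token. The field names, the token-based join and the generalization ladder are all assumptions made for the example; a real expert determination would choose quasi-identifiers, thresholds and generalizations from the actual data and its intended use.

```python
"""
Re-identification risk before and after CT+RWD linkage, measured as k-anonymity.

Everything below is constructed for illustration (synthetic records, assumed
field names, an assumed pseudonymous linkage token). It is not real trial data.
"""
from collections import Counter

# Constructed, already de-identified trial cohort. "token" stands in for a
# pseudonymous linkage key assumed to be issued by a trusted third party.
TRIAL = [
    {"token": "t001", "age_band": "60-69", "sex": "F", "zip3": "021"},
    {"token": "t002", "age_band": "60-69", "sex": "F", "zip3": "021"},
    {"token": "t003", "age_band": "60-69", "sex": "F", "zip3": "021"},
    {"token": "t004", "age_band": "70-79", "sex": "M", "zip3": "100"},
    {"token": "t005", "age_band": "70-79", "sex": "M", "zip3": "100"},
    {"token": "t006", "age_band": "70-79", "sex": "M", "zip3": "100"},
]

# Constructed RWD (e.g. claims) for the same tokens; each row contributes
# quasi-identifiers the trial data did not carry.
RWD = [
    {"token": "t001", "first_visit_year": 2019, "comorbidities": 1},
    {"token": "t002", "first_visit_year": 2019, "comorbidities": 1},
    {"token": "t003", "first_visit_year": 2021, "comorbidities": 1},
    {"token": "t004", "first_visit_year": 2020, "comorbidities": 2},
    {"token": "t005", "first_visit_year": 2019, "comorbidities": 3},
    {"token": "t006", "first_visit_year": 2020, "comorbidities": 2},
]

TRIAL_QI = ("age_band", "sex", "zip3")          # quasi-identifiers in the trial
RWD_QI = ("first_visit_year", "comorbidities")  # quasi-identifiers added by RWD


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def min_k(records, quasi_identifiers):
    """k-anonymity of a dataset: the size of its smallest equivalence class."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def records_at_risk(records, quasi_identifiers, k_threshold):
    """Records whose equivalence class is smaller than k_threshold."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records
            if classes[tuple(r[q] for q in quasi_identifiers)] < k_threshold]


def link(trial, rwd):
    """Inner-join the two sources on the pseudonymous token."""
    by_token = {r["token"]: r for r in rwd}
    return [{**t, **by_token[t["token"]]} for t in trial if t["token"] in by_token]


def generalize(records, field, mapping):
    """Coarsen one quasi-identifier (exact value -> band or '*') to enlarge classes."""
    return [{**r, field: mapping(r[field])} for r in records]


def assess_linkage(trial, rwd, k_threshold=3):
    """Compare k on the trial alone with k on the linked set carrying every QI."""
    linked = link(trial, rwd)
    all_qi = TRIAL_QI + RWD_QI
    k_linked = min_k(linked, all_qi)
    return {
        "k_trial_only": min_k(trial, TRIAL_QI),
        "k_linked": k_linked,
        "singled_out_after_linkage":
            sorted(r["token"] for r in records_at_risk(linked, all_qi, 2)),
        "meets_threshold_after_linkage": k_linked >= k_threshold,
    }


# Assumed generalization ladder: each step is tried on the freshly linked data,
# from least to most information loss, until the k threshold is met.
year_band = lambda y: "pre-2020" if y < 2020 else "2020+"
comorb_band = lambda c: "0-1" if c <= 1 else "2+"
suppress = lambda _: "*"
GENERALIZATION_LADDER = [
    ("as linked", lambda recs: recs),
    ("band year and comorbidity count",
     lambda recs: generalize(generalize(recs, "first_visit_year", year_band),
                             "comorbidities", comorb_band)),
    ("suppress year, band comorbidity count",
     lambda recs: generalize(generalize(recs, "first_visit_year", suppress),
                             "comorbidities", comorb_band)),
    ("suppress both RWD fields",
     lambda recs: generalize(generalize(recs, "first_visit_year", suppress),
                             "comorbidities", suppress)),
]


def mitigate(trial, rwd, k_threshold=3):
    """Return the first ladder step whose result satisfies k >= k_threshold."""
    linked = link(trial, rwd)
    for step, transform in GENERALIZATION_LADDER:
        k = min_k(transform(linked), TRIAL_QI + RWD_QI)
        if k >= k_threshold:
            return {"step": step, "k": k}
    return {"step": "threshold not met", "k": min_k(linked, TRIAL_QI + RWD_QI)}


if __name__ == "__main__":
    print(assess_linkage(TRIAL, RWD))
    print(mitigate(TRIAL, RWD))
```

On this constructed cohort the trial data alone is 3-anonymous, but the two RWD fields single out two participants (k drops to 1), and only suppressing the visit year and banding the comorbidity count brings the linked set back to k = 3. The lesson is the one made above: the smaller the population, the less additional RWD detail it can carry before linkage erodes the de-identification.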
I am very keen to explore what insights will come out of CT+RWD linkages, and to see how this work will be conducted with participant privacy as its first and foremost concern.
Oklahoma Computer Data Privacy Act + New Hampshire's Senate Bill 255
Vermont's H.121: "An act relating to enhancing consumer privacy"
New Mexico's Senate Bill 13: the Reproductive & Gender-Affirming Health Care Protection Act
The staggering financial burden of a proposed HIPAA rule
STAT News (March 17, 2023)
"The already beleaguered U.S. health care system is facing a new and costly threat that will affect patient care and ultimately may lead to hospital closures: paying for and processing a torrent of medical record requests. While the news media in 2022 focused on hospitals' billions of dollars of losses, negative operating margins, and other daunting post-pandemic challenges, a set of costly modifications to the HIPAA Privacy Rule proposed by the Department of Health and Human Services mostly flew under the radar."
Lurking Beneath the Surface: Hidden Impacts of Pixel Tracking
FTC (March 16, 2023)
"The Federal Trade Commission recently took enforcement action against GoodRx and BetterHelp, two digital healthcare platforms, for allegedly sharing user health data with third parties for advertising. Both cases highlighted the use of third-party tracking pixels, which enable platforms to amass, analyze, and infer information about user activity. The remedies in GoodRx and BetterHelp include strong provisions like bans that place strict, comprehensive limits on whether and how certain user information may be disclosed for advertising. In GoodRx and BetterHelp, this included a ban on the sharing of health information for any advertising purposes, and the BetterHelp order further bans the disclosure of other personal information for re-targeting. [This is] a deep dive into the technical side of [these two cases]."
Exploring Data De-Identification in Healthcare
Health IT Analytics (March 15, 2023)
"Adequately de-identifying healthcare data is critical for health systems, payers, and other stakeholders to ensure HIPAA compliance. However, the advent of newer technologies, such as artificial intelligence (AI) and connected devices, has created questions about ensuring patient privacy while enabling data sharing and access to improve care and drive medical breakthroughs. Suraj Kapa, MD, a cardiac electrophysiologist with Mayo Clinic and chief medical officer for healthcare data privacy startup TripleBlind, sat down with HealthITAnalytics to help shed light on de-identification in healthcare and its relationship with HIPAA compliance, AI, and connected devices."
STUDY: State Policy Linked to Improved Data Sharing, Care Quality
Health Leaders (March 9, 2023)
"Policies developed by state legislatures can play a critical role in the adoption of health data sharing, which, in turn, will improve care quality, according to a new study from MIT Sloan School of Management. The MIT Sloan researchers wanted to determine why, despite the high levels of adoption of electronic health records since the 2009 Health Information Technology for Economic and Clinical (HITECH) Act, the actual use of shared data to improve care has sputtered."