As this decade begins, Americans are increasingly apprehensive about the privacy of their personal information. A recent survey found that approximately four out of five Americans are concerned about how their data is used, think the risks of companies’ collection of their data outweigh the benefits and believe they have little control of their data.1
Nowhere is this issue more important than in regard to health data, a type of information that can contain extremely personal details about an individual. Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is the primary law that protects health data in the United States. But HIPAA was adopted in a world where most health data was held either by or on behalf of traditional healthcare providers or health plans.
Today, companies that operate mobile apps, search engines, social media platforms and health-oriented websites have more health information about many of their users than a hospital has about most of its patients. Yet these technology companies typically are not subject to HIPAA or other health privacy laws. The amount of health information held by these companies continues to increase in volume and importance by the day.
In fact, new federal regulations, released March 9, 2020, will be a catalyst for unprecedented interoperability between patient medical records and health insurance claims information and consumer-oriented digital technologies, blurring the lines—along with consumer understanding—between when health data is protected under HIPAA and when it is not. These regulations and other government initiatives will require health plans and healthcare providers to make health data available to individuals through apps that generally fall outside the scope of HIPAA regulation.
Without a framework to regulate the use and disclosure of such information, this data is at risk of misuse. Further, a lack of trust can cause consumers to take steps to block the sharing of their data, even when such disclosure is for legitimate purposes such as the receipt of sought-after services or the support of important public interest initiatives, such as medical research.
While greater liquidity of health data holds out the promise of tremendous public good, the potential for harm from exploitation of this data2 is very high, as such data can be sensitive, can be potentially embarrassing, and can enable various types of discrimination. As ever-increasing amounts of health data are being collected, aggregated, sold and mined by Internet search engines, marketing agencies and commerce-oriented business ventures, it is critical for consumers to understand and have control over how their health data is used.
In spring 2019, with support from the Robert Wood Johnson Foundation (RWJF), Manatt convened a roundtable of health policy, provider and industry leaders focused on lessons learned in the ten years since the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The roundtable also addressed what the government’s role should be in facilitating health data liquidity to help improve medical care, lower costs and empower consumers. General agreement exists that HITECH did significantly advance the more widespread adoption of electronic medical records and lay a foundation for easier exchange of information, but that patients often face impediments to gaining full access to their own health data. While healthcare data interoperability efforts have focused to date largely on provider and administrative services, health data liquidity is evolving to enable consumers to have greater access to and to be better stewards of their health data. This changing paradigm is creating new industry partnerships, including through development of standards-based application programming interfaces (APIs).
One outgrowth of the roundtable was a comment letter jointly authored by the six former national coordinators for health information technology submitted to the Office of the National Coordinator (ONC) and the Centers for Medicare & Medicaid Services (CMS) in support of then-proposed (now final, though with implementation delayed due to the COVID-19 pandemic) regulations to advance interoperability and promote consumer-facing APIs. The letter raised privacy as a critical issue that had to be addressed to support meaningful data exchange and called on policymakers and industry leaders to develop a consumer privacy framework in parallel with broader interoperability efforts.3
Given this context, with funding from RWJF, the Center for Democracy and Technology (CDT) and the eHealth Initiative (eHI) are jointly convening a Steering Committee of experts and leaders representing healthcare, technology, and advocacy groups and consumers to take proactive steps to protect the privacy of health data that falls outside the bounds of current health privacy laws. The Steering Committee aims to identify steps to advance a privacy framework that promotes accountability and transparency, provides meaningful protection to consumers with respect to the use of their health data, and creates a level playing field for companies that act responsibly with respect to protecting their users’ data.
RWJF also engaged Manatt to research—and provide support for the Steering Committee in understanding—the gaps in existing health data privacy protections and the implications these gaps may have for industry data use and consumer privacy and to catalog potential options for developing and implementing a new framework governing the collection, use and disclosure of health data, including self-regulatory models that rely on public-private partnerships.
The Impact of the Pandemic
In a new white paper funded by RWJF, Manatt examines the current holes in privacy protections, the data use implications for both the industry and consumers, and options for developing a framework for collecting, using and disclosing health data. The paper was completed prior to the life-changing events of the global COVID-19 pandemic. The world has changed in both salient and subtle ways that none of us could have predicted just a few months ago.
Over the coming weeks and months, patients, policymakers, healthcare providers and technology companies alike will have to grapple with challenging questions related to the power and promise of—but also the potential for harm from—digital technologies to support public health efforts to manage and contain the spread of lethal viruses; to quickly identify and provide targeted, vital supports for those affected, especially our most vulnerable residents; to support efforts to address health disparities; and to support efforts to safely resume much needed but delayed medical care, reopen our economy and resume our daily lives. The same digital exchange and aggregation of identifiable consumer data coupled with sensitive health information that can do so much for the greater public good can also have devastating consequences for individual lives if not afforded adequate privacy and security safeguards.
The COVID-19 pandemic puts the immense value of interoperable health data—across healthcare providers, insurance plans, settings of care and patients—squarely in the spotlight. Indeed, in just early March, the federal government released its regulations to promote greater data liquidity and prevent “information blocking” among data stewards and technology vendors. The concept behind these rules is to more quickly, easily and without artificial barriers get patients’ own health information into their hands via digital app-based technologies and to ensure exchange of more data across health plans and caregivers. But these rules did not extend privacy protections to patient data once released to technology developers and app vendors, instead relying on the market and general consumer protection laws.
The premise of Manatt’s new paper is that while more comprehensive federal privacy regulations are a worthy goal and may come in the future, alternate or additional paths for setting and enforcing strong privacy protections should be considered in parallel to protect consumer privacy related to their health data, including review of efforts from other industries. The health data industry is changing so rapidly and available electronic data pertaining to an individual’s health status is growing at such an exponential pace, the lengthy and complex legislative process cannot keep up with the increasingly critical need to have strong and comprehensive consumer privacy protection for health data. The failure to do so will likely result in a complex patchwork of competing state-level regulations that will be difficult if not impossible to comply with or enforce…or worse.
While the paper does not directly focus on the new data privacy questions that continue to arise due to the pandemic, we believe the issues, considerations and questions it raises are all the more salient today and that the imperative to advance a meaningful consumer data privacy framework is more critical than ever.
Click here to download a free copy of the complete white paper, “A Shared Responsibility: Protecting Consumer Health Privacy in an Increasingly Connected World.”
1 Pew Research Center, Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information, https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/.
2 While there are many ways to parse and define health data, for the purposes of this paper, we contemplate a broad view inclusive of many types of digital information that relates to the physical or mental health of an individual or to the provision of health and wellness services to an individual that can be identified and attributed to that individual. However, we note particular concern for data that is currently subject to protections under HIPAA that loses that status once authorized by a patient/consumer to be released to a third party, such as an app vendor.
Examples of health data that might be considered in developing recommendations for a more robust privacy framework include (potentially among others):
- Patient information related to medical diagnosis and treatment, including health records, medical notes, lab test results, prescriptions, referrals and medical bills, among other elements, such as might typically be generated and recorded by entities within the healthcare system.
- Health-related data created, recorded or gathered by or from patients (or caregivers) to help address a health concern or interest, which may include, for example, biometric data, symptoms, remote monitoring using home health equipment, data from wellness applications or wearable devices, genomic analyses and health histories.
- Data relating to a specific health concern that is housed in a private registry and/or included in a health survey.
- Consumer online activity and behavioral data that could potentially be correlated to clinical conditions, such as consumer Internet search histories (such as those relating to health or medical-related topics); social media posts, “likes” and comments; participation in mobile text programs related to physical or behavioral health; and retail behavior and purchasing trends.
- Some stakeholders and analyses have also suggested that health-related data could include so-called online “proxy” data or information that may be mined to inform a picture of health status, such as residential data including ZIP code and housing status, geolocation data, socioeconomic factors, and information on the social determinants of health and data from the Internet of Things (such as smart home devices).
3 https://www.healthaffairs.org/do/10.1377/hblog20190604.428654/full/. Excerpt: “The proposed interoperability rules and the ONC Health IT Certification Program further federal efforts to ensure that electronic health information is available and can be securely and safely shared to improve the health and care of the American public. We believe it is of utmost importance to implement these proposed interoperability rules as quickly as possible to propel the healthcare industry forward by finally enabling the meaningful flow of data. In and of themselves, these rules do not, however, fully address patient and consumer privacy protections. In parallel, we recommend that CMS and ONC, together with other relevant agencies and departments (such as the Department of Health and Human Services (HHS) Office of Civil Rights and the Federal Trade Commission) and private-sector colleagues, develop a companion consumer privacy framework.
Consumers should clearly understand how their data is being used by third-party APIs and how to exercise their consent options. A process should be put in place to ensure appropriate privacy protections are in place for consumers as the API market develops.”