Protecting consumer health data privacy beyond HIPAA


If you look at the apps on your phone, chances are you have at least one related to your health, and probably several. Whether it’s a mental health app, fitness tracker, connected health device, or something else, many of us are taking advantage of this technology to better track our health in some form or another. Recent research by the Organization for the Review of Care and Health Apps found that 350,000 health apps were available on the market, with 90,000 launched in 2020 alone.

Although these applications have a lot to offer, it is not always clear how the personal information we enter is collected, protected and shared online. Existing healthcare privacy legislation, such as the Health Insurance Portability and Accountability Act (HIPAA), focuses primarily on how hospitals, doctors’ offices, clinics, and insurance companies store online health records. The health information that these apps and wearable health data tracking devices collect generally does not enjoy the same legal protections.

Why it’s potentially troubling

Without additional protections in place, companies can share (and potentially monetize) personal health information in ways that consumers may not have authorized or anticipated. As Sara Morrison explains in Recode, “The app economy is based on tracking app users and inferring their behavior to target ads at them. … This means that health apps collect data that we consider to be the most sensitive and personal, but may not protect it as well as they should.”

Take GoodRx, for example, an app that helps users save money on prescription drugs by finding price comparisons and coupons. While this app was helping millions of people save money, in early 2020 Consumer Reports discovered that GoodRx was sharing users’ personal information with technology and marketing companies. Some of that data was then shared further. The company has made changes since then.

Most recently, in 2021, Flo Health was investigated by the Federal Trade Commission (FTC). The FTC alleged in a complaint that “despite express claims of privacy, the company took control of users’ sensitive fertility data and shared it with third parties — a broken promise that left consumers feeling ‘outraged,’ ‘victimized’ and ‘violated.’” Flo Health and the FTC settled the case with a consent order requiring the company to obtain express affirmative consent from app users before sharing their health information and to ask the third parties to delete the data they had obtained.

Current healthcare data protection landscape

Section 5 of the FTC Act empowers the FTC to take enforcement action against unfair or deceptive acts, which means the FTC can only act after the fact, once a company’s privacy practices have proven deceptive or have caused undue harm to consumers. While the FTC is doing what it can to make sure apps deliver on their promises to consumers about handling their sensitive health information, the speed at which these health apps are coming to market shows just how big a challenge this is.

The Chair of the FTC has spoken on this issue. In April, in her first public remarks on privacy issues since becoming chair last year, Lina Khan said the agency would continue to use its existing statutory authority to police unfair practices and data misrepresentations to “take quick and bold action” against companies that misuse or fail to adequately secure consumers’ personal information.

As for the prospects of federal legislation, commentators suggest that comprehensive federal privacy legislation seems unlikely in the near term. States have begun to implement their own solutions to strengthen the protection of consumer-generated health data. California has been at the forefront of state privacy efforts, first with the California Consumer Privacy Act (CCPA) of 2018, and more recently with the California Privacy Rights Act (CPRA). Virginia, Colorado, and Utah also recently passed state consumer data privacy legislation, and other states are considering legislation of their own.

The path forward

Recently, my organization was selected to implement and host a self-regulatory program for the Consumer Privacy Framework for Health Data, released by the Executives for Health Innovation (EHI) and the Center for Democracy and Technology in February 2021.

I think the most critical step for many companies is to recognize that they collect health data and to become familiar with the legal potholes that exist in the landscape. These companies need to have strong privacy practices in place and should always err on the side of caution.

For example, when collecting and sharing consumer health information of any kind, carefully consider whether your privacy practices should require opt-in consent. Without clear guidance on certain non-HIPAA data collections and uses, choosing an opt-out model can have negative downstream effects for your organization.

Be specific about the data you collect. For example, the Digital Advertising Alliance (DAA) Self-Regulatory Principles require opt-in consent for data collection regarding “pharmaceutical prescriptions” or “medical records.” (Disclosure: The BBB National Programs Digital Advertising Accountability Program serves as an accountability agent for the DAA, and we are compensated for our work.) The FTC, in its privacy best practices for mobile health app developers, likewise states that apps or devices that collect health data must obtain “express affirmative consent” from the user before collecting or sharing that data.

In addition to proper consent procedures, companies that collect health data must ensure that their apps and devices that collect consumer health information comply with the FTC’s Health Breach Notification Rule.

While the pandemic has certainly contributed to an increased reliance on technology to track personal health data, the use of digital technology to help us stay in sync with our health is unlikely to slow down. With any new technology, there is always a period of evaluation by the market and a watchful eye from regulators. By building in stronger privacy protections from the start, companies can avoid having to make changes later in response to future regulations.

Originally published in Forbes.
