We are awash in digital health
data. And we are awash in multiple regulatory schemas designed to
protect privacy, security and appropriate access to all this data. Some
data is “traditional” health care data governed by the familiar
patchwork of federal and state statutes and regulations (rhymes with “HIPAA”).
Some is the product of new consumer health tracker devices and apps
which are not reached by HIPAA (except for some provided to individuals
by health care providers or insurers). Privacy, security and access are
guaranteed with respect to much of the health data not governed by HIPAA
thanks to the oversight of the FTC (and cognate state agencies), with a
twist: while most specific federal and state health data privacy and
security rules are spelled out in detail, the FTC
takes a different approach, simply enforcing through individual actions
its general consumer protection authority, which bars unfair or
deceptive business practices. (There is also the FTC breach notification
rule, which parallels the HIPAA breach notification rule, but is
applicable to non-covered-entity PHRs.) There is an alphabet soup of
other agencies, statutes, frameworks, etc. that have overlapping
jurisdiction over these issues as well.
ONC recently issued a report to Congress (and shared on its blog) in collaboration with OCR and the FTC, entitled Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,
which considers HIPAA, the FTC Act and something called FIPPS, Fair
Information Practice Principles – but does not examine the interplay
with state law or with other related federal regulatory structures such
as FCRA, COPPA, GLBA, FERPA. FIPPS, by the way, is an overarching
statement of principles regarding health data privacy, security and
access, dating back to HEW (!) in 1973, including things not necessarily
provided for by law, and most recently pulled together in the 2008 ONC
Privacy & Security Framework. These principles are:
- Individual access
- Correction
- Openness and transparency
- Individual choice
- Collection, use and disclosure limitation
- Data quality and integrity
- Safeguards
- Accountability
The report is a useful summary of the current state of HIPAA, the FTC
Act, the FTC breach notification rule and FIPPS. It identifies the gaps
in coverage that — in an ideal world — Congress would patch, or even
undertake a broader rip-and-replace, enacting a comprehensive health
data privacy, security and access schema integrating a single approach
to PHI governed by HIPAA, data practices covered by the FTC Act, and
everything in between and beyond.
Don’t hold your breath.
Aside from the current congressional logjam, gridlock, or whatever
your preferred metaphor may be, consider the fact that we are now
embarking upon the general election season, which tends to add an
additional layer of grandstanding and substantive paralysis to the usual
fever dreams of the Potomac. Consider, too, that in the 43 years folks
have been thinking about FIPPS (HEW! That really got to me), we have
largely confined ourselves to thinking about FIPPS. The ONC
Privacy & Security Framework is reiterated in the ONC’s
Interoperability Roadmap – a recently-issued ten-year roadmap to a goal
that many believe should have been realized as a part of implementing
the Meaningful Use program (enacted as part of the HITECH Act, which
also updated HIPAA and added the FTC breach notification rule
requirements). Yes, there is greater awareness of the burgeoning volume
of health data (HIPAA-regulated PHI and other), there is a growing
belief that improving health status and reducing health care costs may
well be accelerated through implementation of value-based care systems
that rely in part on patient-generated data and a network of digital
activity trackers, and there is growing concern that the complexity of
health data privacy regulations leaves many of us unprotected in a
variety of contexts. I think I am more realist than pessimist when I
conclude that, however well-founded these concerns and proposals may be,
comprehensive, sensible, Congressional action in this realm is not
imminent.
Things are both better and worse than the authors of the report would have us believe.
For example, the report seems to elevate the helpfulness of OCR’s
enforcement efforts in dealing with over 20,000 cases, noting that
significant improvements in the regulated community’s attention to
privacy, security and access have resulted from these undertakings,
while minimizing the compliance record of “non-covered entities” or NCEs
in the report’s parlance, highlighting a couple of horribles in the PHR
department. Well, not to put too fine a point on it, but some of the
most respected academic medical centers have had multimillion dollar
fines assessed for their HIPAA privacy and security breaches, and OCR
seems to be in the business of perennially issuing clarifications and
exhortations regarding the patient access rules. This bespeaks a
broad-based attitude towards compliance that is not necessarily better
than that of NCEs as a whole. There are good guys and bad guys in both
camps. And even the good guys are sometimes undermined by the complexity
of the rules, the complexity of the tech, human frailties, and the
devilish cleverness of the bad guys.
In addition, many NCEs, including many that I advise, have taken it
upon themselves to behave as if subject to HIPAA even though they are
not. Why? To instill confidence in their operations among at least three
distinct audiences: (a) consumers, who are more and more interested in
and concerned about the health data privacy policies and practices of
their app providers and activity tracker vendors (though, to be sure,
they could be more concerned); (b) business partners that may include
covered entities and/or business associates under HIPAA that are
sensitive to these issues even if not all of their business partners are
themselves subject to HIPAA (even by virtue of their relationships with
CEs or BAs); and (c) regulators such as the FTC who would likely be
just as impressed as OCR by a good story told by a company unfortunate
enough to experience an audit, a breach or a complaint investigation –
that good story being composed of fully implemented and documented
HIPAA-compliant policies and procedures, risk assessments, etc.
Don’t forget: There is a lot more protection in place than that afforded by the two sets of rules considered in the report.
Are there gaps? Yes: For example, as noted in the report, the FTC Act
may not regulate nonprofits or insurance companies under all
circumstances, and there is no explicit provision there guaranteeing
access. (However, on that latter point, since the FTC Act is interpreted
through case law rather than regulation, I would be surprised if an
individual right of access to records is long in coming to the world of
the FTC.)
Are there ways in which things are getting better in the absence of new legislation? Sure. For example, consider the recent collaboration between Fitbit and the Center for Democracy and Technology
that involved an examination of the Fitbit internal policies on
research. This process infused an already good process with expert
advice on data privacy and it may well expand beyond the initial scope
of the project. Given Fitbit’s status as a market leader, its efforts in
this area are likely to spur similar activity among other activity
tracker manufacturers if they wish to retain the confidence of their key
constituencies.
We will certainly revisit this issue again (and again).
David Harlow
The Harlow Group LLC
Health Care Law and Consulting
Read my award-winning blog, HealthBlawg, where a version of this post first appeared.