By Vrushab Gowda
As digital health products proliferate, app developers, hardware manufacturers, and other entities that fall outside Health Insurance Portability and Accountability Act (HIPAA) regulation are collecting vast amounts of biometric information. This burgeoning market has spurred patient privacy and data stewardship concerns.
To this end, two policy nonprofits – the Center for Democracy and Technology (CDT) and the eHealth Initiative (eHI) – earlier this month jointly published a document detailing self-regulatory guidelines for industry. The following piece traces the development of the “Proposed Consumer Privacy Framework for Health Data,” provides an overview of its provisions, and offers critical analysis.
Currents in Data Regulation
The Framework was foreshadowed by two ongoing phenomena.
As a consequence of the widening gap between HIPAA-covered entities and a plethora of new players handling large quantities of health information, some jurisdictions have taken matters into their own hands. The European Union and California, by means of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), respectively, have brought a wide swath of developers under their ambit. Others are close on their heels – the Virginia legislature passed a CCPA-inspired bill last week, which is set to come into force in 2023.
Separately, the federal government has recently moved to implement the interoperability provisions of the 21st Century Cures Act, issuing regulations that promote data sharing without adding consumer privacy safeguards to match. The Centers for Medicare and Medicaid Services (CMS) now requires the payers it regulates to make enrollees’ clinical and claims data available, through standardized interfaces, to the health apps those enrollees choose. In the same vein, the Office of the National Coordinator for Health Information Technology (ONC) bars providers and health information technology developers from engaging in “information blocking,” under threat of civil monetary penalties. The net effect is that more health data flows to apps that sit outside HIPAA, with no corresponding rule governing what those apps may do with it.
Likely in response to these twin trends, CDT and eHI established a steering committee to explore non-governmental alternatives to federal oversight, attracting a broad set of stakeholders including 23andMe, the American College of Physicians, Fitbit, Google, and Microsoft, among others. This committee convened at multiple points over the course of 2020 to develop the contours of the Framework ahead of its February 2021 release.
A Look Under the Hood
Through the Framework, CDT and eHI sought to provide a set of flexible, technology-neutral guidelines designed to keep pace with rapidly changing industry developments. The aim was to cabin the hitherto minimally restricted use of health information while also mitigating future regulatory risk for industry, promoting industry-wide uniformity, and safeguarding consumer privacy.
Broadly speaking, the Framework consists of two major components.
First, it begins with an extended definitional section outlining the bounds of key terms. It adopts an expansive construction of “health data,” à la GDPR and CCPA, which extends to information reflective of racial/ethnic origin, sexual orientation, and biometric features. The Framework further treats “de-identified data” as remaining de-identified only so long as the developer publicly commits not to attempt re-identification and contractually binds any third-party recipients to the same restriction.
Second, it establishes a series of substantive parameters for health data management. The Framework requires participating entities to adhere to delineated security policies; to permit consumers to access, correct, and delete their health information upon request (and to provide an explanation when this is not possible); and to share data with consumers in a standardized, readily interoperable format.
Additionally, it advocates for extensive notice and consent procedures, including disclosure of the type of data in question and the rationale for collecting it, alongside a list of recipients and data retention policies. All of these measures are to be presented in a clear, conspicuous, and easily understandable format.
The Framework aims to chart a middle course between the rather lax contemporary regime of federal consumer data regulation and the more stringent provisions of GDPR and the CCPA. How to operationalize this consensus standard is another matter entirely.
Generating widespread industry compliance may prove a practical stumbling block; some enforcement mechanism is needed to give the Framework a measure of heft, lest its provisions remain mere recommendations. CDT and eHI should issue an imprimatur to companies that have adopted the Framework and satisfactorily maintain its standards.
However, it is unclear whether either body – each a nonprofit with programming spanning the broader technology space – has the financial wherewithal, capacity, or mission to administer such a program. The pre-approval inspection, routine monitoring, and periodic auditing necessary to make such a seal meaningful demand a dedicated structure suited to the task. CDT and eHI would be well advised to delegate this duty to a new organization altogether, or better yet, to carry it out in conjunction with an established standards or accreditation body, such as ISO or ANSI.
Ultimately, the Framework is a stopgap pending comprehensive federal action, a fact expressly acknowledged by the CEO of eHI herself. Further regulation of consumer health data will likely require legislative authority. But until then, the Framework represents a promising move towards ensuring privacy, transparency, and ethical use of sensitive information in a fast-growing space.