What Google Isn’t Saying About Your Health Records

By Adrian Gropper

Google’s semi-secret deal with Ascension is testing the limits of HIPAA as society grapples with the future impact of machine learning and artificial intelligence.

I. Glenn Cohen points out that HIPAA may not be keeping up with our methods of consent by patients and society on the ways personal data is used. Is prior consent, particularly consent from vulnerable patients seeking care, a good way to regulate secret commercial deals with their caregivers? The answer to a question is strongly influenced by how you ask the questions.

The Right Lesson from the Google-Ascension Patient Privacy Story

By I. Glenn Cohen

As has been well reported in the media, there is a controversy brewing over nonprofit hospital chain Ascension sharing millions of patient records with Google for their project codenamed “Nightingale.” (very Batman, if you ask me!) Most of the discussion so far, and the answers have not yet become pellucid, concerns whether the hospital and Google complied with HIPAA.

 

This is important, don’t get me wrong, but it is important that conversation not ignore a more important question:

ACCESS Act Points the Way to a Post-HIPAA World

By Adrian Gropper

The October 22 announcement starts with: “U.S. Sens. Mark R. Warner (D-VA), Josh Hawley (R-MO) and Richard Blumenthal (D-CT) will introduce the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, bipartisan legislation that will encourage market-based competition to dominant social media platforms by requiring the largest companies to make user data portable – and their services interoperable – with other platforms, and to allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose.”

Although the scope of this bill is limited to the largest of the data brokers (messaging, multimedia sharing, and social networking) that currently mediate between us as individuals, it contains groundbreaking provisions for delegation by users that is a road map to privacy regulations in general for the 21st century.

Diving Deeper into Amazon Alexa’s HIPAA Compliance

By Adriana Krasniansky

Earlier this year, consumer technology company Amazon made waves in health care when it announced that its Alexa Skills Kit, a suite of tools for building voice programs, would be HIPAA compliant. Using the Alexa Skills Kit, companies could build voice experiences for Amazon Echo devices that communicate personal health information with patients. 

Amazon initially limited access to its HIPAA-updated voice platform to six health care companies, ranging from pharmacy benefit managers (PBMs) to hospitals. However, Amazon plans to expand access and has identified health care as a top focus area. Given Thursday’s announcement of new Alexa-enabled wearables (earbuds, glasses, a biometric ring)—likely indicators of upcoming personal health applications—let’s dive deeper into Alexa’s HIPAA compliance and its implications for the health care industry.

Nudges or Shoves in the Secondary Use of Health Data: What is the More Desirable Approach? (Part 2)

By Marcelo Corrales Compagnucci, Janos Meszaros & Timo Minssen

This post is the second part in a two-part series about nudge theory, health data, and the U.K.’s National Data Opt-out System. You can read the first part here.

Governments are always actively trying to improve their health care systems, and the secondary use of health data is one way of reaching this goal effectively. The secondary use of health data involves the use of health care data collected for a new purpose, such as research and policy planning. This data is usually collected from hospitals and health care systems – large databases containing administrative, medical, health care, and personal data from patients.

Why Medical Device Regulation?

By Carmel Shachar

The Petrie-Flom Center’s 2020 annual conference, Innovation and Protection: The Future of Medical Device Regulation, co-sponsored by the University of Copenhagen’s Center for Advanced Studies in Biomedical Innovation Law and the University of Arizona Health Law Program, was inspired by a growing sense that there is a need to reconsider our regulatory approach to medical devices as they become increasingly complex. Not only are medical devices becoming more mechanically complex, but they are also increasingly merging with digital technologies to expand capabilities.

Devices’ increasing complexity raises questions as to whether our regulatory pathways for medical devices are appropriate for ensuring safety and efficacy. The New York Times in a May 4, 2019 Editorial Opinion indicated that they believed the answer is no—that our current regulatory system, especially the 510(k) pathway and limited post-market surveillance, risks patient lives and health. The European Council is implementing new medical device regulations in May 2020 and 2022 to address similar concerns around safety and effectiveness in the EU. Both American and European regulators are struggling to find the best way to oversee the new hybrid medical devices that incorporate both hardware and software, as well as stand-alone algorithms.

Do You Own Your Genetic Test Results? What About Your Temperature?

By Jorge L. Contreras

The popular direct-to-consumer genetic testing site AncestryDNA claims that “You always maintain ownership of your data.” But is this true?  And, if so, what does it mean?

For more than a century, US law has held that data – objective information and facts – cannot be owned as property. Nevertheless, in recent years there have been increasing calls to recognize property interests in individual health information. Inspired by high profile data breaches and skullduggery by Facebook and others, as well as ever more frequent stories of academic research misconduct and pharmaceutical industry profiteering, many bioethicists and patient advocates, seeking to bolster personal privacy and autonomy, have argued that property rights should be recognized in health data. In addition, a new crop of would-be data intermediaries (e.g., Nebula Genomics, Genos, Invitae, LunaDNA and Hu.manity.org) has made further calls to propertize health data, presumably to profit from acting as the go-betweens in what has been estimated to be a $60-$100 billion global market in health data.

Nobody Reads the Terms and Conditions: A Digital Advanced Directive Might Be Our Solution

Could Facebook know your menstruation cycle?

In a recent Op-ed Piece, “You Just Clicked Yes. But, Do you Know Terms and Conditions of that Health App?,” I proposed that a mix of factors have given rise to the need to regulate web-based health services and apps. Since most of these applications do not fall under the Health Insurance Portability and Accountability Act (HIPAA), few people actually read through the Terms and Conditions, and also, the explosive growth of web-based health applications, the need for solutions is dire.

What We Lost When We Lost Google ATEAC

By Joanna Bryson

In a few weeks, the Advanced Technology External Advisory Council (ATEAC) was scheduled to come together for its first meeting. At that meeting, we were expected to “stress test” a proposed face recognition technology policy. “We were going to dedicate an entire day to it” (at least 1/4 the time they expected to get out of us.) The people I talked to at Google seemed profoundly disturbed by what “face recognition” could do. It’s not the first time I’ve heard that kind of deep concern – I’ve also heard it in completely unrelated one-on-one settings from a very diverse set of academics whose only commonality was working at the interface of machine learning and human computer interaction (HCI). It isn’t just face recognition. It’s body posture, acoustics of speech and laughter, the way a pen is used on a tablet, and (famously) text. Privacy isn’t over, but it will never again be present in society without serious, deliberate, coordinated defense.

What Should Happen to our Medical Records When We Die?

By Jon Cornwall

In the next 200 years, at least 20 billion people will die. A good proportion of these people are going to have electronic medical records, and that begs the question: what are we going to do with all this posthumous medical data? Despite the seemingly logical and inevitable application of medical data from deceased persons for research and healthcare both now and in the future, the issue of how best to manage posthumous medical records is currently unclear.

Presently, large medical data sets do exist and have their own uses, though largely these are data sets containing ‘anonymous’ data. In the future, if medicine is to deliver on the promise of truly ‘personalized’ medicine, then electronic medical records will potentially have increasing value and relevance for our generations of descendants. This will, however, entail the public having to consider how much privacy and anonymity they are willing to part with in regard to information arising from their medical records. After all, enabling our medical records with the power to influence personalized medicine for our descendants cannot happen without knowing who we, or our descendants, actually are.