
Beyond HIPAA: A Proposed Self-Policing Framework for Digital Health Products

By Vrushab Gowda

As digital health products proliferate, app developers, hardware manufacturers, and other entities that fall outside Health Insurance Portability and Accountability Act (HIPAA) regulation are collecting vast amounts of biometric information. This burgeoning market has spurred patient privacy and data stewardship concerns.

To this end, two policy nonprofits – the Center for Democracy and Technology (CDT) and the eHealth Initiative (eHI) – earlier this month jointly published a document detailing self-regulatory guidelines for industry. The following piece traces the development of the “Proposed Consumer Privacy Framework for Health Data,” provides an overview of its provisions, and offers critical analysis.



How to Secure Our Digital Health Infrastructure Against Cyber Attacks

By Vrushab Gowda

Our health information infrastructure is highly susceptible to cyber attacks. At the time of writing, the Department of Health and Human Services (HHS) is actively investigating over 700 major breaches over the past 24 months alone.

It is incumbent upon our institutions to proactively guard against these threats, with our federal government leading the charge.



The False Dilemmas of the Fifth Circuit’s HIPAA Ruling

By Leslie Francis

In a caustic opinion issued on January 14, the Fifth Circuit vacated penalties assessed by the U.S. Department of Health and Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center for HIPAA security breaches.

As has happened to many other health care entities, M.D. Anderson had employees who were not careful with their laptops and thumb drives (and the data therein). A laptop with the unencrypted protected health care information of nearly 30,000 patients was stolen. Unencrypted thumb drives with information on another almost 6,000 patients were lost. M.D. Anderson disclosed the security breaches to HHS, which assessed civil monetary penalties for violation of HIPAA’s encryption and disclosure rules. M.D. Anderson then filed a petition for review, which resulted in the Fifth Circuit holding that the agency action was arbitrary and capricious for failure to consider an important aspect of the problem.

Commentators have already pointed out that this decision will reverberate throughout the HIPAA enforcement world. As it does, I hope it is met with scorn, for it trades on the informal logical fallacy of the false dilemma in two noteworthy ways.



Online Terms of Use for Genealogy Websites – What’s in the Fine Print?

By Jorge L. Contreras

Since genealogy websites first went online, researchers have been using the data that they contain in large-scale epidemiological and population health studies. In many cases, data is collected using automated tools and analyzed using sophisticated algorithms.

These techniques have supported a growing number of discoveries and scientific papers. For example, researchers have used this data to identify genetic markers for Alzheimer’s Disease, to trace an inherited cancer syndrome back to a single German couple born in the 1700s, and to gain a better understanding of longevity and family dispersion. In the last of these studies, researchers analyzed family trees from 86 million individual genealogy website profiles.

Despite the scientific value of publicly-available genealogy website information, and its free accessibility via the Internet, it is not always the case that this data can be used for research without the permission of the site operator or the individual data subjects.

In fact, the online terms of use (TOU) for genealogy websites may restrict or prohibit the types of uses for data found on those sites.



Do You Own Your Genetic Test Results? What About Your Temperature?

By Jorge L. Contreras

The popular direct-to-consumer genetic testing site AncestryDNA claims that “You always maintain ownership of your data.” But is this true? And, if so, what does it mean?

For more than a century, US law has held that data – objective information and facts – cannot be owned as property. Nevertheless, in recent years there have been increasing calls to recognize property interests in individual health information. Inspired by high profile data breaches and skullduggery by Facebook and others, as well as ever more frequent stories of academic research misconduct and pharmaceutical industry profiteering, many bioethicists and patient advocates, seeking to bolster personal privacy and autonomy, have argued that property rights should be recognized in health data. In addition, a new crop of would-be data intermediaries (e.g., Nebula Genomics, Genos, Invitae, LunaDNA and Hu.manity.org) has made further calls to propertize health data, presumably to profit from acting as the go-betweens in what has been estimated to be a $60-$100 billion global market in health data.