Could 2011 Be a Big Year for Consumer Privacy?

Deven McGraw, Health Privacy Project Director, Center for Democracy & Technology

A number of developments at the end of 2010 suggest that 2011 could be an important year in the advancement of consumer personal information protections, which would include health information protections.

• The Department of Health and Human Services (HHS) Office of the National Coordinator (ONC) hosted a day-long roundtable, “Personal Health Records – Understanding the Evolving Landscape,” on December 3, 2010. The roundtable explored the current state and evolving nature of personal health records (PHRs), the value of PHRs to consumers, and privacy and security protections for PHRs.
  
  Three Project HealthDesign principal investigators submitted to the ONC comments demonstrating that a lack of comprehensive protections on PHR data, uncertain application of the law and failure of current law to keep up with technological innovation all hinder progress toward innovative care approaches that leverage innovations in information technology. This testimony will inform a congressionally mandated report on privacy and security protections for entities not covered by HIPAA (which includes many PHRs); this HHS PHR report is expected to be issued in 2011.

• Two days before the PHR Roundtable, the Federal Trade Commission (FTC) issued a comprehensive report on consumer privacy, “Protecting Consumer Privacy in an Era of Rapid Change.” The report was based in part on a series of public roundtables the FTC hosted in 2009 and 2010. In the report, the FTC notes the growing collection of consumer personal data (particularly on the Internet), consumers’ limited understanding of data collection practices and inability to make meaningful choices about them, the importance of privacy to consumers, the significant benefits that result from the increased flow of consumer data, and the blurring distinction online between personally identifiable information and information purported to be “anonymous” or de-identified.
  
  In response, they proposed a new framework for addressing the use of consumer data, both online and offline. This framework has three main components:
  1. Businesses should embrace a full complement of fair information practices and build consumer privacy protections into their everyday business practices (also known as “privacy by design”).
  2. Consumers should have more simplified, streamlined choices about how their data is accessed, used and disclosed.
  3. Businesses should increase the transparency of their data practices.

          The FTC is accepting comments on this report until February 18, 2011.

• Two weeks after the FTC released its consumer privacy report, the U.S. Department of Commerce (DoC) released its own report, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.” This report calls for the U.S. to improve its privacy protection framework and better align itself with global data protection initiatives. DoC also calls for a framework based on a full set of fair information practice principles. Those principles would then be used to create industry-specific codes of conduct that would be developed through negotiations with multiple stakeholders.
  
  The report recommends that any new commercial data privacy framework not conflict with existing laws that provide important protections, such as laws governing the health industry and the financial sector. The report also called for “nationally consistent” security breach notification laws.
  
  DoC is accepting comments on this report until January 28, 2011. Submit comments via e-mail.

At a minimum, these reports indicate a renewed federal focus on privacy protections for consumer data. The reports also suggest that privacy initiatives could garner congressional attention, and that the private sector could also become more engaged in developing strong, voluntary codes of conduct. All of this activity is occurring just as the HITECH meaningful use incentive program begins in earnest, ensuring that a focus on the use and protection of personal health data will remain front and center in 2011.