Deven McGraw, Project HealthDesign Regulatory and Assurance Advisory Group, Center for Democracy & Technology
Project HealthDesign grantee teams have long recognized that the robust use by patients of technologies such as personal health records (PHRs) and mobile health applications to improve health and well-being depends on trust. Individuals need assurance that the personal data they collect and share using these technologies will be handled responsibly and with respect for its sensitivity. But health data collected by and shared through consumer-facing technologies is typically not covered by HIPAA or state health privacy laws.
At a roundtable on privacy and security protections for PHRs hosted by the Department of Health and Human Services (HHS) in 2010, Project HealthDesign grantees submitted testimony noting some of the privacy and security issues raised by their projects and the challenge of addressing these issues in an uncertain legal environment. Failure by policy-makers to address this uncertainty chills innovation and places obstacles in the way of widespread consumer adoption of promising health information technologies.
Specifically, the White House sets forth the following “Consumer Privacy Bill of Rights”:
- Individual Control: Consumers have a right to exercise some control over what companies collect from them and how they use it.
- Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
- Respect for Context: Companies should limit their collection, use and disclosure of personal data to those purposes consistent with the context in which consumers provided the data.
- Security: Companies should maintain reasonable safeguards to control risks such as loss, unauthorized access, and improper disclosure.
- Access and Accuracy: Companies should provide consumers with reasonable access to personal data collected about them and appropriate means to correct inaccuracies.
- Focused Collection: Companies should collect only as much personal data as they need to accomplish the purposes that are consistent with the “Respect for Context” principle.
- Accountability: Companies should be accountable to enforcement authorities and consumers for adhering to these principles.
The White House also calls on Congress to enact legislation adopting the Consumer Privacy Bill of Rights as law and providing enforcement authority to both the Federal Trade Commission (FTC) and State Attorneys General. The White House also directs the U.S. Department of Commerce to convene multi-stakeholder groups to negotiate codes of conduct that would implement the Consumer Privacy Bill of Rights in ways tailored to the privacy issues raised by specific industry sectors.
Under the legislative approach advocated by the White House, these codes of conduct, when reviewed and approved by the FTC, would become safe harbors that insulate companies that follow these codes from liability. But even if Congress does not act, these codes of conduct — when companies voluntarily follow them — can be enforced by the FTC, which already has authority to force companies to comply with privacy commitments made to consumers. The Department of Commerce is expected to begin convening multi-stakeholder groups soon to develop the codes of conduct called for in the White House report.
Entities covered by existing federal data privacy laws like HIPAA would be exempt from the new legislation. However, the White House does call for review of whether existing laws could be “simplified” to benefit both consumers and companies.
To what extent would national, consensus-based policy protecting health data collected, used and shared by commercial companies reduce barriers to more widespread adoption of consumer-facing health technologies like PHRs and mobile apps? Share your thoughts in the comments.