Trade Law Daily is a service of Warren Communications News.
Different Rules, Same Data

Data Gathered From Electronic Personal Health Services Provides Regulatory Challenges, Experts Say

Information collected by certain personal health records vendors, health-related IoT technologies and applications, and employee health services can create regulatory challenges and gray areas, especially for Health Insurance Portability and Accountability Act (HIPAA) compliance, said healthcare and technology experts Monday night during an FCBA CLE event.



Cora Han, FTC Division of Privacy and Identity Protection senior attorney, said the commission has begun to see the medical records of individuals move online more frequently, which was prompted by initiatives of the Department of Health and Human Services (HHS). Consumers are able to download their personal health records and are "increasingly generating and controlling more information outside of the traditional provider context," she said. As a result of the trend, a significant amount of data goes back and forth between provider and consumer, Han said, and while the new technology is enabling innovative services, it can raise a host of privacy and security issues, which has become a focus of the FTC.

Han said the FTC has a breach notification rule for personal health record vendors, PHR-related services and service providers, but it applies only to entities not covered by HIPAA, and only to the unencrypted electronic information they hold. "It's a fairly narrow rule, but it's possible that as things are evolving there will be more and more entities that actually fall within the scope of the rule," Han said. She said the rule can be viewed as a sister rule to HHS's breach notification rule. Consumers have some concerns about the sharing of personal health data, and worry that it might be distributed to a third party outside the realm of the health initiative and used for advertising purposes, Han said.

"When you have different copies of data that move between holders," privacy rules could depend on who is holding the data, said Michelle De Mooy, Center for Democracy and Technology consumer privacy deputy director. De Mooy said employers offering healthcare programs using electronic health devices that track data are placed in an interesting spot in terms of HIPAA compliance and data ownership. A program that doesn't meet the definition of medical care wouldn't be subject to HIPAA guidelines, so personal employee data collected under the program would be subject to the individual company's privacy policies. "In terms of personal health data, employee wellness programs pose a unique legal challenge, but also a challenge in terms of determining what's sensitive in what context and how that's able to be protected," De Mooy said. "A vast amount" of wearable companies don't have privacy policies, she said, and often have broad use and disclosure policies.

Jules Polonetsky, Future of Privacy Forum executive director, said data has been democratized, for better or worse, and PHR vendors pose an interesting challenge because some claim to be HIPAA-compliant or have similar privacy policies but aren't actually under HIPAA rules. Hosting platforms such as Apple and Google have taken off the table a lot of the controversial practices and uses of personal health data, such as advertising and marketing, and provide contracts to developers that write in privacy restrictions, he said. Hank Fanberg, Christus Health technology advocacy and innovation director, said his company won't do business with a developer that isn't compliant with HIPAA. The backlash of privacy issues will ultimately fall on the health system or provider, he said, so it's important for health companies to understand what their vendors are doing.