“What we need is more regulation . . . .”
We are awash in digital health data, and we are awash in multiple regulatory schemas designed to protect the privacy and security of, and appropriate access to, all this data. Some of it is “traditional” health care data governed by the familiar patchwork of federal and state statutes and regulations (rhymes with “HIPAA”). Some of it is the product of new consumer health tracker devices and apps that HIPAA does not reach (except where a health care provider or insurer furnishes the device or app to individuals). The privacy and security of much of the health data not governed by HIPAA are addressed instead through the oversight of the FTC (and cognate state agencies), with a twist: while most specific federal and state health data privacy and security rules are spelled out in detail, the FTC takes a different approach, enforcing case by case under its general consumer protection authority, which bars unfair or deceptive business practices. (There is also the FTC breach notification rule, which parallels the HIPAA breach notification rule but applies to PHRs offered by non-covered entities.) An alphabet soup of other agencies, statutes and frameworks has overlapping jurisdiction over these issues as well.

ONC recently issued a report to Congress (and shared it on its blog), prepared in collaboration with OCR and the FTC and entitled Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA. The report considers HIPAA, the FTC Act and something called FIPPS, the Fair Information Practice Principles, but does not examine the interplay with state law or with other related federal regulatory structures such as FCRA, COPPA, GLBA and FERPA. FIPPS, by the way, is an overarching statement of principles regarding the privacy, security and accessibility of personal data, dating back to HEW (!) in 1973, including things not necessarily provided for by law, and for health data most recently pulled together in the 2008 ONC Privacy & Security Framework. These principles are:
- Individual access
- Openness and transparency
- Individual choice
- Collection, use and disclosure limitation
- Data quality and integrity
The report is a useful summary of the current state of HIPAA, the FTC Act, the FTC breach notification rule, and FIPPS. It identifies the gaps in coverage that, in an ideal world, Congress would patch, or would even close through a broader rip-and-replace, enacting a comprehensive health data privacy, security and access schema that integrates, under a single approach, PHI governed by HIPAA, data practices covered by the FTC Act, and everything in between and beyond. Don’t hold your breath. Aside from the current congressional logjam, gridlock, or whatever your preferred metaphor may be, consider the fact that we are now embarking upon the general election season, which tends to add an additional layer of grandstanding and substantive paralysis to the usual fever dreams of the Potomac. Consider, too, that in the 43 years folks have been thinking about FIPPS (HEW! That really got to me), we have largely confined ourselves to thinking about FIPPS.

The ONC Privacy & Security Framework is reiterated in the ONC’s Interoperability Roadmap, a recently issued ten-year roadmap to a goal that many believe should have been realized as part of implementing the Meaningful Use program (enacted as part of the HITECH Act, which also updated HIPAA and added the FTC breach notification rule requirements). Yes, there is greater awareness of the burgeoning volume of health data (HIPAA-regulated PHI and other); there is a growing belief that improving health status and reducing health care costs may well be accelerated by value-based care systems that rely in part on patient-generated data and a network of digital activity trackers; and there is growing concern that the complexity of health data privacy regulation leaves many of us unprotected in a variety of contexts. I think I am more realist than pessimist when I conclude that, however well-founded these concerns and proposals may be, comprehensive, sensible Congressional action in this realm is not imminent.
Things are both better and worse than the authors of the report would have us believe. For example, the report seems to elevate the helpfulness of OCR’s enforcement efforts in dealing with over 20,000 cases, noting that significant improvements in the regulated community’s attention to privacy, security, and access have resulted from these undertakings, while minimizing the compliance record of “non-covered entities,” or NCEs in the report’s parlance, and highlighting a couple of horror stories in the PHR department. Well, not to put too fine a point on it, but some of the most respected academic medical centers have had multimillion-dollar fines assessed for their HIPAA privacy and security breaches, and OCR seems to be in the business of perennially issuing clarifications and exhortations regarding the patient access rules. This bespeaks a broad-based attitude toward compliance among covered entities that is not necessarily better than that of NCEs as a whole. There are good guys and bad guys in both camps. And even the good guys are sometimes undermined by the complexity of the rules, the complexity of the tech, human frailties, and the devilish cleverness of the bad guys. In addition, many NCEs, including many that I advise, have taken it upon themselves to behave as if subject to HIPAA even though they are not. Why?
To instill confidence in their operations among at least three distinct audiences: (a) consumers, who are more and more interested in and concerned about the health data privacy policies and practices of their app providers and activity tracker vendors (though, to be sure, they could be more concerned); (b) business partners, including HIPAA covered entities and business associates, which are sensitive to these issues even when their own business partners are not themselves subject to HIPAA (not even by virtue of their relationships with CEs or BAs); and (c) regulators such as the FTC, who would likely be just as impressed as OCR by a good story told by a company unfortunate enough to experience an audit, a breach or a complaint investigation, that good story being composed of fully implemented and documented HIPAA-compliant policies and procedures, risk assessments, and so on. Don’t forget: there is a lot more protection in place than that afforded by the two sets of rules considered in the report. Are there gaps? Yes. For example, as noted in the report, the FTC Act may not reach nonprofits or insurance companies under all circumstances, and it contains no explicit provision guaranteeing individual access. (On that latter point, however, since the FTC Act is interpreted through case law rather than regulation, I would be surprised if an individual right of access to records is long in coming to the world of the FTC.) Are there ways in which things are getting better in the absence of new legislation? Sure. For example, consider the recent collaboration between Fitbit and the Center for Democracy and Technology, which involved an examination of Fitbit’s internal policies on research. This process infused an already good process with expert advice on data privacy, and it may well expand beyond the initial scope of the project.
Given Fitbit’s status as a market leader, its efforts in this area are likely to spur similar activity among other activity tracker manufacturers if they wish to retain the confidence of their key constituencies. We will certainly revisit this issue again (and again).