The CARIN Alliance, a group of more than 60 healthcare and other stakeholders, has released the first draft of a voluntary code of conduct that entities not covered by HIPAA can self-attest to in order to access health data on behalf of consumers.
When personally identifiable health information is shared with applications, that information is considered consumer data and falls outside of the industry's current privacy and security practices under HIPAA. The CARIN code of conduct addresses how healthcare data should be handled by consumer-facing applications under Section 5(a) of the Federal Trade Commission Act, which encourages industry to develop consensus for what is meant by "unfair or deceptive acts or practices."
The CARIN code of conduct is based on the idea that third-party applications need to ensure consumers, or their authorized caregivers, provide informed, proactive consent for how their healthcare data is collected, used, and shared. The CARIN Alliance, which is managed by Leavitt Partners, is encouraging consumer platform companies to adopt the CARIN code of conduct as part of the consumer-facing application's registration and onboarding process.
The U.S. Department of Health & Human Services has recognized that there are issues surrounding how data is used by non-HIPAA entities. HHS convened an October meeting, “Data Min(d)ing: Privacy and Our Digital Identities,” which brought together industry leaders and researchers for presentations about the many ways genetic, wearable and EHR health data is being used.
For instance, James Hazel, Ph.D, J.D., a research fellow at the Center for Biomedical Ethics and Society at the Vanderbilt University Medical Center, presented his research that involved a survey of the privacy policies proffered by U.S. direct-to-consumer genetic testing companies. Beyond offering consumers the services, these companies doing the testing seek to monetize that data through partnerships with pharmaceutical companies and academic researchers. There is also value to government and law enforcement officials – to solve cold cases, for instance.
There is a patchwork of federal and state laws governing disclosure of secondary data usage to consumers, but the industry is largely left to self-regulate, he said. In his survey of 90 companies offering these genetic data services, “10 percent had no policies whatsoever,” he said. About 55 companies had genetic data policies, but there was tremendous variability in policies about collection and use. Less than half had information on the fate of the sample. In terms of secondary use, the majority of policies refer to internal uses of genetic data. However, very few addressed ownership or commercialization. And although almost all made claims to being good stewards of the data, 95 percent did not provide for notification in case of a data breach. The provisions for sharing de-identified data are even less restrictive. Hazel noted that 75 percent share it without additional consent from the consumer.
Hazel’s take-home message: “We saw variability across the industry. Also, we had a group of law students and law professors read the policies and there was widespread disagreement about what they meant,” he said. “Also, nearly every company reserves the right to change the policy at any time, and hardly any company provided for individual notice in event of a change.” He finished his presentation with a question. “What is the path forward? Additional oversight by the Federal Trade Commission? Or allowing industry efforts to take the lead before stepping in?”
The CARIN Alliance released a few prepared statements in support of the code of conduct as an important first step. Deven McGraw, former deputy director for health information privacy at the HHS Office for Civil Rights and current general counsel and chief regulatory officer of Ciitizen, said, "The HIPAA Privacy Rule's individual right of access has long been an empty promise because patients face a long, burdensome and often costly process to get their health records. APIs can be a game changer by enabling individuals, through online applications or services, to easily get their health data, use it, and share it consistent with their needs and values. But concerns about whether these applications, most of which are not covered by HIPAA, will protect the privacy and security of user's health information threaten to place more obstacles between patients and their health data. The CARIN code of conduct, which is enforceable by the FTC against commercial entities who pledge to adhere to it, could go a long way to removing those obstacles."
The CARIN Alliance said it welcomes industry feedback on this initial draft code of conduct from consumers, caregivers, and industry stakeholders which will help inform later versions. To read and comment on the CARIN code of conduct, visit https://carinalliance.com/.
