Health Data Must Be Protected, CDT’s Senior Counsel Cautions
Last month, Healthcare Innovation reported on the Centers for Medicare & Medicaid Services (CMS) announcement that the White House, in collaboration with tech leaders, is committing to creating a patient-centric healthcare ecosystem. According to the news release, “The Administration’s efforts focus on two broad areas: promoting a CMS Interoperability Framework to easily and seamlessly share information between patients and providers and increasing the availability of personalized tools so that patients have the information and resources they need to make better health decisions.” Additionally, “CMS unveiled voluntary criteria for trusted, patient-centered, and practical data exchange that will be accessible for all network types—health information networks and exchanges, Electronic Health Records (EHR), and tech platforms.”
Andrew Crawford, of the nonpartisan nonprofit Center for Democracy & Technology (CDT), responded to the announcement by stating that improving health tech interoperability can reduce frustrating inefficiencies, but cautioned that health data is some of the most sensitive information people share and that it must be protected responsibly. Healthcare Innovation recently followed up with Crawford, who is a Senior Counsel with CDT’s Data and Privacy Project.
Could you talk a bit about the White House announcement on the health data initiative?
There are a couple of big principles here that they're focusing on. One is trying to relieve some burdens from patients. The kind of examples they gave during the announcement focused on alleviating administrative burdens on patients and making it easier for patients to have access to their health records.
What I want to make sure accompanies all those increased kinds of access and reduced administrative burdens is that there's still robust security and privacy protections around health data. There's no kind of governing rule set for how that health data is going to be handled by those for-profit companies. It's really on each individual consumer, each patient, to do their homework and read the privacy and the terms of use that each of those companies puts out to learn how their health data is going to be handled, what it's going to be used for.
In the announcement, when they encourage folks to engage more with those third-party apps, with the wearables, with the fitness apps, with the dietary apps, I worry that folks might not appreciate the privacy protection that their data enjoys when their doctor holds it. It’s different when it's held by an app developer, a website developer, or a device manufacturer. That's one of the concerns I had: the increased sharing without privacy principles associated with the sharing of health data with non-HIPAA-covered entities. How is the government going to be involved here? Is the federal government going to have access to a lot more health data that is being collected? If so, who in the government is going to have access to it, and how are they going to use it? I think there's just a bunch of unanswered questions in that space.
Some skeptics say that the current administration doesn't care enough about privacy. What is your impression?
I think that the announcement didn't have a lot to say about privacy and security of data. They said a lot of this would be opt-in. I'm not quite sure what elements of this are opt-in, and how all that would work. I wish there were more explanation and more information out there for all of us to digest and make better decisions about how we might or might not engage with this new initiative.
What other areas are specifically not covered by HIPAA?
HIPAA is this unique law where the data protections don't attach to the data set; they attach and apply to HIPAA-covered entities. Let's say I've got a blood work panel that I had my primary care physician do for me. When my doctor holds the results of that, HIPAA is going to apply and they're going to be able to use it to treat me. They can't use that information for anything else. I, as the patient, have the power to get access to those records, and I can, for instance, store them on an app on my phone. If the app I decide to store that record in is not offered by my doctor or an insurance company, but is from some app developer that I found in the App Store, then it’s unlikely they're going to be covered by HIPAA. They're not in the provision of healthcare. So literally the exact same record when it's held by my doctor has HIPAA privacy protections, but when it's held by a third-party app, the way that app is going to treat my data, meaning how it's going to collect it, how it's going to use it, who it might share it with, is all going to be disclosed in the terms of service and the privacy policy. Folks don't necessarily have a lot of time to read all of those. These policies can be pretty dense. They can be long. They're often written by lawyers for lawyers. It's not necessarily the easiest thing for everybody to parse through and completely understand what's happening, digest, and figure out if this is something that they are comfortable with.
Non-HIPAA-covered entities could be a wearable like a fitness tracker, a fitness app, a health or a diet app on the phone, or other more general websites.
Do you have any thoughts about solutions to this?
At the federal level, we need a comprehensive privacy law, and for it to be impactful, we have to move beyond the current notice and consent-based privacy regime.
The current burden falls on each of us as an individual customer to do our homework and figure out if the technology we interact with every day is something that we're comfortable with collecting, using, and sharing our data. We need to move beyond that in a federal comprehensive bill to something that is much more focused on collection and use limitations, and frankly, those should be focused on the specific product or service a consumer has requested. The data collection and the data ecosystem around that should be focused on providing that product or service and not really anything else, especially when it comes to sensitive data sets like health data, such as DNA, biometrics, and geolocation data. We really need some strong collection, use, and sharing limitations around those data sets. Without them, folks can at least be troubled when they learn that the app they use every day has been collecting their geolocation and sharing it with a data broker, for instance. Folks don't like that, and sometimes it can result in real harm.
There was a case out of California that involved Meta and Flo, and a jury found that user data was being shared with Meta in a way that ran against the stated policies of the app, and folks weren't happy about that, to say the least.
What are some positive developments that you are seeing?
The goals are solid. We want to make sure that folks can have access to affordable, good-quality healthcare and not spend all their time doing administrative tasks and fighting to get their records. The more information your healthcare provider has, the better the care they're going to be able to provide.
I would love to see more focus on the privacy and the security elements that need to accompany those data sets. Without rules about how that data can and can't be used, folks might be more reluctant to share their information, and that could lead to suboptimal care.
What are your thoughts on what might happen in the coming years regarding this?
I'm eager to see how it all plays out. I hope that we'll continue to move towards a federal privacy law that includes protections around sensitive data sets like health and biometric data.
We've seen versions of a comprehensive federal bill in the prior two Congresses. I'd like to see that momentum continue and hopefully get a strong bill again and hopefully have it advance through Congress and into law. And as we wait for that, I think it's important that states continue to take the lead and pass comprehensive privacy laws.
About the Author

Pietje Kobus
Pietje Kobus has an international background and experience in content management and editing. She studied journalism in the Netherlands and Communications and Creative Nonfiction in the U.S. Pietje joined Healthcare Innovation in January 2024.
