The American Telemedicine Association has published a set of health data privacy principles to ensure telehealth practices meet standards for patient safety, data privacy, and information security, while advancing patient access and building awareness of telehealth practices.
Key components of the health data privacy principles include:
- Consistency
- Definition of Consumer Health Data
- Health Insurance Portability and Accountability Act (HIPAA)
- Consumer Rights
- Consumer Consent, Sale of Data & Opt-Out
- Enforcement
“As states adopt privacy statutes and regulations, establishing uniformity with existing federal and other state standards would reduce both complexity of compliance and confusion for consumers and companies alike. Privacy laws should allow for innovation and the advancement of technology-assisted care,” said Kyle Zebley, senior vice president, public policy at the ATA in a statement. “The ATA supports efforts to ensure telehealth practices meet standards for patient safety, data privacy, and information security, while advancing patient access and building awareness of telehealth practices. The ATA and the ATA’s Data Work Group believe that the protection of patient data is a prerequisite for connected care and a core principle for our organization.”
Mercer May, director of government affairs at Teladoc Health, who chairs ATA’s Data Work Group’s Privacy Committee, spoke about the new principles during an Aug. 29 ATA webinar.
Speaking about consistency, he noted that 99 percent of the time, he thinks that these issues should be handled at the state level. “This is the 1 percent of time, though, that I truly do believe that a federal framework is warranted and there's one main reason for that, and that is consistency,” May said. “Putting my TelaDoc health hat aside and thinking from a patient's perspective, consistency is incredibly important because a patient wants to know what their rights are, what protections they have in law, and it shouldn't matter based on which state you're in what those protections are. So that's why I think at a very high level, a 50-state federal regulatory scheme makes a lot of sense for an issue such as data privacy.”
Speaking about consumer rights, May said, “the whole point of the ATA putting this together is so that we have a framework we can advocate for that will protect patients.” He said they are seeing states put in place a right to notice. What type of data are you collecting? What are you doing with it? “I think that's incredibly important, because it allows the patient and the consumer to know exactly what it is that is being collected about them, what the data is, and who it's being shared with,” he said.
Another issue is a right to access. Beyond what the provider organization might collect, patients want to be able to see the data and have a right to portability. “Not only do I want to see it, but I want to be able to take that data with me. It's my data and I want to be able to share it with whomever I feel is appropriate,” May said.
In addition, a right to correct is crucial, he said. “It is very important to make sure that records are sound and complete, but also correct,” he said. “Finally, a right to delete. We've seen it across the board in many omnibus privacy bills. A right to delete is an incredibly important thing because it allows me to say ‘no, I don't want my data in company X's hands anymore. I just want it gone.’ The one caveat that I'll put in here is that there are conflicting laws on medical record retention at the state and federal level. So there is a little bit of a balance that has to be put in here when it comes to a right to delete. I think we'll see how this plays out.”
Finally, May touched on enforcement. He noted that there hasn't been a lot of enforcement on this particular issue to date, and the concepts are still a little bit fuzzy. “There are a lot of gray zones here, and I think that there are a lot of folks that are out there, acting in good faith who might not be meeting the level of the legislative law. It seems as though there's a possibility that a private right of action could be abused by certain plaintiff attorneys and class action lawsuits. So for the time being, as we are very much in the early stages of these data privacy laws and enforcement, it makes sense that the state attorneys general should be the folks that are empowered to actually take enforcement actions when these privacy laws are violated.”
