In the first quarter of 2012, two important reports on consumer privacy were issued in Washington: In February, the White House laid out a "Consumer Privacy Bill of Rights" and in March the Federal Trade Commission followed with its report, "Protecting Consumer Privacy in an Era of Rapid Change." Both documents acknowledge that most federal data privacy laws apply only to specific sectors of the economy, such as health care, education, communications and financial services. Both reports call on Congress to enact baseline consumer privacy legislation to fill the gaps and, in the interim, urge companies to voluntarily adopt best practices or model codes of conduct based on fair information practice principles.
Unfortunately, because most health care system entities -- chiefly health care providers and payers -- already are required to comply with baseline health privacy regulations enacted under HIPAA, these reports received little attention from the health care industry.
However, the two reports are in fact very relevant for health care stakeholders, for several reasons. First, the reports do not ignore health data and instead expressly recognize their sensitivity and the risks to a networked economy of failure to protect them.
Second, FTC does have regulatory authority over a number of health care system entities, and the recommendations in the FTC report provide an important signal on the FTC's thinking with respect to the adoption of sound data stewardship practices.
Third, both the FTC and the White House reports encourage all companies that are collecting, using or disclosing personal data about consumers to participate in multistakeholder processes to develop privacy codes of conduct, which will be led by the Department of Commerce's National Telecommunications and Information Administration. Health care entities' failure to participate in multistakeholder efforts relevant to the sharing of health data will exclude them from important conversations that could impact their operations and their relationships with patients.
Finally, both reports express common themes and approaches to privacy that are echoed in recent regulatory guidance targeted at the health care sector. Specifically, the Office of the National Coordinator for Health IT in March 2012 issued guidance to state health information exchange grantees requiring them to develop privacy policies and practices that go beyond mere compliance with HIPAA. This guidance is aligned in many respects with recommendations in both the FTC and White House reports. Key common themes promoted in all three documents are summarized below.
Fair Information Practices Are the Backbone of Privacy
As discussed in more detail below, all three documents include a strong role for consumer or patient choice with respect to the sharing of personal information. However, instead of relying solely on consent to protect privacy, these documents ask data holders to also commit to other elements of the fair information practices (FIPs), including:
- Expressly limiting their collection, use, disclosure and retention of personal data;
- Adopting security safeguards that enforce these limits; and
- Ensuring accountability for adherence to policies and applicable law.
Such a comprehensive approach puts the primary obligation for handling personal data responsibly on collectors and holders of personal data, rather than relying on individuals to fully comprehend all potential uses and disclosures of their personal data.
Meaningful Consent in Context
All three documents reinforce the right of patients to have choices with respect to the collection, use and disclosure of their personal data. However, the documents make clear that when specific individual consent should be required depends on the "context of the interaction" between a business and a consumer. As noted in the FTC report, "whether a practice requires choice turns on the extent to which the practice is consistent with the context of the transaction or the consumer's existing relationship with the business, or is required or specifically authorized by law."
The underlying concept, also reflected in the White House report, is that if a particular use or disclosure of consumer data is consistent with the type of service the consumer is being offered or is within the boundaries of the relationship between the business and the consumer, specific consent for that use or disclosure is not necessary. However, for data uses or disclosures that go beyond these parameters, individuals should have the right to consent.
The ONC guidance for HIEs adopts this contextual approach to consent by making a distinction between exchanges that merely facilitate the secure exchange of health information between one provider and another for treatment purposes and HIEs that store or aggregate identifiable health information. Where an HIE serves solely as a secure "information conduit," specific patient consent should not be required (unless it already is required by existing law). In the view of ONC, such sharing from one provider directly to another "is currently within patient expectations." However, "HIEs [that] store, assemble or aggregate data" beyond what might be required to securely route the information to the proper endpoints is outside of what patients typically expect and, therefore, they should have choices regarding whether their identifiable health information is exchanged (or made accessible) through the HIE.
Also of note, all three documents hold that when individuals are given the right to consent to a particular information practice, the choice must be understandable, timely, and proportionate to the scale, scope and sensitivity of the information. All three documents refer to this as "meaningful" choice.
Less Identifiable Data Presents Less Risk
All three documents target their privacy recommendations expressly at identifiable information, generally defined as information that can be linked either to an individual or to a specific computer or device. For example, ONC's guidance for HIEs applies only to "individually identifiable health information." The White House's "Consumer Privacy Bill of Rights" applies to commercial uses of "personal data," which is defined as data that are "linkable to a specific individual."
The FTC report similarly applies its framework of privacy recommendations to "all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer or other device." However, FTC takes the further step of encouraging businesses to use de-identified data by exempting from its privacy framework information that is not "reasonably" identifiable, as long as businesses using such data (1) publicly commit not to re-identify it and (2) prohibit any downstream recipients of such data from re-identifying it.
The report does not include any specific standards for how information is rendered not "reasonably" identifiable. However, the report arguably goes beyond the HIPAA Privacy Rule because it grants an exemption from FTC's privacy framework only where a business refrains from re-identifying the information and binds its downstream data recipients to the same restrictions.
The consistent approach to protecting personal data privacy reflected in these three documents represents a significant step forward in efforts to build and sustain the public's trust in a networked economy. Health care system entities focused largely on HIPAA compliance would be well served to pay attention to these cross-cutting developments.