Getty Images/iStockphoto

CDT, eHI Share Proposed Consumer Health Data Privacy Framework

The proposed consumer health data privacy framework from eHI and CDT builds on a previous release and is designed to protect health information not covered under HIPAA regulations.

The Center for Democracy & Technology and the eHealth Initiative & Foundation (eHI) released a newly proposed consumer health data privacy framework, which aims to better secure the privacy of health information that falls outside of HIPAA regulations.

The guidance outlines much-needed standards for the collection, disclosure, and use of consumer health data that falls outside of HIPAA. As previously explained by the Department of Health and Human Services, HIPAA does not apply to apps that aren't directly connected to or recommended by providers for use of data sharing, health outcomes, and the like.

Developed with support from the Robert Wood Johnson Foundation, the proposed guidance builds on an earlier release and is meant to address the increasing concerns around underprotected health data in lieu of federal privacy legislation.

These concerns have been severely heightened amid the COVID-19 response, as governments and municipalities rush to develop contract tracing apps and leverage third-party sites to support the vaccine rollout.

In fact, attacks against healthcare web apps have increased 51 percent in the last few months, with a 45 percent increase in exploit attempts against the overall sector. Malicious actors have already successful exploited a vulnerability to modify appointments.

But one of the more concerning risks are the number of privacy issues tied to mHealth apps. Previous reports have found the majority of health and mental health apps routinely share data with third-parties, without transparent policies about the process.

Just this week a damning report showed 30 of the most popular mHealth apps are vulnerable to API attacks and are riddled with privacy concerns. While these apps hold a trove of valuable, sensitive health data, the third-party platforms aren’t covered by HIPAA.

“Much of the information consumers provide through health, retail, genomics, GPS apps and online is not protected,” eHI CEO Jen Covich Bordenick, said in a statement. “While federal regulation is urgently needed, the framework and proposed self-regulatory body are a solid first step to holding companies accountable.”

“Frequently, consumers are surprised to find out how their data is used. Our proposal aims to limit use of data about physical and mental health to ways that meet consumer expectations and help organizations stay ahead of the regulatory curve,” CDT President & CEO Alexandra Reeve Givens, said in the release.

The framework is designed to support the limit of the collection, disclosure, and use of non-HIPAA-related information, in line with consumer requests and expectations. Officials said it also proposes the creation of an independent self-regulatory body, which will hold companies accountable to these standards.

The insights cover a range of data used to support conclusions or inferences about an individual’s physical or mental health and applies to a spectrum of data not covered by the federal privacy rule.

Specifically, it details the substantive standards and rationale for policy decisions, as well as the obligations for entities participating in the collection and processing of consumer health data. The guide suggests the controls needed to ensure the privacy and security of the data, as well.

The insights also highlight the needed transparency and elements for consent, in addition to some exceptions to the proposed standards.

It was designed through a collaborative effort from dozens of entities and industry leaders, including providers, health plans, hospitals, labs, privacy leaders, pharmacies, public health agencies, policymakers, employers, consumer groups, and the general public.

“Moving forward, CDT and eHI intend to continue developing the framework with a particular focus on ensuring that company practices adequately address the unique and often discriminatory uses of health-related information affecting historically marginalized communities and vulnerable populations,” added Givens.

“This is especially urgent given how the pandemic is shining a spotlight on health disparities and discriminatory uses of health-related information,” concluded Bordenick.

Next Steps

Dig Deeper on Health data access & privacy