Pramote Lertnitivanit/istock via

CDT, eHI Unveil Draft Consumer Health Data Privacy Framework

Drafted in collaboration with providers, tech giants, and advocacy groups, the consumer health data privacy framework provides standards for health data not protected by HIPAA regulations.

The Center for Democracy and Technology (CDT) and eHealth Initiative and Foundation (eHI) released its draft consumer health data privacy framework designed to define data in need of protection and the rules and standards needed to protect health information not protected by HIPAA. 

The collaboration was funded by a grant through the Robert Wood Johnson Foundation. 

As noted previously by the Department of Health and Human Services, HIPAA does not regulate the health data generated by third-party apps chosen by patients, if the app developer is not tied to the provider or their business associates. 

“If the individual's app – chosen by an individual to receive the individual's requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app,” officials explained. 

In response, several groups have begun work on privacy frameworks to cover these gaps in HIPAA, while awaiting Congressional action for a federal privacy law to increase regulation of consumer-generated health data. 

The CDT- and eHI-drafted Consumer Privacy Framework for Health Data was created with input from healthcare providers, academia, tech companies, and advocacy groups as part of its Steering Committee, including 23andMe, Fitbit, Future of Privacy Forum, Microsoft, Pew Charitable Trusts, Ciitizen, Yale University, American Hospital Association, CVS Health, Google, and Change Healthcare, among others. 

The standards seek to make a shift from outdated notice and consent models, ensure all health information is regulated, and cover all entities that use, disclose, or collect consumer health information.  

The framework also includes a self-regulatory model meant to hold companies accountable to the outlined rules and standards, including third-party audits and enforcement. 

The groups stressed that the framework is not designed to replace existing comprehensive privacy legislation, but to “build consensus on best practices and to do what we can now” to shore up non-HIPAA covered health data while awaiting Congressional action. 

The model pulls from concepts used in the California Consumer Privacy Act and The General Data Protection Regulation, both seen as landmark privacy laws with some of the toughest privacy protections. 

The framework puts clear restrictions on the collection, use, and sharing of data, to remove the burden of privacy risk from consumers, outlining definitions of affirmative express consent, aggregated data, consumer health information, participating entities, de-identified data, and publicly available data. 

“It is nearly impossible for consumers to manage and understand the privacy practices for every entity that collects, uses, or shares data about their health,” Alexandra Reeve Givens, CDT CEO and President, said in a statement. 

“The draft rules we are releasing today set clear limits on the use of consumer health information and raise the bar for corporate practices around the collection and sharing of this sensitive data,” she continued. “Consumers and corporations will benefit from these enhanced privacy protections.” 

Further, regulators and oversight bodies can leverage the drafted rules to “enforce these promises” and better measure compliance. The framework also includes guidance around how consumer health information should be collected and processed, keeping privacy at the forefront, including transparent notices. 

There is also a section that covers consumer controls, empowering individuals with information about their rights in regards to their health information, as well as obligations for participating entities and permissible collection and use practices and data retention. 

CDT and eHI are asking industry stakeholders to provide feedback on the draft by Friday, September 26, 2020. 

“Momentum is building for new federal privacy legislation, but currently no bills have made significant progress toward being enacted into law,” eHI CEO Jennifer Covich Bordenick, said in a statement. “As we wait for a comprehensive law, we can and should do more to better protect consumer privacy in the interim.” 

“With the rise of wearable devices, wellness apps, and other online services, huge amounts of information reflecting users’ health are being created and held by entities who are not bound by HIPAA regulations,” Givens concluded. “We hope this framework serves as a first step to providing greater privacy rights and protections for consumers.”

Next Steps

Dig Deeper on Health data access & privacy