WANAN YOSSINGKUM/istock via Gett

eHI, CDT Partner on Consumer Privacy Framework for Health Data

Following a push to address gaps in HIPAA, eHI and CDT are collaborating on the development of a consumer privacy framework for health data not protected under the regulation.

eHealth Initiative and the Center for Democracy and Technology (CDT) are partnering on the development of a consumer privacy framework for health data not currently protected by HIPAA.

The Building a Consumer Privacy Framework for Health Data is designed to address those gaps, including those from wearable devices and informational online sites.

eHI and CDT put together a committee of leaders from healthcare, technology, advocacy groups, and consumers, including privacy experts and consumer groups, to discuss proactive steps to address health data privacy for information currently not regulated by privacy laws.

The committee will review potential approaches to address both the complexity and the right method to define that type of data, along with preferences for potential pathways moving forward. The group met earlier this week to begin work on the project.

Participants included 23andMe, Wellmark Blue Cross Blue Shield, Fitbit, Future of Privacy Forum, Microsoft, Pew Charitable Trusts, Ciitizen, Yale University, Children’s National Hospital, American Hospital Association, CVS Health, Salesforce, Under Armour, Google, and Change Healthcare, among a host of others.

“Our unique focus is evaluating ‘health-ish’ data that is not protected by HIPAA or other health privacy laws,” Jennifer Covich Bordenick, eHI CEO, said in a statement. “It’s critical that we bring a broad and inclusive array of collaborators to the table to work through some of the key concerns.”

“Consumers are increasingly skeptical of how their data is being used, with health-related data being especially sensitive” Lisa Hayes, interim co-CEO of CDT, said in a statement. “Our hope is that this framework is a first step to providing greater privacy rights and protections for consumers who want to take advantage of innovative digital health and wellness services.”

Smaller workgroups and the steering committee will meet throughout the year to develop aspects of the framework. Interested stakeholders who want more information or feedback are encouraged to do so through eHI.

The announcement comes after a growing push from industry stakeholders to address gaps in HIPAA for health data generated by consumer-chosen apps. The Department of Health and Human Services reminded covered entities in April that health apps patients select on their own are not regulated by the privacy regulation.

As a result, there’s a questions as to how well that data is protected. The privacy of health apps has been a driving push behind those wanting HHS to delay the release of its interoperability and information blocking rules, given their reliance upon APIs and health apps not covered by HIPAA.

The former Privacy Chief of the Office of the National Coordinator recently reminded the sector that it’s Congress, and not ONC, that has the authority to enact laws to protect health app data.

Congress has been working to develop privacy laws designed to protect consumer privacy and enable individuals to have more control over their data, as well as considering a federal privacy law to address the increased privacy risks of the digital age.

Next Steps

Dig Deeper on Health data access & privacy