eHI and CDT Collaborate to Develop Consumer Privacy Framework for Health Data not Covered by HIPAA

The eHealth Initiative (eHI) and the Center for Democracy & Technology (CDT) have joined forces to develop a new consumer privacy framework for health data not covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules.

Personally identifiable health data collected, stored, maintained, processed, or transmitted by HIPAA-covered entities and their business associates is subject to the protections of the HIPAA Privacy and Security Rules. If the same data is collected, stored, maintained, processed, or transmitted by an entity that is not covered by HIPAA, those protections are not required by law.

Currently, health data is collected, stored, and transmitted by health and wellness apps, wearable devices, and informational health websites, but without HIPAA-like protections, the privacy of consumer health data is put at risk.

eHI and CDT have received funding for the new initiative, Building a Consumer Privacy Framework for Health Data, from the Robert Wood Johnson Foundation. They have already formed a Steering Committee for Consumer Health Privacy consisting of experts and leaders from healthcare, technology, privacy advocacy groups, and consumer groups. The Steering Committee will discuss the steps required to ensure the privacy of health data not covered by HIPAA privacy laws and will review various approaches to deal with the complexities of protecting non-HIPAA-covered health data.

“Our unique focus is evaluating ‘health-ish’ data that is not protected by HIPAA or other health privacy laws,” explained Jennifer Covich Bordenick, Chief Executive Officer of eHI. “It is critical that we bring a broad and inclusive array of collaborators to the table to work through some of the key concerns.”

The first meeting of the Steering Committee took place in Washington, DC, on February 11, 2019, and was attended by a diverse group of participants including 23andMe, American College of Physicians, American Hospital Association, American Medical Association, Ascension, Change Healthcare, Electronic Frontier Foundation, Elektra Labs, Fitbit, Future of Privacy Forum, Hispanic Technology and Telecom Partnership, Hogan Lovells, Microsoft, National Partnership for Women & Families, Salesforce, Under Armour, UnitedHealth Group, Waldo Law Offices, Wellmark Blue Cross and Blue Shield, and Yale University.

Further Steering Committee meetings will take place throughout 2020, and smaller workgroups will be formed to work on specific aspects of the privacy framework. eHI and CDT are encouraging privacy experts, consumer groups, and companies that manage wearable, genomic, and social media data to engage with the project.

“Consumers are increasingly skeptical of how their data is being used, with health-related data being especially sensitive,” said Lisa Hayes, Interim Co-Chief Executive Officer of CDT. “Our hope is that this framework is a first step to providing greater privacy rights and protections for consumers who want to take advantage of innovative digital health and wellness services.”

Author: Steve Alder has many years of experience as a journalist and comes from a background in market research. He is a specialist in legal and regulatory affairs and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.