Feedback Sought on Draft Consumer Privacy Framework for Health Data Not Covered by HIPAA

Share this article on:

The eHealth Initiative & Foundation (eHI) and the Center for Democracy and Technology (CDT) recently released a draft consumer privacy framework for health data to address gaps in legal protections for the health data of consumers that falls outside the protection of the Health Insurance Portability and Accountability Act (HIPAA).

The HIPAA Rules require healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of health data. There are restrictions on uses and disclosures of healthcare data and Americans are also given rights over how their protected health information is used, to whom that information may be disclosed, and they have the right to access their health data.

Many organizations collect, use, store, and transmit many of the data elements within the category of ‘protected health information’, yet if they are not HIPAA-covered entities or business associates of HIPAA-covered entities, HIPAA Rules will not apply.

The eHI/CDT Consumer Privacy Framework for Health Data is a voluntary, self-regulatory program “designed to hold member companies to a set of standards separately developed through a multistakeholder process” and covers consumer health data not covered by HIPAA.

The framework includes a definition of the health data which must be protected as well as the standards and rules to protect that information. The framework places limits on the amount of data collected, how health data can be used, and includes a model for holding companies accountable for data collected, used, and disclosed.

The framework requires companies to obtain affirmative express consent to collect, use, or disclose consumer health data and prohibits companies from using consumer health data for any purpose other than the reason for which the information was requested, and for which consumers gave their consent.

Notice must be provided about the information collected, used or disclosed, the purpose for data collection must be clearly stated, and if there will be any disclosures, to whom disclosures will be made. The framework also prohibits the use of consumer health information for causing harm or discrimination against an individual.

Like HIPAA, the framework calls for limits to be placed on the health information collected, disclosed or used, which should be restricted to the minimum necessary amount to achieve the purpose for which it has been collected.

The framework gives consumers rights with respect to their consumer data, including the right to access the information collected, check health information for errors, have errors collected, and have health information deleted. If technically feasible, consumers should be able to have their data transferred to another participating entity. The framework also calls for participating entities to establish and implement reasonable security policies, practices, and procedures to ensure consumer health information is protected.

eHI/CDT are seeking constructive public feedback on the Consumer Privacy Framework for Health Data. Comments will be accepted until Friday, September 25, 2020.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On