Health Information Portability and Accountability Act
Subscribe to Health Information Portability and Accountability Act's Posts

Consumer Health Information Update from Both Sides of the Atlantic

As we reported in May 2014, the Federal Trade Commission (FTC) convened stakeholders to explore whether health-related information collected from and about consumers — known as consumer-generated health information (CHI) — through use of the internet and increasingly-popular lifestyle and fitness mobile apps is more sensitive and in need of more privacy-sensitive treatment than other consumer-generated data.

One of the key questions raised during the FTC’s CHI seminar is: “what is consumer health information”?  Information gathered during traditional medical encounters is clearly health-related.  Information gathered from mobile apps designed as sophisticated diagnostic tools also is clearly health-related — and may even be “Protected Health Information,” as defined and regulated by Health Information Portability and Accountability Act (HIPAA), depending on the interplay of the app and the health care provider or payor community.  But, other information, such as diet and exercise, may be viewed by some as wellness or consumer preference data (for example, the types of foods purchased).  Other information (e.g., shopping habits) may not look like health information but, when aggregated with other information generated by and collected from consumers, may become health-related information.  Information, therefore, may be “health information,” and may be more sensitive as such, depending on (i) the individual from whom it is collected, (ii) the context in which it is initially collected; (iii) the other information which it is combined; (iv) the purpose for which the information was initially collected; and (v) the downstream uses of the information.

Notably, the FTC is not the only regulatory body struggling with how to define CHI.  On February 5, 2015, the European Union’s Article 29 Working Party (an EU representative body tasked with advising EU Member States on data protection) published a letter in response to a request from the European Commission to clarify the definitional scope of “data concerning health in relation to lifestyle and wellbeing apps.”

The EU’s efforts to define CHI underscore the importance of understanding CHI.  The EU and the U.S. data privacy and security regimes differ fundamentally in that the EU regime broadly protects personally identifiable information.  The US does not currently provide universal protections for personally identifiable information.  The U.S. approach varies by jurisdiction and type of information and does not uniformly regulate the mobile app industry or the CHI captured by such apps.  These different regulatory regimes make the EU’s struggle to define the precise scope and definition of “lifestyle and wellbeing” data (CHI) and develop best practices going forward all the more striking because, even absent such a definition, the EU privacy regime would offer protections.

The Article 29 Working Party letter acknowledges the European Commission’s work to date, including the European Commission’s “Green Paper on Mobile Health,” which emphasized the need for strong privacy and security protections, transparency – particularly with respect to how CHI interoperates with big data  – and the need for specific legislation on CHI-related  apps or regulatory guidance that will promote “the safety and performance of lifestyle and wellbeing apps.”  But, [...]

Continue Reading




Incorporating Risk Analysis Into Your HIPAA Strategy

In building a stout privacy and security compliance program that would stand up well to federal HIPAA audits, proactive healthcare organizations are generally rewarded when it comes to data breach avoidance and remediation. But an important piece of that equation is performing consistent risk analyses.

McDermott partner, Edward Zacharias, was interviewed by HealthITSecurity to discuss these topics and more.

Read the full interview.




Thinking Outside the HIPAA Box

On Wednesday, May 7, the Federal Trade Commission (FTC) held the third of its Spring Seminars on emerging consumer privacy issues.  This session focused on consumer-generated health information (CHI).  CHI is data generated by consumers’ use of the Internet and mobile apps that relates to an individual’s health.  The “H” in CHI defies easy definition but likely includes, at minimum, data generated from internet or mobile app activity related to seeking information about specific conditions, disease/ medical condition management tools, support and shared experiences through online communities or tools for tracking diet, exercise or other lifestyle data.

In the United States, many consumers (mistakenly) believe that all of their health-related information is protected, at the federal level, by the Health Information Portability and Accountability Act (HIPAA).  HIPAA does offer broad privacy protections to health-related information, but only to identifiable health information received by or on behalf of a “covered entity” or a third party working for a covered entity.  Covered entities are, essentially, health plans and health care providers who engage in reimbursement transactions with health plans (referred to as “Protected Health Information” or “PHI”). When HIPAA was enacted in 1996, PHI was the primary type of health information, but CHI, which is generally not also PHI, has changed that.  As FTC Commissioner Julie Brill noted her in her opening remarks, CHI is “health data stored outside the HIPAA silo.”

Without the limitations imposed by HIPAA, online service providers and mobile apps generally (except where state law requires differently) can treat CHI like other digital non-health data that they collect from consumers.  As a result, the FTC expressed concerned that CHI may be aggregated, shared and linked in ways that consumers did not foresee and may not understand.

The panelists at the FTC discussed the difficulty in defining CHI, and whether and how it is different from other kinds of data collected from consumers.  One panelist noted that whether a consumer considers his or her CHI sensitive is highly individualized.  For example, are the heart rate and exercise data collected by mobile fitness apps sensitive? Would the answer to this question change if these data points were linked with other data points that began to suggest other health or wellness indicators, just as weight?  Would the answer change if that linked data was used to predict socioeconomic status that is often linked to certain health, wellness and lifestyle indicators or used to inform risk rating or direct to consumer targeted advertising?

Panelists also discussed the larger and more general question of how to define privacy in a digital economy and how to balance privacy with the recognized benefits of data aggregation and data sharing.  These questions are compounded by the difficulty of describing data as being anonymized or de-identified – foundational principles in most privacy frameworks – because the quality of being “identifiable” in the digital economy may depend on the proximity of a piece of data to other pieces of data.

Though the “how” and “what” of additional [...]

Continue Reading




STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021