About that Non-HIPAA Health Data - eHI and EDT Propose Self Regulatory Framework

eHealth Initiative and the Center for Democracy and Technology propose a suggested self-regulatory framework for best practices on handling non-HIPAA covered health data. Key principles:

Definitions:

  • Aggregated data and de-identified data - uses definitions similar to those in the CCPA, requiring a public commitment not to re-identify and contractual obligations to prevent re-identification.
  • Health data is defined broadly to cover all data that a participant collects, shares, or uses for health purposes. It includes certain sensitive health topics such as biometrics, disability, sexual orientation, substance abuse, etc. There is no carve-out for employee data.
  • Publicly available information is defined more broadly than in the CCPA to also include: (a) video, audio, or internet content published in compliance with the host site’s terms of use and available to the general public on an unrestricted basis; (b) content a news media organization publishes to the general public on an unrestricted basis; and (c) information for which access requires a log-in, or a fee of no more than $20 per month or per transaction.

Notice:

Participating entities are required to publicly provide a notice to the individuals which includes:

  • the type of information collected;
  • the purpose;
  • the names of all entities/recipients to which information will be disclosed/sold;
  • the reason for the disclosure;
  • how the privacy policies may change, and the rights of the individuals.

Another, more detailed notice is also required, which includes additional provisions such as security practices.

Consent:

  • Affirmative consent is required for the collection and use of health data.
  • New consent is required for new purposes.
  • Consent must be voluntary and cannot be conditioned; cannot be inferred from consumer inaction and must follow a thorough presentation of information.
  • Consent must be revocable.

Consumer Rights:

  • Entities must provide individuals with a free, clear, and easy process for requesting access, correction and deletion of health information.
  • Data portability: Where technically feasible, a participating entity shall make available a reasonable means for a consumer to transmit or transfer their health information that is retained by the participating entity to another participating entity in a structured, standardized, and machine-readable interoperable format.

Enforcement / Carveouts:

  • To the extent that any participating entity’s collection, disclosure, or use of consumer health information is already governed by Federal, State, and Municipal laws or regulations, those legal obligations are not affected by this framework.
  • Purpose limitation: Participating entities must collect, disclose, or use consumer health information only for the purpose for which the data was originally collected, disclosed, or used.
  • Data minimization: Entities must limit the amount of consumer health information collected, disclosed, or used to only what is necessary to provide the product or feature the consumer has requested.
  • Entities must take reasonable efforts to ensure that the third parties and service providers with whom they share consumer health information meet the obligations of this framework.

This is meant to curb some current behavioral advertising and commercial product development activities that do not avail themselves of one of the other exceptions like the use of de-identified data.

  • Retention limitation: Entities must maintain consumer health information for a period of time only as long as necessary to carry out the purpose(s) for which the consumer health information was collected; they must delete all consumer health information once there is no longer a valid reason to retain it.

Prohibition on Discrimination:

  • A participating entity must not collect, disclose, or use consumer health information when making eligibility determinations around housing, employment, healthcare, and other critical determinations.
  • A participating entity must ensure equal access and accommodation considerations when collecting, disclosing, or using consumer health information.

Security Measures:

A participating entity must establish and implement reasonable information security policies, practices, and procedures for the protection of consumer health information, taking into consideration:

  • The nature, scope, and complexity of the activities engaged in by such participating entity;
  • The sensitivity of any consumer health information at issue;
  • The current state of the art in administrative, technical, and physical safeguards for protecting such information; and
  • The cost of implementing such administrative, technical, and physical safeguards.

These terms are borrowed directly from Art. 32 of the GDPR, but the framework adds specific requirements, including:

  • A written security policy with respect to the processing of such consumer health information.
  • The identification of an officer or other individual as the point of contact with responsibility for the management of information security.
  • A process for identifying and assessing reasonably foreseeable security vulnerabilities.
  • A process for taking action designed to mitigate against vulnerabilities.
  • A process for determining if consumer health information is no longer needed and disposing of consumer health information.
  • A process for overseeing persons who have access to consumer health information.
  • A process for employee training and supervision for implementation of the policies, practices, and procedures.
  • A written plan or protocol for internal and public response in the event of a breach of security.

The framework makes certain exceptions for research, emergencies, compliance with law, detection of fraud etc.

More articles from Odia Kagan