CDT and EHI Release Proposed Consumer Privacy Framework for Unprotected Health Data


February 9, 2021

The Center for Democracy & Technology (CDT) and the Executives for Health Innovation (EHI), formerly eHealth Initiative (eHI), with generous support from the Robert Wood Johnson Foundation, have released a proposed Consumer Privacy Framework for Health Data. The Framework responds to increasing concerns about the use of underprotected health data in the absence of federal privacy legislation, an issue magnified by the COVID-19 pandemic.

“Much of the information consumers provide through health, retail, genomics, GPS apps and online is not protected. While federal regulation is urgently needed, the Framework and proposed self-regulatory body are a solid first step to holding companies accountable,” says EHI CEO Jen Covich Bordenick.

CDT President & CEO Alexandra Reeve Givens says, “Frequently, consumers are surprised to find out how their data is used. Our proposal aims to limit use of data about physical and mental health to ways that meet consumer expectations and help organizations stay ahead of the regulatory curve.”

The proposed Framework sets much-needed standards around the collection, disclosure, and use of health data that falls outside the protection of the Health Insurance Portability and Accountability Act (HIPAA), and aims to limit these practices to purposes consistent with consumer requests and expectations. It also proposes an independent self-regulatory body to hold member companies accountable to those standards.

Katherine Hempstead, senior policy adviser at RWJF, which provided funding for the study, said, “Given the lack of federal legislation, the Framework is an important building block toward strengthening consumer privacy.”

The Framework covers a wide range of information used to make inferences or conclusions about a person’s physical or mental health and applies to a spectrum of non-HIPAA-covered entities that collect, disclose, or use consumer health information.

The Framework builds on an earlier draft proposal and is the culmination of a year-long collaborative process that involved dozens of organizations and experts, including clinicians, consumer groups, employers, health plans, hospitals, laboratories, privacy experts, pharmacies, public health agencies, policymakers, and the general public.

“Moving forward, CDT and EHI intend to continue developing the Framework with a particular focus on ensuring that company practices adequately address the unique and often discriminatory uses of health-related information affecting historically marginalized communities and vulnerable populations,” says Givens.

“This is especially urgent given how the pandemic is shining a spotlight on health disparities and discriminatory uses of health-related information,” adds Bordenick.

Download the Phase Two Report: The Case for Accountability: Protecting Health Data Outside the Healthcare System