This workgroup is focused on developing the structure that our proposed privacy framework for unregulated health data will take. On our March call, the group voiced general support for moving ahead with a self-regulatory model of some kind, and therefore our April call focused on walking through a number of different self-regulatory structures.

The goal of this workgroup is to develop the content of a framework for unregulated health information. The April meetings focused on specific protections that should apply to covered data. Our upcoming meetings on May 18 and 20 will focus on exceptions to those protections. During the April meetings, the workgroup discussed on how baseline collection, use, and sharing limits of consumer health data should be addressed under the framework. There was also discussion regarding the definition developed during the March meetings. 

Health data – including health used for non-health-related purposes – is not regulated by a single national privacy framework. HIPAA is the primary federal law governing the use and disclosure of protected health information, but HIPAA covers an increasingly smaller slice of the health data pie. Other federal laws may apply, both to data regulated by HIPAA and to data outside of HIPAA’s framework, and states have their own sets of often-more-restrictive laws. In short, the current legal landscape is a patchwork of laws, sometimes overlapping (and at times conflicting), with numerous gaps in comprehensive protections.

As health data liquidity rapidly increases, collection of health and “health-ish” data has dramatically outpaced existing regulatory safeguards. There are a wide variety of new vehicles for patient-directed electronic data exchange from health care providers or health plans to entities not covered by HIPAA, in addition to a sharp rise in consumer- and patient-generated data – including from wearable and remote-monitoring devices and on-demand genetic testing services. This is leading to the ever-growing collection of identifiable and individually attributable data, as well as its mining for a diverse assortment of purposes.

Under Federal civil rights laws and the Robert T. Stafford Disaster Relief and Emergency Act (Stafford Act), FEMA, State, local, Tribal, and Territorial (SLTT) partners, and non-governmental relief and disaster assistance organizations engaged in the “distribution of supplies, the processing of applications, and other relief and assistance activities shall [accomplish these activities] in an equitable and impartial manner, without discrimination on the grounds of race, color, religion, [national origin], sex, age, disability, English proficiency, or economic status.”1 Civil rights laws and legal authorities remain in effect, and cannot be waived, during emergencies. “More than ever, it is crucial that FEMA apply our core values of compassion, integrity, fairness, and respect in service of all Americans during the unprecedented battle against COVID-19,” said FEMA Administrator, Pete Gaynor.

Read the rest of the FEMA Civil Rights Bulletin below.