The Center for Democracy & Technology (CDT) and the Executives for Health Innovation (EHI), formerly eHealth Initiative (eHI), with generous support from the Robert Wood Johnson Foundation have released a proposed Consumer Privacy Framework for Health Data. The Framework responds to increasing concerns about the use of underprotected health data in the absence of federal privacy legislation, an issue magnified by the COVID-19 pandemic.

“Much of the information consumers provide through health, retail, genomics, GPS apps and online is not protected. While federal regulation is urgently needed, the Framework and proposed self-regulatory body are a solid first step to holding companies accountable,” says EHI CEO Jen Covich Bordenick.

CDT President & CEO Alexandra Reeve Givens says, “Frequently, consumers are surprised to find out how their data is used. Our proposal aims to limit use of data about physical and mental health to ways that meet consumer expectations and help organizations stay ahead of the regulatory curve.”

The proposed Framework sets much-needed standards around the collection, disclosure, and use of health data that falls outside the protection of the Health Insurance Portability and Accountability Act (HIPAA), and aims to limit these practices to purposes consistent with consumer requests and expectations. It also proposes an independent self-regulatory body to hold member companies accountable to those standards.

Katherine Hempstead, senior policy adviser at RWJF, which provided funding for the study, said “Given the lack of federal legislation, the Framework is an important building block toward strengthening consumer privacy.”

The Framework covers a wide range of information used to make inferences or conclusions about a person’s physical or mental health and applies to a spectrum of non-HIPAA-covered entities that collect, disclose, or use consumer health information.

The Framework builds on an earlier draft proposal and is the culmination of a year-long collaborative process that involved dozens of organizations and experts, including clinicians, consumer groups, employers, health plans, hospitals, laboratories, privacy experts, pharmacies, public health agencies, policymakers, and the general public.

“Moving forward, CDT and EHI intend to continue developing the Framework with a particular focus on ensuring that company practices adequately address the unique and often discriminatory uses of health-related information affecting historically marginalized communities and vulnerable populations,” says Givens.

“This is especially urgent given how the pandemic is shining a spotlight on health disparities and discriminatory uses of health-related information,” adds Bordenick.

Download the Phase Two Report: The Case for Accountability: Protecting Health Data Outside the Healthcare System »

eHealth Initiative & Foundation (eHI) released a report in partnership with the Health Care business of LexisNexis Risk Solutions entitled Assessing eHI’s Guiding Principles for Ethical Use of SDOH Data During COVID-19: Examples from the Field. The report describes the ways in which stakeholders collect and utilize social determinants of health (SDOH) data to create targeted interventions for vulnerable populations. 

In 2019, eHI released the Guiding Principles for Ethical Use of Social Determinants of Health Data, which proposed recommendations for the ethical use of SDOH data by healthcare organizations. Today’s report delivers findings from a panel of experts convened from government, health care providers, and community-based organizations, who each presented examples of how the five guiding principles were applied during the COVID-19 pandemic. 

The five guiding principles involve how to ethically:

• Employ SDOH in care coordination
• Recognize risk through analytics
• Map resources and identify gaps
• Assess impact
• Customize interventions and allow individuals to determine the best fit

The report emphasizes the importance of applying the Guiding Principles in ways that are transparent, respectful, and effective. “So many factors can impact a person’s health, factors that go beyond just a clinical diagnosis. We have an obligation to our communities to effectively and ethically apply SDOH analytics to identify those who need additional care services that can dramatically improve their health,” said Josh Schoeller, CEO at the Health Care business of LexisNexis Risk Solutions.

“As we continue to face this unprecedented health challenge, the ethical use of SDOH data improves healthcare and community organizations’ ability to provide the right interventions," said Jen Covich Bordenick, CEO of eHI. “We were pleased to join with LexisNexis Risk Solutions to highlight how organizations have stepped up to meet the needs of communities who are most impacted by the ongoing COVID-19 pandemic. We hope this report provides insights on how to provide whole-person healthcare.

Background:

In December of 2016, the 21st Century Cures Act was signed into law, and in March 2020, the Office of the National Coordinator for Health Information Technology (ONC) released its 21st Century Cures Final Rule (“Final Rule”) in order to implement key provisions of the law. This Final Rule was set to go into effect on June 30, 2020. However, due to the coronavirus pandemic (COVID-19), the health care industry shifted focus and resources to caring for patients impacted by the virus.

Although ONC previously announced a delay of many compliance deadlines to November 2, 2020, many of the key actors did not feel ready or prepared to comply due to COVID-19. The purpose of this Interim Final Rule (IFC) letter is to outline the newly delayed compliance dates. This will allow actors to continue focusing primarily on combating COVID-19, without the added pressure of meeting strict compliance rules. The flexibility of these dates aims to strike a balance between relieving pressure on actors and care providers, while also working to establish greater interoperability to enhance patient care in a timely manner.

Download the full summary below. 

eHealth Initiative Releases Survey on ONC and CMS Final Rules

Survey Provides Insights on Industry Readiness to Comply with Regulations

The eHealth Initiative (eHI) released the results of a survey on industry readiness to meet the requirements of the ONC Cures Act and CMS Interoperability and Patient Access Final Rules by the applicability date. The survey provides insight into industry awareness of the regulation, impact of COVID-19 on implementation, and readiness to comply.

Key Findings of the Readiness Survey

• Payers, providers, and vendors each identified implementing and maintaining the Patient Access Application Programming Interfaces (APIs) as a top area of concern (43%)
• Providers indicated the greatest impact of COVID-19 on their readiness (57%) in comparison to the other groups
• 47% of the respondents indicated preparedness to meet the applicability date
• The biggest data challenges to overcome are lack of data standardization (47%), lack of technical operability (44%) and shared data quality (44%)
• 44% of respondents identified that readiness is most impacted by the lack of prioritization across the industry due to internal competing priorities
• Payers and providers are most concerned with cost in choosing a vendor, with the former more willing to accept vendor assistance than the latter

“Despite the recent delays that push back the applicability date of many of the requirements in the Final Rules, the results reveal that payers, providers, and vendors have several areas of concern related to readiness,” said Jen Covich Bordenick, Chief Executive Officer of eHI. “For example, providers have been most significantly impacted by the current pandemic, but all stakeholder groups remained concerned about the capability to implement and maintain Patient Access APIs.”

The Federal Trade Commission (FTC) has at least one friend, and no, it is not Mark Zuckerberg -- her name is Alice. On a webinar to explain the eHealth Initiative and Center for Democracy & Technology’s Draft Consumer Privacy Framework for Health Data, eHI’s VP and Senior Counsel Alice Leiter announced that the new framework is an effort to “help out the FTC” so the agency is not overwhelmed by having to police every element of health data that is not regulated by HIPAA. The purpose is to propose a comprehensive consumer health data protection scheme, like GDPR or CCPA, and to complement or go further than other self-regulatory codes of conduct (CARIN Alliance, FTC Best Practices for Mobile Health App Developers, Network Advertising Initiative). The draft tries hard to define the ever-elusive concept of “consumer health data” and proposes specific protections and natural exceptions (i.e., research, to prevent death or injury). With Robert Wood Johnson Foundation funds, this was a serious effort with serious experts contributing serious time -- even the Better Business Bureau is being considered as a possible home for the new membership entity that vets, enrolls, and monitors its members. Maybe take a look at the draft and comment by September 25, 2020 -- just email FTC’s BFF at alice@ehidc.org. Alice may be the best friend the FTC has had in a long time.

Draft Guidelines Introduced to Protect Consumer Data on mHealth Platforms

The Draft Consumer Privacy Framework for Health Data aims to set standards for the collection, use and protection of health data on smartwatches, fitness bands, mHealth apps and other consumer-facing technology.

CDT, eHI Unveil Draft Consumer Health Data Privacy Framework

Drafted in collaboration with providers, tech giants, and advocacy groups, the consumer health data privacy framework provides standards for health data not protected by HIPAA regulations.

The Rise of Telehealth

Telehealth has become a necessity during the pandemic. But its promises to increase access will fall apart if becomes yet another profit center in a consolidated healthcare system.