Feds weigh in on IT privacy

Companies challenged to step up privacy efforts

Modern Healthcare - - FRONT PAGE - Joseph Conn

An old American ideal and some new foreign ideas could change the relatively laissez faire approach in the U.S. toward the privacy of personal information. The Federal Trade Commission last week, in a policy paper on online privacy, challenged companies that collect and use personally identifiable information to both step up and voluntarily improve privacy practices and to get ready for recommended legislative constraints.

Healthcare privacy experts disagree over the extent of the impact the FTC framework will have on privacy policy in healthcare.

The FTC challenge came a month after President Barack Obama, in coordination with the Commerce Department, unveiled his Consumer Privacy Bill of Rights, which in turn followed the release in January of a proposed European Union data protection regulation. All three privacy initiatives call for individual consent and control over the collection and use of their identifiable information.

In its 112-page report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, the FTC called on companies to make privacy the “default setting” for commercial data practices, and use the “privacy by design” concept originated by Ontario’s provincial information and privacy commissioner, Ann Cavoukian, to build privacy protections into their applications and services from the start.

The FTC report also said data collectors must be more transparent with consumers about their data practices and consumers should be given choice and control over how their personal information is used.

Consent has been a contentious issue in the healthcare industry since a 2002 HHS rewrite of the Health Insurance Portability and Accountability Act privacy rule, giving hospitals, doctors’ offices and other covered entities “administrative authorization” to disclose patients’ medical records without their consent for treatment, payment and other healthcare operations.

FTC Chairman Jon Leibowitz, in announcing the report, harkened back to the ideas of former Supreme Court Justice Louis Brandeis, author of the 1928 dissenting opinion in Olmstead v. United States, involving the warrantless wiretapping of a Seattle bootlegger. Brandeis argued that the right to privacy was “the most comprehensive of rights and the right most valued by civilized men.” Leibowitz acknowledged that Brandeis could not have envisioned today’s data brokers, but the right to privacy, he said, “remains as relevant and robust to Americans in the 21st century as it was nearly 100 years ago.”

Some of the FTC recommendations would require legislation, including laws affording data security and “baseline” privacy protection, as well as the regulation of data brokers that trade in information of all kinds.

It’s not clear how much effect the FTC can have in the healthcare arena, said Mark Rothstein, a lawyer and director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine, who served as chairman of the privacy and confidentiality subcommittee of the National Committee on Vital and Health Statistics.

“Brandeis wrote a lot of majestic opinions that shaped the law for decades, and Olmstead is certainly one of them,” providing the legal framework for a common law right to privacy from technological intrusions, Rothstein said. HHS and its Office for Civil Rights, the chief enforcer of the HIPAA privacy and security rules, “are really treading water and trying to get a handle on what health information exchange is going to mean regarding privacy,” he said.

Deven McGraw, who heads the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank, said some of the FTC recommendations could be influential in the healthcare arena, though she noted a major “omnibus” revision of the HIPAA privacy rule expected soon will have a much wider and more direct impact. The FTC recommendation on “privacy by design” could be embraced by health IT vendors in the future, McGraw said. “It’s much easier to build it on the front end than add it onto the back.”

But neither the FTC report nor Obama’s bill of rights pushes for a blanket right of consent, McGraw said. “The FTC report does make it very clear that commercial entities should get the consent of the consumer when they’re collecting sensitive data like healthcare information.” But, she said, “The White House report and the FTC’s report are very clear that consent is contextual.”

Europe has had more stringent privacy protections than the U.S., which, for commercial data, has none, McGraw said, but the new privacy proposals in the U.S. could put it on a path to at least catch up, and perhaps surpass the EU, she said.

For Pam Dixon, founder and executive director of the San Diego-based World Privacy Forum, placing the right of consent in the framework of context is “a lovely theory, but what it does is it really erodes privacy from the inside out. What the industry can do is say, ‘the context is this, so we don’t need consent.’” She also said the FTC overly relies on voluntary industry compliance to tame what she called a “wild west” of commercial data handling practices.

Nonetheless, the FTC says the framework applies specifically to “sensitive information,” and while the FTC doesn’t define what that means, examples mentioned include “health information.” “If you handle sensitive data, you’re not out of the (FTC) framework,” despite HIPAA, Dixon said.

Dixon said healthcare should be represented in stakeholder meetings on privacy called for by the FTC, the White House and the Commerce Department. “The days when HIPAA was an island unto itself are now over. The black market for healthcare information has gotten the attention of healthcare regulators. As a result, I don’t think healthcare data is going to remain untouched in this process.”

Jim Pyles, a principal in the Washington law firm, Powers, Pyles, Sutter & Verville, said the FTC framework could establish a dichotomy in which less sensitive consumer information, such as online shopping patterns, enjoys more stringent privacy protections than highly sensitive healthcare information.

The FTC, White House and EU documents envision privacy protections that “attach to the data and apply to whomever handles it,” Pyles said. In contrast, the HIPAA privacy rule “applies only to covered entities and their business associates,” he added. “It’s just silly to not have the privacy protection run with the information.”


Leibowitz: The right to privacy is “as relevant ... to Americans in the 21st century as it was nearly 100 years ago.”
