Feds weigh in on IT privacy
Companies challenged to step up privacy efforts
An old American ideal and some new foreign ideas could change the relatively laissez-faire approach in the U.S. toward the privacy of personal information. The Federal Trade Commission last week, in a policy paper on online privacy, challenged companies that collect and use personally identifiable information both to step up and voluntarily improve privacy practices and to get ready for recommended legislative constraints.
The FTC challenge came a month after President Barack Obama, in coordination with the Commerce Department, unveiled his Consumer Privacy Bill of Rights, which in turn followed the release in January of a proposed European Union data protection regulation. All three privacy initiatives call for individual consent and control over the collection and use of their identifiable information.
In its 112-page report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, the FTC called on companies to make privacy the “default setting” for commercial data practices, and use the “privacy by design” concept originated by Ontario’s provincial information and privacy commissioner, Ann Cavoukian, to build privacy protections into their applications and services from the start.
The FTC report also said data collectors must be more transparent with consumers about their data practices and consumers should be given choice and control over how their personal information is used.
Consent has been a contentious issue in the healthcare industry since a 2002 HHS rewrite of the Health Insurance Portability and Accountability Act privacy rule, giving hospitals, doctors’ offices and other covered entities “administrative authorization” to disclose patients’ medical records without their consent for treatment, payment and other healthcare operations.
FTC Chairman Jon Leibowitz, in announcing the report, harkened back to the ideas of former Supreme Court Justice Louis Brandeis, author of the 1928 dissenting opinion in Olmstead v. United States, involving the warrantless wiretapping of a Seattle bootlegger. Brandeis argued that the right to privacy was “the most comprehensive of rights and the right most valued by civilized men.” Leibowitz acknowledged that Brandeis could not have envisioned today’s data brokers, but the right to privacy, he said, “remains as relevant and robust to Americans in the 21st century as it was nearly 100 years ago.”
Some of the FTC recommendations would require legislation, including laws affording data security and “baseline” privacy protection, as well as the regulation of data brokers that trade in information of all kinds.
It’s not clear how much effect the FTC can have in the healthcare arena, said Mark Rothstein, a lawyer and director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine, who served as chairman of the privacy and confidentiality subcommittee of the National Committee on Vital and Health Statistics.
“Brandeis wrote a lot of majestic opinions that shaped the law for decades, and Olmstead is certainly one of them,” providing the legal framework for a common law right to privacy from technological intrusions, Rothstein said. HHS and its Office for Civil Rights, the chief enforcer of the HIPAA privacy and security rules, “are really treading water and trying to get a handle on what health information exchange is going to mean regarding privacy,” he said.
Deven McGraw, who heads the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank, said some of the FTC recommendations could be influential in the healthcare arena, though she noted a major “omnibus” revision of the HIPAA privacy rule expected soon will have a much wider and more direct impact. The FTC recommendation on “privacy by design” could be embraced by health IT vendors in the future, McGraw said. “It’s much easier to build it on the front end than add it onto the back.”
But neither the FTC report nor Obama’s bill of rights pushes for a blanket right of consent, McGraw said. “The FTC report does make it very clear that commercial entities should get the consent of the consumer when they’re collecting sensitive data like healthcare information.” But, she said, “The White House report and the FTC’s report are very clear that consent is contextual.”
Europe has had more stringent privacy protections than the U.S., which, for commercial data, has none, McGraw said, but the new privacy proposals in the U.S. could put it on a path to at least catch up with, and perhaps surpass, the EU, she said.
For Pam Dixon, founder and executive director of the San Diego-based World Privacy Forum, placing the right of consent in the framework of context is “a lovely theory, but what it does is it really erodes privacy from the inside out. What the industry can do is say, ‘the context is this, so we don’t need consent.’” She also said the FTC overly relies on voluntary industry compliance to tame what she called a “wild west” of commercial data handling practices.
Nonetheless, the FTC says the framework applies specifically to “sensitive information,” and while the FTC doesn’t define what that means, examples mentioned include “health information.” “If you handle sensitive data, you’re not out of the (FTC) framework,” despite HIPAA, Dixon said.
Dixon said healthcare should be represented in stakeholder meetings on privacy called for by the FTC, the White House and the Commerce Department. “The days when HIPAA was an island unto itself are now over. The black market for healthcare information has gotten the attention of healthcare regulators. As a result, I don’t think healthcare data is going to remain untouched in this process.”
Jim Pyles, a principal in the Washington law firm Powers, Pyles, Sutter & Verville, said the FTC framework could establish a dichotomy in which less sensitive consumer information, such as online shopping patterns, enjoys more stringent privacy protections than highly sensitive healthcare information.
The FTC, White House and EU documents envision privacy protections that “attach to the data and apply to whomever handles it,” Pyles said. In contrast, the HIPAA privacy rule “applies only to covered entities and their business associates,” he added. “It’s just silly to not have the privacy protection run with the information.”