Non-HIPAA Health Data: eHI And EDT Propose Self-Regulatory Framework

Fox Rothschild LLP
Contact

Fox Rothschild LLP

The eHealth Initiative and the Center for Democracy and Technology have proposed a self-regulatory framework for best practices on handling non-HIPAA covered health data.

Key principles:

Definitions

  • Aggregated data and de-identified data: Uses definitions similar to that in the California Consumer Privacy Act (CCPA) requiring a public commitment not to re-identify and contractual obligations to prevent re-identification.
  • Health data is defined broadly to (a) cover all data that a participant collects, shares or uses for health purposes. It includes certain sensitive health topics such as biometrics, disability, sexual orientation, substance abuse, etc. There is no carve-out for employee data.
  • Publicly available information is defined more broadly than CCPA to also include:
    • Video, audio, or internet content published in compliance with the host site’s terms of use and available to the general public on an unrestricted basis
    • Information a news media organization publishes to the general public on an unrestricted basis
    • Information that in order to access there is a log-in requirement, or a fee of no more than $20 per month or per transaction.

Notice

Participating entities are required to publicly provide a notice to the individuals that includes:

  • The type of information collected
  • The purpose
  • The names of all entities/recipients to which information will be disclosed/sold
  • The reason for the disclosure
  • How the privacy policies change and rights of the individuals

Another more detailed notice is also required which includes additional provisions such as security practices.

Consent

  • Affirmative consent is required for the collection and use of health data.
  • New consent is required for new purposes.
  • Consent must be voluntary and cannot be conditioned, cannot be inferred from consumer inaction and must follow a thorough presentation of information.
  • Consent must be revocable.

Consumer Rights

  • Entities must provide individuals with a free, clear and easy process for requesting access, correction and deletion of health information.
  • Data portability: Where technically feasible, a participating entity shall make available a reasonable means for a consumer to transmit or transfer their health information that is retained by the participating entity to another participating entity in a structured, standardized and machine-readable, interoperable format.

Enforcement/Carveouts

  • To the extent that any participating entity’s collection, disclosure or use of consumer health information is already governed by federal, state, and municipal laws or regulations, those legal obligations are not affected by this framework
  • Purpose limitation: Participating entities must collect, disclose or use consumer health information for only for the purpose for which the data was originally collected, disclosed, or used for.
  • Data minimization: Entitles must limit the amount of consumer health information collected, disclosed or used to only what is necessary to provide the product or feature the consumer has requested.
  • Entities must take reasonable efforts to ensure the third parties and service providers with whom it shares consumer health information meet the obligations of this framework.

This is meant to curb some current behavioral advertising and commercial product development activities that do not avail themselves of one of the other exceptions like the use of de-identified data.

  • Retention limitation: Entities must maintain consumer health information for a period of time only as long as necessary to carry out the purpose(s) for which the consumer health information was collected. They must delete all consumer health information once there is no longer a valid reason to retain it.

Prohibition on Discrimination

  • A participating entity must not collect, disclose, or use consumer health information when making eligibility determinations around housing, employment, healthcare and other critical determinations.
  • A participating entity must ensure equal access and accommodation considerations when collecting, disclosing or using consumer health information.

Security Measures

A participating entity must establish and implement reasonable information security policies, practices and procedures for the protection of consumer health information, taking into consideration:

  • The nature, scope, and complexity of the activities engaged in by such participating entity
  • The sensitivity of any consumer health information at issue
  • The current state of the art in administrative, technical and physical safeguards for protecting such information
  • The cost of implementing such administrative, technical, and physical safeguards

Terms borrowed directly from Article 32 of the General Data Protection Regulation, but adding specific requirements including:

  • written security policy with respect to the processing of such consumer health information
  • The identification of an officer or other individual as the point of contact with responsibility for the management of information security
  • process for identifying and assessing reasonably foreseeable security vulnerabilities
  • A process for taking action designed to mitigate against vulnerabilities
  • A process for determining if consumer health information is no longer needed and disposing of consumer health information
  • A process for overseeing persons who have access to consumer health information
  • A process for employee training and supervision for implementation of the policies, practices and procedures
  • A written plan or protocol for internal and public response in the event of a breach of security

The framework makes certain exceptions for research, emergencies, compliance with law, detection of fraud etc.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP
Contact
more
less

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.