The eHealth Initiative and the Center for Democracy and Technology have proposed a self-regulatory framework for best practices on handling non-HIPAA covered health data.
- Aggregated data and de-identified data: Uses definitions similar to that in the California Consumer Privacy Act (CCPA) requiring a public commitment not to re-identify and contractual obligations to prevent re-identification.
- Health data is defined broadly to (a) cover all data that a participant collects, shares or uses for health purposes. It includes certain sensitive health topics such as biometrics, disability, sexual orientation, substance abuse, etc. There is no carve-out for employee data.
- Publicly available information is defined more broadly than CCPA to also include:
- Information a news media organization publishes to the general public on an unrestricted basis
- Information that in order to access there is a log-in requirement, or a fee of no more than $20 per month or per transaction.
Participating entities are required to publicly provide a notice to the individuals that includes:
- The type of information collected
- The purpose
- The names of all entities/recipients to which information will be disclosed/sold
- The reason for the disclosure
- How the privacy policies change and rights of the individuals
Another more detailed notice is also required which includes additional provisions such as security practices.
- Affirmative consent is required for the collection and use of health data.
- New consent is required for new purposes.
- Consent must be voluntary and cannot be conditioned, cannot be inferred from consumer inaction and must follow a thorough presentation of information.
- Consent must be revocable.
- Entities must provide individuals with a free, clear and easy process for requesting access, correction and deletion of health information.
- Data portability: Where technically feasible, a participating entity shall make available a reasonable means for a consumer to transmit or transfer their health information that is retained by the participating entity to another participating entity in a structured, standardized and machine-readable, interoperable format.
- To the extent that any participating entity’s collection, disclosure or use of consumer health information is already governed by federal, state, and municipal laws or regulations, those legal obligations are not affected by this framework
- Purpose limitation: Participating entities must collect, disclose or use consumer health information for only for the purpose for which the data was originally collected, disclosed, or used for.
- Data minimization: Entitles must limit the amount of consumer health information collected, disclosed or used to only what is necessary to provide the product or feature the consumer has requested.
- Entities must take reasonable efforts to ensure the third parties and service providers with whom it shares consumer health information meet the obligations of this framework.
This is meant to curb some current behavioral advertising and commercial product development activities that do not avail themselves of one of the other exceptions like the use of de-identified data.
- Retention limitation: Entities must maintain consumer health information for a period of time only as long as necessary to carry out the purpose(s) for which the consumer health information was collected. They must delete all consumer health information once there is no longer a valid reason to retain it.
Prohibition on Discrimination
- A participating entity must not collect, disclose, or use consumer health information when making eligibility determinations around housing, employment, healthcare and other critical determinations.
- A participating entity must ensure equal access and accommodation considerations when collecting, disclosing or using consumer health information.
A participating entity must establish and implement reasonable information security policies, practices and procedures for the protection of consumer health information, taking into consideration:
- The nature, scope, and complexity of the activities engaged in by such participating entity
- The sensitivity of any consumer health information at issue
- The current state of the art in administrative, technical and physical safeguards for protecting such information
- The cost of implementing such administrative, technical, and physical safeguards
Terms borrowed directly from Article 32 of the General Data Protection Regulation, but adding specific requirements including:
- A written security policy with respect to the processing of such consumer health information
- The identification of an officer or other individual as the point of contact with responsibility for the management of information security
- A process for identifying and assessing reasonably foreseeable security vulnerabilities
- A process for taking action designed to mitigate against vulnerabilities
- A process for determining if consumer health information is no longer needed and disposing of consumer health information
- A process for overseeing persons who have access to consumer health information
- A process for employee training and supervision for implementation of the policies, practices and procedures
- A written plan or protocol for internal and public response in the event of a breach of security
The framework makes certain exceptions for research, emergencies, compliance with law, detection of fraud etc.