The eHealth Initiative and the Center for Democracy and Technology have proposed a self-regulatory framework for best practices on handling non-HIPAA covered health data.
Participating entities must publicly provide individuals with a notice that includes:
A second, more detailed notice is also required, covering additional provisions such as security practices.
This is intended to curb some current behavioral-advertising and commercial product-development uses of health data that do not fall under one of the other exceptions, such as the use of de-identified data.
Prohibition on Discrimination
A participating entity must establish and implement reasonable information security policies, practices and procedures for the protection of consumer health information, taking into consideration:
The wording is borrowed directly from Article 32 of the General Data Protection Regulation, but the framework adds specific requirements, including:
The framework carves out exceptions for research, emergencies, compliance with law, fraud detection, and similar purposes.