EHI Provides Guidance for Protecting non-HIPAA-Covered Health Data

Executives for Health Innovation (EHI) released guidance for protecting non-HIPAA-covered health data held by health tech companies.

By Jill McKeon

Executives for Health Innovation (EHI) released a report with guidance for protecting non-HIPAA-covered health data held by health tech companies.

In the report, EHI advocated for the adoption of industry-wide self-regulated standards for entities to follow as they await more thorough federal legislation.

“Since the early 2000s, the Health Insurance Portability and Accountability Act (HIPAA) has been the nation’s primary health privacy law, protecting patient data held by the healthcare system – hospitals, doctors, clinics, and health insurers,” EHI stated in a press release.

“But with the explosive proliferation of digital technologies, an ever-increasing amount of health data is generated by consumers themselves. This data is both held and used by companies that are not bound by the obligations of HIPAA, leaving that data largely under-protected and under-regulated.”

With funding from the Robert Wood Johnson Foundation (RWJF), EHI wrote its new report based on the previously developed Consumer Privacy Framework for Health Data, which provides a private-sector, self-regulated solution to health data privacy and accountability issues.

Current legislation regarding health data privacy has not yet caught up to advances in technology. In October, the Federal Trade Commission (FTC) affirmed that health apps and connected device companies that collect health information must comply with the Health Breach Notification Rule.

The policy statement raised new questions about what the FTC considers a data breach, which entities can be defined as healthcare providers under the rule, and how federal lawmakers can keep pace with a fast-moving tech industry that has changed how consumers manage their health. However, the FTC still has a long way to go to hold health tech companies accountable, EHI argued.

“Although the FTC has used this authority to bring actions against consumer health technology products whose data practices harm consumers, the FTC is not currently set up to be an efficient and nimble privacy enforcer. Its rule-making authority is limited and it lacks adequate resources,” EHI asserted.

EHI’s framework advocates for consumers by holding entities accountable for following certain codes of conduct and shifting the burden of risk onto companies rather than consumers.

“Transparency and consent remain important elements within the Framework, but the detail, length, and density of most company privacy practices make it unrealistic and untenable for consumers to meaningfully research each technology with which they interact, nor understand the terms of use they are asked – or required – to accept before they can use each tool,” EHI reasoned.

Entities that choose to adopt the framework can “enjoy benefits both from an internal compliance perspective and from an external market perspective.”

EHI also recommended that HIPAA-covered entities use the framework in order to establish themselves as trusted industry partners.

“Given the outsized educational role that often falls on providers in particular, whether legally required or not, a program that clearly identifies companies that have already met – and are being held accountable to – stringent data protection practices will provide an enormous benefit to these trusted messengers,” the report noted.

“Rather than having to research the various levels of integrity of the host of digital health tools available to consumers themselves, adding yet another administrative burden to these already over-taxed healthcare entities and individuals, providers and their staffs will have a new tool to help differentiate one app from another and make wise recommendations to their patients.”

Establishing private-sector industry standards eases some of the strain on, and urgency for, regulatory bodies to create standards of their own, while still holding tech companies accountable during this transitional period.