Principal Deputy National Coordinator for Health IT Genevieve Morris explained that since the original 2011 Model Privacy Notice, there is a larger variety of digital health technologies collecting patient data.
“The winners designed innovative tools that will help make privacy notices easier for consumers to understand, so they can know how and why their health information is being shared,” Morris said.
The challenge was issued in December 2016, calling for developers, designers, health data privacy experts, and any other innovators to come together and use content from the MPN template to create the tool for individuals.
“The MPN and Challenge reflect ONC’s overall efforts to address the rapid pace of change regarding wearables and other types of health information technology,” ONC stated at the time. “As ONC outlined in a July 2016 report to Congress, Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA, many new businesses use consumer-facing technology to collect, handle, analyze, and share health information about individuals – sometimes without those individuals’ knowledge.”
The MPN is designed to help developers clearly explain their privacy and security policies to users. ONC underlined the fact that it does not mandate specific policies and does not meet HIPAA requirements for notice of privacy practices.
The Challenge winners were the following:
- Jason Cronk and Professor Daniel J. Solove – The first place team most accurately explained which changed terms and language enhance consumer understanding, according to ONC. Their MPN “features a side-by-side, live-updating view allowing application developers to see the MPN as they complete the app’s sections.”
- 1upHealth – The second place team “allows for extensive customization, available in HTML, JSON, and Markdown formats.” It also utilizes a side-by-side view, and entered data can be checked live to verify websites and formats.
- MadeClear.io – The third place MPN has expandable headers letting developers see their progress. It also “uses alternating background images that help differentiate the sections and colorful icons that add context to the privacy language.”
Earlier in 2016, ONC issued a request for information on the MPN. ONC stressed that it is increasingly important for consumers to understand how their data is being used. Users also need to properly understand what a company’s policy is when it comes to data sharing.
Consumers are accessing their clinical and claims data and “are also interacting with fitness and wellness data from devices offered by health technology developers that may not be regulated by HIPAA,” the agency explained in the Federal Register request.
HIPAA regulations govern how covered entities and business associates maintain, access, use and disclose patient PHI, ONC noted. However, there needed to be a resource for technology developers that are not necessarily subject to HIPAA laws but need to adhere to other federal regulations (i.e. FTC’s Health Breach Notification Rule).
“ONC seeks comment concerning what information practices health technology developers should disclose to consumers and what language should be used to describe those practices in an updated MPN,” the request explained, adding that it was not seeking recommendations on best practices.
Evolving technology and its effect on patient data privacy was also discussed in the ONC’s online tool launched in 2016. ONC collaborated with the FTC, the FDA, and OCR to aid technologists, clinicians, or even patients developing healthcare applications.
“This interactive tool helps guide developers through a short assessment of their app with a series of questions about the nature of the app, including its function, the data it collects, and the services it provides to its users,” ONC Chief Privacy Officer Lucia Savage, J.D. and ONC Senior Health Information Privacy Program Analyst Helen Caton-Peters, MSN, RN wrote in an earlier blog post on the topic.
“Federal laws and regulations originating with FTC, FDA and the OCR all could influence the development of a new health-related product,” the duo continued. “And while these may not be the only applicable federal laws and regulations, they are often important requirements to consider when developing a health-related app.”