The Center for Democracy & Technology released a proposed draft federal privacy bill, centered on a consumer's right to understand where their data is held and to obtain reasonable access to that data upon request.
While the draft applies to all sectors, several elements are relevant to patient data rights. Specifically, CDT proposed that individuals should have the right to dispute the completeness and accuracy of their health record.
Further, it would require organizations to provide individuals with reasonable access to their data, along with the names of outside groups to which the company has sold or licensed the data.
The proposal also redefines health information into three categories: data related to health conditions or the provision of healthcare, data from health or wellness services, and data from physical examinations or testing. The bill would give the Federal Trade Commission the power to define health information further.
According to CDT, the proposed legislation centers on individual rights and "moves beyond the failed models of notice and choice." The draft reflects some of the issues raised by the Facebook scandal, in which consumers were unaware of how the company was storing and analyzing their data.
"Privacy is a fundamental human right. Physical safety, free expression, access to justice, and economic security depend on it," CDT President and CEO Nuala O'Connor said in a statement. "Yet, under the current patchwork of privacy laws in the U.S., it's impossible for individuals to understand, let alone manage, the many ways their data is used."
“For legislation to be more than a band-aid, we have to rethink the relationship between businesses and the people whose data they hold,” Michelle Richardson, Director of CDT’s Privacy & Data Project, said in a statement. “We need to establish sensible limits on data collection, use, and sharing, so that people can entrust their data to companies without accepting unreasonable risk.”
The proposal also gives individuals two fundamental rights that mirror those found in the EU's General Data Protection Regulation (GDPR): the right to data portability and the right to deletion.
Currently, there is considerable gray area around data sharing in the healthcare sector, which means patients often struggle to obtain their data and can be charged to receive their own medical records.
CDT proposed that individuals be able to transmit and transfer their data from a business, where appropriate, or download it for their own use. CDT also suggested that the National Institute of Standards and Technology (NIST) convene a working group to advance data portability toward those goals.
The proposed "Right to Deletion" would let individuals delete their personal information, and businesses could not make it unreasonably difficult to do so. Under GDPR, EU residents may request erasure of their data, commonly described as the right to "be forgotten."
CDT also included exceptions for businesses, such as situations where an individual cannot confirm their identity or where a legal restriction is in place.
“Deletion and correction rights are also limited where a covered entity must retain information for traditional business and security purposes, or deletion would interfere with ongoing research in the public interest,” the proposal authors wrote.
The proposal follows a growing list of industry stakeholders calling on Congress and the Department of Health and Human Services (HHS) to shift focus onto consumer data privacy rights.
Last week, the American Medical Informatics Association (AMIA) and the American Health Information Management Association (AHIMA) told a Capitol Hill briefing that HIPAA needs an upgrade to support patient access rights and to make it easier for patients to transmit their data.
In November, AMIA asked the Trump administration to better align health data privacy policies, close regulatory gaps that could endanger data privacy, and make "consumer-centricity a prerequisite condition" for closing HIPAA regulatory gaps.
HHS appears ready to make that shift with its request for information released Monday. HHS and its Office for Civil Rights (OCR) are asking industry leaders for feedback on how to improve HIPAA guidance, especially around data sharing and care coordination.