Advocacy groups representing clinicians, hospitals, health insurers and technology companies have released a new report that reveals the challenges facing data-sharing practices consumer data and industry privacy.
The recommendations stem from a meeting in December 2022 in which 14 nonprofit associations discussed challenges to existing health data privacy regulatory frameworks. The American Hospital Association, the Blue Cross Blue Shield Association and the Federation of American Hospitals are among the industry groups involved in the effort.
These recommendations come as federal regulators are showing growing interest in how healthcare companies are sharing and using consumer data. On February 1, the Federal Trade Commission banned digital health company GoodRx from sharing personal health data with third parties and fined the company $1.5 million.
Here are some lessons and recommendations from this industry report:
- A variety of privacy laws govern the privacy of health data. This makes it difficult to aggregate multiple sources and draw inferences about multiple populations, organizations, and governments. In addition, the privacy frameworks created by the Health Insurance Portability and Accountability Act and other regulatory measures are often not enforced.
- Digital health applications are generally not covered by HIPAA entities. There are many privacy laws that narrowly govern some of the activities some digital health companies engage in, such as protecting children or requiring consumer financial products to explain how consumer data sharing. But stakeholders say much of the data collected and shared by digital health companies remains unregulated and is not covered by HIPAA or any other law. In some cases, states have moved to create their own laws.
- Privacy standards need to be harmonized. This patchwork of legislation has created confusion between consumers and suppliers. The groups called on the federal government to develop and harmonize common standards around the sharing and security of consumer health information. There have been several attempts by Congress over the past few years to strengthen and harmonize privacy laws in the healthcare sector, but none have been passed into law. Industry groups have issued their own guidelines.
- Consumers and suppliers must be educated. Consumers are often misled when their information is protected by HIPAA or privacy regulations. Stakeholders said consumers as well as providers should be informed about how their data is shared or stored on these apps.
- More public-private partnerships. Government stakeholders at the federal and state levels should work with industry groups to improve privacy laws around sharing consumer health data. Stakeholders said in the report will not create an additional burden on consumers or organizations covered by HIPAA.
This story first appeared in Digital Health Business & Technology.
