Our current data privacy laws are not protecting individuals enough.
With the rise of cyber threats in healthcare, current data privacy laws for health information do not protect individuals enough, according to an article published in the New England Journal of Medicine.
The Health Insurance Portability and Accountability Act (HIPAA) covers identifiable health information that is held or transmitted by health plans, healthcare providers, clearinghouses and their business associates. But HIPAA does not apply to companies or products that regularly store and handle customer health information, such as social media platforms, mobile health apps and Internet search engines.
Efthimios Parasidis, article co-author and professor at the Ohio State University’s Moritz College of Law, and his co-authors wrote that the large amounts of data held by digital health innovators raise numerous ethical concerns dealing with the reporting of incidental findings, misuse of private information, reidentification of deidentified data, discrimination and health profiling.
HIPAA does not mandate ethics review for data collection or downstream use. Ethics review is only required if other laws are triggered, usually under the Common Rule or to support medical product applications.
Data concerns can affect clinical care, especially when patients trying to protect their health information avoid care or withhold relevant information from their provider.
For instance, certain life insurers offer contracts that have policyholders wear products that continuously monitor their health, and the information gathered can be used to increase a customer’s premiums.
The authors wrote that, like the Belmont Report that established ethical principles 40 years ago, concerns about data use call for stakeholders to implement ethical guidance for health data.
Currently, there are some regulations in place to protect personal data, like the General Data Protection Regulation in the European Union and the California Consumer Privacy Act, that highlight notification, consent and deletion rights. But these things are insufficient for ensuring the ethical use of data.
“That system doesn’t work,” Parasidis said. “Very few people read the notice and most people just click agree without knowing what they’re agreeing to.”
Implementing notice and consent is a good starting point, but more measures need to be taken.
Parasidis, along with Elizabeth Pike, director of privacy policy in the Office of the Chief Information Officer at the U.S. Department of Health and Human Services, and Deven McGraw, chief regulatory officer at Citizen, wrote that best practices like “privacy by design” principles and “layered notice” promote fairness and increase the chances that people will understand the benefits and risks of sharing their data.
Best practices also include using privacy-enhancing default settings and summarizing key data-sharing provisions and linking to more detailed privacy protection information.
The authors wrote that meaningful ethics review could include establishing data ethics officers who consider ethical issues beyond HIPAA, expanding the role of institutional review boards or data and safety monitoring boards, and implementing reviews that focus solely on data ethics.
Review boards could consider the benefits and risks of the data use in question and consider policies governing the access, privacy and security of data.
“Data privacy laws for health information don’t go far enough to protect individuals,” Parasidis said. “We must rethink the ethical principles underlying collection and use of health data to help frame amendments to the law.”