Safeguarding Personal Data: ACP Offers Guiding Principles for Future Privacy Frameworks

Gianna Melillo

The American College of Physicians outlined guiding principles for future improvements in personal health data collection and use.

In a policy paper published in Annals of Internal Medicine, the American College of Physicians (ACP) called for improvements in the existing health information privacy framework and for expansion of similar privacy guardrails to entities not governed by current laws and regulations.

As the prevalence of telehealth continues to grow in the United States and as technology advances in the field, the number of digital interactions and the amount of personal health information generated and collected have kept pace with that expansion.

However, the risk of data system breaches and the commercialization of data threaten to derail these advances and the goals laid out in the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996.

According to the authors, an expanded privacy framework should ideally “protect personal health information from unauthorized, discriminatory, deceptive, or harmful uses and align with the principles of medical ethics, respect individual rights, and support the culture of trust necessary to maintain and improve care delivery.”

The absence of a single, comprehensive framework for personal health information privacy and uses in the United States complicates this effort and compounds the risk of data misuse.

Although HIPAA is still in place, the act does not apply to entities collecting personal health information such as mobile health applications and wearable medical devices. Furthermore, neither the FDA nor the Federal Trade Commission (FTC) regulates the use and exchange of information collected by these devices.

When devising an improved framework, parties should aim to balance individual interests with potential uses of health information to improve care. “Persons need to feel confident that they can receive needed health care and participate in the digital health ecosystem without inappropriate disclosure or use of their information,” researchers wrote, “lest distrust in physicians and the health care system as a whole lead to withholding of pertinent health information with potentially negative clinical consequences.”

To help guide new recommendations on this topic, the Medical Informatics Committee and the Ethics, Professionalism and Human Rights Committee of ACP reviewed available studies, reports, statutes, regulations and other sources on the matter.

The Committees devised six guiding principles on health information privacy, protection and use. They state:

  • Protecting privacy and security of personal health information, while providing individual rights to that information, is essential to foster trust, maintain ethical standards, and promote safe delivery of care.
  • Increased transparency, public understanding, and improved models of consent about collection, exchange and use of data within existing rules and those outside these rules should be implemented.
  • Confidentiality is a fundamental aspect of medical care, and providers have an obligation to adhere to privacy and security protocols.
  • Digital technologies should incorporate privacy and security principles and consistent data standards within their designs.
  • Enforcement should ensure all entities not covered by HIPAA that interact with personal health data are held accountable for confidentiality, privacy, and security of information.
  • New approaches to privacy and security should be tested before implementation and be reevaluated regularly to assess effects in real-world health settings.

The authors also called for federal legislation on protecting personal health information and for an industry-wide consensus to be reached on the matter. As interoperability improves and more access to this data is gained, awareness of implications and new individual responsibilities needs to play a role in this undertaking.

“Patients must be able to trust in the power of digital health technology and can only truly do so if they feel their private information is being safeguarded on all levels,” said Jacqueline W. Fincher, MD, MACP, the president of ACP. “It is our hope as frontline physicians who use these technologies every day, that the implementation of the recommendations offered in this paper will help ensure more comprehensive health information privacy and security protections.”