Recently, the Center for Democracy and Technology (CDT) and the eHealth Initiative & Foundation (eHI) issued a draft of a consumer privacy framework for health data to deal with the loopholes in legal protections for consumers’ health data that are not covered by the Health Insurance Portability and Accountability Act (HIPAA).
Under the HIPAA Rules, healthcare providers, healthcare clearinghouses, health plans, and business associates of covered entities must implement safeguards to protect the confidentiality, integrity, and availability of health information. Uses and disclosures of healthcare data are restricted. Americans have rights over how their protected health information (PHI) is used and disclosed, and the right to access their health data.
The HIPAA Rules do not apply to companies that collect, use, store, and transmit data elements that would be categorized as PHI but that are neither HIPAA-covered entities nor business associates of HIPAA-covered entities.
The Consumer Privacy Framework for Health Data by eHI/CDT is a voluntary, self-regulatory program under which member organizations adopt a set of standards developed independently through a multistakeholder process. It protects consumer health information that is not protected under HIPAA.
The framework consists of a definition of the health information that should be protected, together with the criteria and rules for protecting it. It limits the amount of information that may be collected and the ways health data may be used, and it includes a model for holding companies accountable for their data collection, use, and disclosure.
The framework requires organizations to obtain affirmative express authorization before collecting, processing, or sharing consumer health information, and it prohibits organizations from using consumer health information for any purpose other than the one stated when the information was requested and for which consumers gave their authorization.
The healthcare provider must give notice of the information collected, processed, or shared. The purpose of data collection must be clearly stated, and for any disclosure the healthcare provider must state to whom the information will be disclosed. The framework also discourages the use of consumer health data to harm or discriminate against a person.
As under HIPAA, the framework limits the health data that may be collected, shared, or processed to the minimum amount necessary to accomplish the purpose for which it was obtained.
The framework gives consumers enforceable rights over their consumer health information. Consumers have the right to access the data collected about them, to review their health data for errors and correct them, and to have the data deleted. Where technically feasible, consumers must be able to move their records to another entity. The framework also requires participating organizations to establish and carry out reasonable security policies, practices, and procedures to ensure that consumer health data is protected.
eHI/CDT is seeking constructive public comment on the Consumer Privacy Framework for Health Data. Responses can be submitted on or before September 25, 2020 at this link.