Two digital health organizations have joined forces to develop guidelines to protect health information gathered by consumer-facing mHealth devices.
The Draft Consumer Privacy Framework for Health Data, developed by the eHealth Initiative & Foundation (eHI) and the Center for Democracy and Technology (CDT), aims to create standards of use for data that isn’t expressly covered by the Health Insurance Portability and Accountability Act (HIPAA). This includes a wide range of telemedicine and mHealth technologies that are designed for consumer use but are increasingly being used in clinical programs.
“With the rise of wearable devices, wellness apps, and other online services, huge amounts of information reflecting users’ health are being created and held by entities who are not bound by HIPAA regulations,” Alexandra Reeve Givens, CDT’s president and CEO, said in a press release.
“It is nearly impossible for consumers to manage and understand the privacy practices for every entity that collects, uses, or shares data about their health,” she added. “The draft rules we are releasing today set clear limits on the use of consumer health information and raise the bar for corporate practices around the collection and sharing of this sensitive data. Consumers and corporations will benefit from these enhanced privacy protections.”
The 19-page document, available for public feedback through September 26, defines consumer health information as data recorded in any form or medium that “relates to or is used to determine, predict or estimate the past, present or future physical or mental health condition of an individual, or relates to the provision of health care to an individual.”
This includes racial, ethnic, genetic and biometric data sets, as well as data that reflects reproductive health, sexual orientation, disability, sensitive disease conditions and substance abuse.
“This definition intentionally rejects previous notions of ‘health data’ that are limited to the direct provision of health services by a professional,” the document points out. “It also avoids the approach taken by some other voluntary frameworks that create a list of health conditions that qualify for protection. This definition instead focuses on the nature of the information and how it is used. It recognizes that all data can be ‘health data’ if it is used for those purposes, even if it appears unrelated on its face.”
The draft guidelines also offer definitions for affirmative express consent, de-identified data and publicly available information and set ground rules for how organizations collect and use information and inform consumers; how those organizations collect consumer consent to gather that data; and how consumers can protect their health information.
The document comes at a time when interest in consumer-facing mHealth technology is soaring and the market is filled with smartwatches, activity trackers, sensor-embedded clothing and accessories, smart devices in the home and mHealth apps.
While the technology is designed to help consumers manage their own health and wellness, payers and businesses also value the information as a means of tracking and controlling healthcare costs for members and employees.
The healthcare industry is showing interest as well, as health systems look to push care outside the hospital or clinic and into the home, with platforms that highlight remote patient monitoring, chronic care management and preventive health and wellness.
“Momentum is building for new federal privacy legislation, but currently no bills have made significant progress toward being enacted into law,” eHI CEO Jennifer Covich Bordenick said in the press release. “As we wait for a comprehensive law, we can and should do more to better protect consumer privacy in the interim.”