How are emerging types of data governed by Privacy Laws? What are the key risks?

The healthcare space has been supported by the rapid development of new technologies such as smartphone and wearables, gene sequencing, and risk prediction. These emerging data types have great value, but they also pose unique challenges that policymakers and practitioners must consider. There are three forms of data that pose considerable privacy risks and currently do not have adequate protections. Understanding these risks can help establish better privacy protection strategies and inform how the healthcare system manages the growing use of non-traditional data types. 

Genomic Data

The rapid rise of genomic data in personalized healthcare decision-making has been enabled by companies like 23andMe, Ancestry.com, and MyHeritage. More widespread clinical genomics testing has also increased the availability of genetic data. The largest four genomics companies alone had received DNA samples from more than 26 million consumers as of January 2019. Much of this data still falls outside of the purview of HIPAA and is not regulated by research-driven data use arrangements that place limits on how data is used and disclosed. This situation poses several risks, which include: 

Risks:

  • Disclosure and its Impacts on Relatives: While the disclosure of most Protected Health Information (PHI) can impact the individual, genomic data can also impact family members related to the individual whose genetic makeup is analyzed. Federal rules and regulations, including HIPAA, do not address risks posed to relatives. Genomic data has already been used in criminal cases to identify relatives of people who have provided DNA samples to commercial companies. Similarly, genomic data can be used to trace blood relatives of people whose DNA has been tested without those relatives’ consent. 
  • Confusion Over Value and Use: Genomics companies routinely emphasize the value of their diagnostic capabilities and abilities to identify rare conditions in patients. These marketing tools may make patients more willing to provide their DNA to these companies. However, consumers may find that genomics companies provide less information and cover fewer genetic risks than they anticipated, or provide information without the full context. For example, a consumer may believe that she will never develop breast cancer because she has tested negative for a specific mutation, even though she may still be at risk for breast cancer from other causes

How is this data’s privacy protected by law?

Consumer-Generated Data from Non-Covered Entities

Consumer-generated data is health-related data collected from products and devices used by consumers, including data from the Internet of Things, and social media data. This information can come from your Fitbit tracker, your smartphone, or other devices that may use location data or take biometric data

Risks

  • Lack of Data Minimization: A general principle for ensuring privacy is data minimization – the goal of using the minimal amount of data for a particular purpose. While this principle is not applicable to treatment information due to the specific nature of researchers, it is an appropriate goal for consumer-generated data. However, consumer-generated health data often includes extraneous information with unnecessary personal details and does not meet the requirements of data minimization. Although some of this data may have implications for an individual’s health, additional data points may not be essential to the patient but may be sent to third party providers for their own purposes. 
  • Location and Consent: Smartphone apps, in particular, often have location-sharing built into their functionality, which could potentially gather information without the individual’s knowledge that it is being collected or about how it will be used.
  • Unregulated Technology Companies: There are a number of routes by which consumer-generated data could be regulated including HIPAA, the FTC, and the FDA’s rules on medical devices. As discussed above, HIPAA applies only to healthcare companies and providers that are considered covered entities or business associates, and may not cover other companies that gather consumer-generated data. The FTC has taken actions that penalize improper uses of consumer-generated health data but has not established clear guidelines about when to apply these penalties. Lastly, the FDA has released guidelines on mobile medical health applications for industry but places less priority on “low-risk devices,” so companies that gather consumer-generated data may not have to register their products with the FDA.

How is this data’s privacy protected by law?

  • Consumer-generated data may fall outside of the purview of HIPAA if it is collected by technology companies that are not covered entities, are not regulated through their relationship with covered entities, and are not subject to clear guidelines from the FTC. HIPAA does specify that “business associates” of covered entities such as healthcare providers are subject to the same regulations on their use of health data as covered entities. However, if a company independently collects consumer-generated data, it may legally be able to use the data or sell it for commercial third party use in various ways. Some companies that are not covered entities or business associates under HIPAA have already released consumer-generated data to companies like Facebook and Google. 

Social Determinants of Health

The social determinants of health (SDOH), including such factors as income, education, and housing, are a promising area of population data attracting increased interest from researchers, providers, and patients. For example, some research suggests that a person’s ZIP code is actually more predictive of adverse health outcomes than that person’s genetic code. HHS Secretary Alex Azar noted that the social determinants of health “would be important to HHS even if all we did was healthcare services…but in our very name and structure, we are set up to think about all the needs of vulnerable Americans, not just their healthcare needs.” While the benefits of SDOH data include reducing costs and improving patient care, several Roundtable participants noted a potential risk in the use of this data. 

Risks

  • Profiling and Redlining: As healthcare companies increasingly use the social determinants to better support diagnosis and treatment, it’s also possible that these same companies could engage in healthcare “redlining” and exclude or profile communities that they identify as high-risk areas. Alternatively, individuals may be directly profiled for residing in a high-risk ZIP Code, which could affect the quality of their treatment. These generalized assumptions could lead to unequal distribution of care and limit some groups’ medical options.

How is this data’s privacy protected by law?

  • SDOH Data often is gathered from two key sources: individual-level SDOH data that is collected by a primary care provider or medical professional, or community-level SDOH data that can be identified through public or private sources. (see the High-Value Data Types definitions and glossary section of the website for more information). For community-level data, many federal, state, and local government agencies and civil society organizations openly publish SDOH data on factors such as income, education, and other factors at the community level. This data may be available at the county, city, ZIP Code, or Census tract level, and can be analyzed together with individual-level health data to better predict individual and population risk. While personal EHR data is currently governed by HIPAA regulations, community-level data comes from a different set of sources and falls outside the scope of HIPAA. However, when that data is assigned or integrated with individual health records, it becomes covered by the rules and standards put forth by the HIPAA privacy and security rules.