A position paper from the American College of Physicians (ACP) called for legislation to shore up privacy protections for personal health information in the growing digital health landscape.
“Persons need to be able to know and control how the health system and other entities access, use, and disclose their personal health information and trust that their data is protected; physicians need to know that information is protected and be able to trust that information is complete and accurate… Federal legislation on and industry-wide consensus around protecting personal health information, including from discriminatory, deceptive, and harmful uses, is necessary,” Brooke Rockwern, MPH, and colleagues from the American College of Physicians wrote in the Annals of Internal Medicine. “As interoperability between health IT systems and access to personal health information improves, awareness of the implications of this improved access and new expectations and responsibilities of individuals, physicians and other clinicians, and all other entities engaged in personal health information collection and exchange are needed.”
Rockwern and colleagues pointed out that the most extensive privacy protections for individuals’ health information fall under HIPAA, but those protections only impact information held or collected by HIPAA-covered entities such as clinicians, health plans, health care clearinghouses, and their business associates, and they do not extend to “the expanding ecosystem of noncovered entities collecting personal health information, including mobile health applications (mHealth apps), wearable medical devices, social media platforms, internet search engines, and many others.”
Many of these technologies fall under section 5 of the Federal Trade Commission (FTC) Act, which gives technology developers “broad latitude” to use and disclose the personal health information collected through their devices, “so long as it is not misleading persons or causing substantial injury to them or the marketplace.”
The problem, the authors explained, is that there are currently no measures in place to help consumers know and control when and how their personal information is being accessed, used, and disclosed.
“Persons need to feel confident that they can receive needed health care and participate in the digital health ecosystem without inappropriate disclosure or use of their information, lest distrust in physicians and the health care system as a whole lead to withholding of pertinent health information with potentially negative clinical consequences,” they argued.
And the Covid-19 pandemic has highlighted these issues, Rockwern and colleagues noted—the proliferation of apps and technology designed to assist public health surveillance “elevate existing concerns around collection and use of personal health information via mHealth apps not covered under existing privacy rules.”
The ACP outlined six principles for health information privacy, protection, and use:
- “Principle 1: ACP believes that protecting the privacy and security of personal health information collected both within and outside the health care system—while providing individual rights to that information—is essential for fostering trust in the evolving digital health care system, maintaining ethical standards and respect for persons, and promoting the safe delivery of health care.
- “Principle 2: ACP supports increased transparency and public understanding and improved models of consent about the collection, exchange, and use of personal health information within existing HIPAA rules as well as for entities collecting, exchanging, and using personal health information outside the health care system.
- “Principle 3: ACP believes that the confidentiality of personal health information is a fundamental aspect of medical care, and physicians and other clinicians have an obligation to adhere to appropriate privacy and security protocols to protect individual privacy.
- “Principle 4: ACP believes that health IT and other digital technologies, including personalized digital health products, should incorporate privacy and security principles within their design as well as consistent data standards that support privacy and security policies and promote safety.
- “Principle 5: ACP supports oversight and enforcement to ensure that all entities not currently subject to HIPAA rules and regulations and that interact with personal health information are held accountable for maintaining confidentiality, privacy, and security of that information.
- “Principle 6: ACP believes that new approaches to privacy and security measures should be tested before implementation and regularly reevaluated to assess the effect of these measures in real-world health care settings.”
“Development and testing of health IT standards to facilitate privacy protections and consent as information is exchanged is extremely important,” they concluded. “In addition, widespread public education campaigns that empower individuals and physicians to make individualized decisions about the use of personal health information will support the culture of trust that is necessary to improve health care.”
John McKenna, Associate Editor, BreakingMED™