AMIA calls for tighter coordination of data privacy rules
Specifically, the AMIA wants a more integrated approach to how policies aimed at both the "health sector" and "consumer sector" are defined.
WHY IT MATTERS
A patchwork of consumer and patient privacy policies already exists in healthcare, AMIA told the National Telecommunications and Information Administration this week.
The NTIA, which is part of the Department of Commerce, was seeking comments about ways to simultaneously advance and protect both consumer privacy and technology innovation.
It was looking for advice around organizational transparency, user control over personal information, reasonable minimization of data collection, organizational security practices, user access and correction, organizational risk management, and organizational accountability.
THE LARGER TREND
AMIA told the NTIA that its comments are informed by long experience with twin healthcare policies.
"In representing the nation’s biomedical and health informatics professionals, our views are necessarily tethered to our experience with the Health Insurance Portability and Accountability Act of 1996 and the Federal Protections for Human Subjects Research, also known as the Common Rule," AMIA CEO Doug Fridsma wrote.
"These health and research 'sector' specific rules dictating the data rights and responsibilities of patients, clinicians, participants, and researchers should serve as important and informative inputs to this conversation on consumer data privacy. This is not to suggest that either HIPAA or the Common Rule should apply to the consumer data ecosystem," he explained.
"Rather, as the line between consumer and medical information systems and devices continues to blur, the administration must strive to craft concordant privacy policies across both health and consumer data ecosystems," Fridsma added.
AMIA made the point that differences in the interpretation of HIPAA have led to big variations in how it's applied. The Trump administration should seek to balance the need for both process- and outcome-oriented policies, since "over-emphasis on vague or difficult-to-measure outcomes without guidance on process will result in the failings of HIPAA – wide variation in interpretation and inconsistent implementation."
(HIPAA, meanwhile – which has been in place for more than 20 years, since the days of paper records, long predating some of the most revolutionary health and consumer technology – also seems perhaps poised for a refresh. This week, the Department of Health and Human Services' Office of Civil Rights advanced a HIPAA request for information on to the Office of Management and Budget.)
AMIA reiterated its support for patients always having access to their data – and also advocated extending that principle to other sectors of the economy, such as consumer technology. It also asked for the closing of regulatory gaps that endanger data privacy, such as various health-related technologies that still exist outside the scope of HIPAA.
Toward that end, it also asked the Federal Trade Commission to come up with a consumer data strategy that "supports trust, safety, efficacy, and transparency across the proliferation of commercial and nonproprietary information resources" and develop an "ethical framework around the collection, use, storage, and disclosure of the personal information consumers may provide to organizations."
ON THE RECORD
"We applaud the administration for initiating this long overdue conversation," said Fridsma in a statement. "Just as we strive to ensure that patients have access to and control over their data, we must strive to deliver the same for consumers. The administration should learn from the health sector and develop improved privacy policies across all sectors of the economy."