While much of the attention of the privacy policy community in Washington, D.C. has been focused on the two reports issued in December 2010 by the Federal Trade Commission and the Department of Commerce, a third government report has received far less press attention, but may have a greater impact on U.S. business and consumers. The work of the President’s Council of Advisors on Science and Technology (“PCAST”) and its Health Information Technology Working Group, the report, “Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward,” was released by the White House on December 8, 2010.
The report focuses on the promise of information technology for health treatment and research, noting the considerable investment in the area by industry and the federal government (the American Recovery and Reinvestment Act of 2009 alone provides nearly $36 billion for health information technology). The real thrust of the report, however, is the lack of uptake – “Despite this great promise, the impact of IT on healthcare over the past decade has so far been modest”– and recommendations for what to do about it.
To achieve the promise of health IT, the report recommends moving from a system oriented around “records” to one oriented around individual “data elements:”
“…the best way to manage and store data for advanced data-analytical techniques is to break data down into the smallest individual pieces that make sense to exchange or aggregate. These individual pieces are called “tagged data elements,” because each unit of data is accompanied by a mandatory “metadata tag” that describes the attributes, provenance, and required security protections of the data.”
Tagged data elements could then be shared across institutions through a “universal exchange language,” that the federal government would create standards for and that industry would develop and deploy.
Based on these recommendations alone, the report would be significant, because if implemented, these recommendations would change the structure of IT in the largest industrial sector in the United States.
But the report goes on to address privacy explicitly and in apparently contradictory ways.
On the one hand, the report stresses the need to enact “strong, persistent, privacy safeguards.” According to the report, consent must be part of those safeguards. “An individual’s right to have some meaningful choice in how their information is shared is one important component of a comprehensive set of protections. Where such choices are provided, either in law or by policy, they must be persistently honored.”
The report repeatedly lauds the value of data tagging as a way of recording “patient privacy preferences” that could then control subsequent use of the tagged data elements. “An exchange language based on tagged data elements allows for privacy rules and policies to be more effectively implemented; it also allows for more finer grained individual privacy preferences to be more persistently honored.”
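The report's model, as described above, is that each data element carries a mandatory metadata tag (attributes, provenance, required security protections) and that patient privacy preferences recorded in the tag govern later use wherever the element travels. The following is an added illustration of that architecture, written for this page and not taken from the PCAST report or any health IT standard; the field names, the role vocabulary, the purpose labels and the sample lab value are all constructed assumptions. It shows a tag travelling with its element through a serialize/deserialize "exchange", a use-authorization check that applies only rules found in the element's own tag, and rejection of an element that arrives without a tag.

```python
"""Tagged data element with a mandatory metadata tag, and a use check that enforces
the tag's security protections and the patient's recorded privacy preference.
Constructed illustration; all field names and values are assumptions."""
from dataclasses import dataclass, asdict
import json


@dataclass
class MetadataTag:
    # Attributes: what kind of element this is (assumed vocabulary)
    element_type: str
    # Provenance: where the value came from and when (constructed values)
    source: str
    recorded_at: str
    # Required security protections that must hold before the value is released
    min_role: str            # lowest role permitted to read the element
    encrypt_in_transit: bool
    # Patient privacy preference: the purposes the patient has permitted
    permitted_purposes: frozenset


@dataclass
class TaggedDataElement:
    element_id: str
    value: str
    tag: MetadataTag

    def to_json(self) -> str:
        """Serialize for exchange; the tag is carried inside the element."""
        d = asdict(self)
        d["tag"]["permitted_purposes"] = sorted(self.tag.permitted_purposes)
        return json.dumps(d)

    @staticmethod
    def from_json(s: str) -> "TaggedDataElement":
        """Parse a received element; a missing tag is a hard error, never a default."""
        d = json.loads(s)
        if "tag" not in d:
            raise ValueError("metadata tag is mandatory; element rejected")
        t = d["tag"]
        t["permitted_purposes"] = frozenset(t["permitted_purposes"])
        return TaggedDataElement(d["element_id"], d["value"], MetadataTag(**t))


# Assumed role ordering for the min_role protection (not from the report)
ROLE_RANK = {"researcher": 0, "nurse": 1, "physician": 2}


def authorize_use(elem: TaggedDataElement, requester_role: str,
                  purpose: str, channel_encrypted: bool):
    """Return (allowed, reason). Every rule applied here comes from elem.tag,
    so the decision is the same at any institution that holds the element."""
    tag = elem.tag
    if tag.encrypt_in_transit and not channel_encrypted:
        return False, "security protection: encrypted transport required"
    if ROLE_RANK.get(requester_role, -1) < ROLE_RANK[tag.min_role]:
        return False, f"security protection: role {requester_role!r} below {tag.min_role!r}"
    if purpose not in tag.permitted_purposes:
        return False, f"patient preference: purpose {purpose!r} not permitted"
    return True, "allowed"


# Constructed sample: a lab result whose patient permits treatment use only
SAMPLE = TaggedDataElement(
    element_id="elem-0001",
    value="HbA1c 6.1%",
    tag=MetadataTag(
        element_type="lab_result",
        source="example-clinic-lab",
        recorded_at="2010-12-01T09:30:00Z",
        min_role="nurse",
        encrypt_in_transit=True,
        permitted_purposes=frozenset({"treatment"}),
    ),
)


def exchange_and_authorize(elem, requester_role, purpose, channel_encrypted):
    """Send the element across an exchange boundary, then decide at the receiver."""
    received = TaggedDataElement.from_json(elem.to_json())
    return authorize_use(received, requester_role, purpose, channel_encrypted)


if __name__ == "__main__":
    for role, purpose, enc in [("physician", "treatment", True),
                               ("physician", "research", True),
                               ("researcher", "treatment", True),
                               ("nurse", "treatment", False)]:
        print(role, purpose, enc, "->", exchange_and_authorize(SAMPLE, role, purpose, enc))
```

The receiver never consults a local policy table for the patient's choice; it reads the preference that arrived with the element, which is what "persistently honored" would have to mean in practice. The same property is also the source of the tension the post goes on to describe: a researcher who asks for the element is refused by the tag itself, regardless of any institutional research authorization.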
Then, on the following page, the report recommends moving beyond the HIPAA Privacy Rule to free up health research from the bureaucratic burdens of patient choice. Citing a 2009 report by the Institute of Medicine that recommended minimizing the role of individual consent for the use of protected health information in health research, the PCAST report urges that the Privacy Rule “should be reformulated so that they ensure both patient privacy and patient benefit from medical research, in a world where medical data are increasingly in electronic form and where there is a growing need for real-time or near-real-time aggregated data to improve healthcare.”
The irony could hardly be more stark. The Institute of Medicine report that PCAST cites concluded that “a universal requirement for informed consent would impede important health research and lead to biased, ungeneralizable results, to the detriment of society.” Meanwhile, “[t]he Privacy Rule, as currently defined and operationalized in practice, does not provide effective privacy safeguards for information-based research because of an over-reliance on informed consent, rather than comprehensive privacy protections.”
In short, within two pages, the PCAST report recommends both amending HIPAA to permit greater access to protected health information to facilitate research, and implementing data-tagging that would allow each individual to impose his or her own unique conditions on the terms under which access might be allowed.
Whichever view of privacy and consent prevails, the impact on privacy policy is likely to be significant, especially since there are already indications from the Office of the National Coordinator for Health Information Technology that it takes the PCAST recommendations, which come from the Executive Office of the President, very seriously.
If the PCAST report is implemented in a way that focuses more on its recommendation that the Privacy Rule be revised to focus less on consent in an effort to facilitate effective, affordable and timely health treatment and research, this would be consistent with a recent series of government reports, including the Federal Trade Commission’s privacy report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” and the Department of Commerce’s Green Paper, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.” And the Institute of Medicine also clearly recognizes the limits of choice as a tool for protecting privacy. As stated in the Institute’s report, “consent (authorization) itself cannot achieve the separate aim of privacy protection” because “obligations to safeguard privacy, such as security, transparency, and accountability, are independent of patient consent. In fact, preventing the secondary use of personal data is the only privacy obligation that consent can potentially address.”
If, on the other hand, the PCAST report is interpreted to focus more on the recommendation that granular privacy preferences be coded in data tags that would guide the use of individual data elements indefinitely, this would run contrary to these reports and significantly change the way U.S. policy approaches privacy protection.
Moreover, the experience with notice and choice to date suggests that basing privacy protection on “more finer grained individual privacy preferences” that would be “more persistently honored” would be unworkable. In the face of the extraordinary proliferation of health-related information, it seems unrealistic to expect that individuals, who already overwhelmingly ignore privacy notices and choice opportunities, are going to have the time, expertise or interest to express even more detailed preferences.
The report is now in the hands of the National Coordinator, who has the responsibility for implementing it.