Existential challenges for healthcare data protection in the United States


ARTICLE IN PRESS (JEMEP-186; No. of Pages 9)

Ethics, Medicine and Public Health (2017) xxx, xxx—xxx. Available online at ScienceDirect, www.sciencedirect.com

DOSSIER "PRIVACY: DEFINITION, PROTECTION AND PROJECTION" – Thoughts

Existential challenges for healthcare data protection in the United States
Des défis existentiels pour la protection des données de santé aux États-Unis

N. Terry (Hall Render Professor of Law, Executive Director), Hall Center for Law and Health, Indiana University Robert H. McKinney School of Law, 530 West New York Street, Indianapolis, IN 46202, United States

Received 22 November 2016; accepted 28 January 2017

KEYWORDS Big data; GDPR; Healthcare data; HIPAA; Privacy laws; Protection

Summary

There are increasing threats to healthcare data protection in the United States. Most federal data privacy laws apply only to specific sectors, such as healthcare, education, communications, or financial services. In the absence of comprehensive data protection legislation there are multiple, sectoral approaches. These privacy laws are noticeably limited in their vertical scope, preferring downstream protections such as confidentiality, security, and breach notification. Hardly any US laws contain upstream requirements that minimize or otherwise limit data collection. The imminent "EU General Data Protection Regulation" (GDPR) is considerably more comprehensive. Horizontally, it applies to all sectors of the economy, all broadly defined "personal data," and all who control or process data. Vertically, it applies protective standards throughout the lifespan of data. In the US, the primary federal law applying to healthcare data comprises regulations known as the "HIPAA Privacy and Security Rules." The HIPAA rules provide considerably weaker protection than the GDPR, although they are far stronger than the protections applicable to other commercial sectors in the US. HIPAA has relatively narrow scope, essentially only applying to data held by traditional healthcare providers and applying only downstream protections: confidentiality, security, and breach notification. Notwithstanding its weaknesses, the HIPAA rules are quite detailed and generally well enforced. Thus, HIPAA has created expectations in patients that all their healthcare data are safe. This is no longer the case, either within the HIPAA "zone" or outside of it. First, traditional providers have almost completed their transition from paper to electronic health records, during which they swap the protections inherent in unconnected file rooms for far riskier computerized longitudinal databases. Second, multiple parties outside of healthcare view healthcare data as having great value; "big data" brokers collect healthcare data or medically-inflected data for their predictive analytics products, while cybercriminals long since have recognized the profit in stealing health records. Third, consumer electronics companies continue to disrupt healthcare data markets (and data protection) by encouraging consumers to themselves collect and curate data from mobile health apps, wearable devices and the "internet of things." These challenges to healthcare data protection highlight the fundamental flaws of domain-limited protections and over-reliance on a limited set of protective models. The former because disruptive businesses and technological innovations can make a nonsense of narrowly-defined sectoral protections. The latter because policymakers need a broader array of tools to combat modern challenges, while reliance on downstream models intrinsically concedes the correctness of unregulated data collection. The outlook for US healthcare data protection is increasingly bleak. In the aftermath of the 2016 US election, it is quite likely that HIPAA rules will be enforced with less enthusiasm, encouraging an increase in data leaks from the health care system. Further, those victorious in the election are no friends of pro-privacy regulatory agencies and some of their data protection activities may be reined in. It is also extremely unlikely that comprehensive privacy legislation will be passed by the incoming administration. Yet, technological progress and consumer choice almost inevitably will result in increasing amounts of healthcare data being created and processed outside the HIPAA-protected zone. Not surprisingly, therefore, healthcare data protection in the US faces a perilous future and one that increasingly will be at odds with the protections offered by its trading partners. © 2017 Elsevier Masson SAS. All rights reserved.

E-mail address: [email protected]
http://dx.doi.org/10.1016/j.jemep.2017.02.007
2352-5525/© 2017 Elsevier Masson SAS. All rights reserved.

Please cite this article in press as: Terry N. Existential challenges for healthcare data protection in the United States. Ethics, Medicine and Public Health (2017), http://dx.doi.org/10.1016/j.jemep.2017.02.007

KEYWORDS (French) Big data; GDPR; Health data; HIPAA; Privacy laws; Protection

Résumé (translated from the French)

There are increasing threats to the protection of health data in the United States. Most federal data protection laws apply only to particular sectors such as health, education, communications or financial services. In the absence of comprehensive data protection legislation, there are multiple sectoral approaches. These privacy laws are noticeably limited in their vertical scope, preferring downstream protections such as confidentiality, security and breach notification. Few US laws contain upstream requirements that minimize or limit data collection. The imminent EU "General Data Protection Regulation" (GDPR) will be much more comprehensive. Horizontally, it applies to all sectors of the economy, to all broadly defined "personal data", and to all those who control or process data. Vertically, it applies protective standards throughout the lifespan of the data. In the United States, the primary federal law applying to health data comprises regulations known as the "HIPAA Privacy and Security Rules". The HIPAA rules offer much weaker protection than the GDPR, although they are much stronger than the protections applicable to other commercial sectors in the United States. The scope of HIPAA is relatively narrow: it applies essentially to data held by traditional care providers and applies only downstream protections: confidentiality, security and breach notification. Despite its weaknesses, the HIPAA rules are quite detailed and generally well enforced. As a result, HIPAA has created expectations among patients that all their health data are safe. This is no longer the case, either within the HIPAA "zone" or outside it.

First, traditional providers have almost completed their transition from paper to electronic health records, in the course of which they exchange the protections inherent in unconnected file rooms for those of computerized longitudinal databases, which are far riskier. Second, several parties outside healthcare regard health data as having great value. "Big data" brokers collect health data or medically inflected data for their predictive analytics products, while cybercriminals have long recognized the profit in stealing medical records. Third, consumer electronics companies continue to disrupt health data markets (and the protection of those data) by encouraging consumers to collect and retrieve data from mobile health applications, wearable devices and the Internet of Things. These challenges to health data protection highlight the fundamental flaws of domain-limited protections and excessive reliance on a limited set of protective models. The former because disruptive businesses and technological innovations can make a nonsense of narrowly defined sectoral protection. The latter because policymakers need a broader array of tools to combat modern challenges, while reliance on downstream models intrinsically concedes the correctness of unregulated data collection. The outlook for health data protection in the United States is increasingly bleak. In the aftermath of the 2016 US elections, it is highly likely that the HIPAA rules will be enforced with less enthusiasm, which will encourage an increase in data leaks from the health system. Moreover, those who won the election are no friends of privacy regulators, and some of their data protection activities may be curtailed. It is also extremely unlikely that a privacy law will be adopted by the incoming administration. Yet technological progress and consumer choice will almost inevitably lead to an increase in the amount of health data created and processed outside the HIPAA-protected zone. It is therefore not surprising that the protection of healthcare data in the United States faces a perilous future, one increasingly at odds with the protections offered by its trading partners. © 2017 Elsevier Masson SAS. All rights reserved.

Introduction

Healthcare data protection in the United States faces increasing, potentially existential threats. Technological challenges inside the healthcare domain have never been greater. Traditional providers are completing their transition from paper to electronic health records, in the course of which they swap the protections inherent in siloed filing cabinets for computerized longitudinal databases; databases that policymakers increasingly insist should be designed to be shared with patients, other providers and researchers. Third parties increasingly view healthcare data as having great value; big data brokers are scraping up healthcare or medically-inflected data to feed their predictive analytics products, while cybercriminals long since have recognized the profit in stealing health records that typically also contain a wealth of financial information. Meanwhile, consumer electronics companies are disrupting healthcare data markets by encouraging consumers to themselves collect and curate data from mobile health apps, wearable devices and the internet of things (IoT). Even comprehensive data protection systems such as those in the European Union can find themselves challenged by new technologies and emerging business models. However, the US lacks any such comprehensive system, enjoying data protection models that are as fatally fragmented as its healthcare system. This article seeks to describe and evaluate the current state of US healthcare data, expand on the existential threats to its heretofore-exceptional system of healthcare data protection, briefly analyse some of the proposals to fix the broken system, and evaluate the likelihood of their enactment.

Data protection in the US and EU compared

Data protection laws may be compared by examining three key properties: their horizontal reach (the public and private domains they regulate), their vertical attributes (what data custodian behaviours they regulate), and their enforcement (including investigation and penalties). The EU Data Protection Directive [1] and its imminent successor, the EU General Data Protection Regulation (GDPR) [2], constitute the current gold standard. The GDPR is comprehensive across both horizontal and vertical dimensions. Horizontally, it applies to all sectors of the economy, all broadly defined "personal data," and all who control or process data. Vertically, it applies Fair Information Practice Principles (FIPPs)-like protective standards throughout the lifespan of data, from creation through destruction. At the point of creation, "upstream" where data is collected, the GDPR applies a purpose limitation (data may only be collected for legitimate and specified purposes) and requires data minimization (data collection is limited to what is necessary for the purpose for which they are collected). "Downstream," where data is processed and disclosed, the GDPR requires fairness, lawfulness and transparency, and applies storage (no longer than necessary), quality, security, integrity and confidentiality limitations. Data subjects are given access, correction, use (such as the right to object to marketing uses), and erasure rights, while data custodians owe duties of accountability and breach notification.

Most of these protection properties are noticeably absent from US data laws. First, there is no comprehensive horizontal protection. Although the Federal Trade Commission (FTC) possesses baseline powers under the Fair-Trade Commission Act (FTCA) §5(a) to stop unfair or deceptive practices, these powers are limited to holding accountable entities that fail to comply with their own privacy policies or, belatedly, those that have demonstrably failed to counter multiple data breaches [3]. As acknowledged by a 2012 White House report, the FTCA aside, "most Federal data privacy statutes apply only to specific sectors, such as healthcare, education, communications, and financial services or, in the case of online data collection, to children" [4]. In other words, there is no comprehensive data protection model but multiple sectoral or domain-specific approaches. Indeed, this "sectoral approach is emblematic of the lack of a perceptible, cohesive commercial data privacy policy, which creates complexity and costs for businesses and confuses consumers" [5]. Not surprisingly, data protection across these different domains varies considerably. Further, and exacerbating this uneven legislative environment, different domains have distinct regulators, creating yet more legal indeterminacy and stakeholder confusion. Most domains enjoy no protections above the FTCA baseline or analogous protections provided by state consumer protection statutes. At the federal level, the Federal Communications Commission (FCC) finally is moving to protect broadband customers with strong consent provisions, albeit without any requirements for data minimization [6]. The data responsibilities of the financial services sector are regulated by several federal agencies under the Gramm—Leach—Bliley Act (GLBA) [7]. However, GLBA uses a relatively thin, opt-out protective model and does not even apply to all entities that hold consumer financial data, merely a defined list of data custodians. Other rules apply to a (very) short list of additional sectors such as credit reports [8] and video rental records [9].

The vertical attributes of US data laws are quite limited. The FIPPs initially were developed in the US [10] and thereafter advanced by the Federal Trade Commission (FTC) [11]. However, mostly they are absent from contemporary US data laws that regulate private parties. Judged against the GDPR, the US data protection system is noticeably incomplete in its vertical scope. This is because common law models, state statutes, and federal legislation and regulation generally only utilize downstream protections such as confidentiality, security, and breach notification. Hardly any US laws contain upstream requirements that minimize or otherwise limit data collection.

Healthcare data protection in the US

To the outsider, US healthcare might appear to be a hybrid private-public care model with even a few Bismarck-like characteristics. In fact, it is essentially a private system. Federal and state government agencies distribute tax-derived healthcare funds through programs such as Medicare and Medicaid, but they distribute them to private entities (physicians, physician groups, managed care organizations, pharmacies, and hospitals) who render private care to patients. Beveridge-like, government-provided direct healthcare is limited to active service personnel and veterans. Indeed, those who are not extraordinarily poor, disabled, or retired will see hardly any government largesse, relying on employer-provided health benefits if they are lucky or the vagaries of the individual market or Affordable Care Act insurance exchanges if they are not. Thus, healthcare data protection overwhelmingly is a function of the limited and diverse rules applicable to the private sector. Substantively, healthcare data protection is both typical of the lamentable state of data protection generally (exemplifying both sectoral and downstream-limited constructs) and, in one important way, quite atypical (it is quite robust). The governing federal law comprises regulations known as the HIPAA Privacy and Security Rules (HIPAA) [12]. Initially promulgated in 1999, they have been amended several times, with the most important changes following the passage of the pro-privacy Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 [13].

Narrow applicability

HIPAA is typical of US data protection; it is domain-specific and provides only downstream protections. In general, the HIPAA rules protect "individually identifiable health information" [14] held by health care entities [15]. It is this latter limited definition of the regulated domain that is most troublesome. Critically, HIPAA does not define the domain by data type (for example, healthcare data) but by regulating a limited set of traditional healthcare data custodians (essentially health insurers and providers). A few non-healthcare parties that are in contractual relationships with providers (for example, outside counsel) will qualify as "business associates" and will be pulled into the regulatory space. However, most healthcare data controlled or processed by those outside the traditional healthcare environment will not be subject to the HIPAA rules.

Downstream mechanisms

The HIPAA privacy rule contains two downstream protective mechanisms. First, it employs a data protection model that seeks to contain the collected data within the healthcare system by prohibiting its migration to non-healthcare parties [16]. This no-disclosure-absent-authorization approach is a regulatory version of the duty of confidentiality. Like the common law breach of confidence tort, HIPAA imposes strict liability. However, unlike that tort, HIPAA does not provide a private right of action, instead favouring administrative sanctions. The second protective mechanism found in the HIPAA privacy rule is the duty of data custodians to notify certain stakeholders of a breach [17]. Authorized by the 2009 HITECH Act and finalized by regulation in 2013, breach notification is a quintessentially downstream protective model (and one newly adopted by the GDPR). Indeed, conceptually it is barely a data protection mechanism, given that its premise is that the data are no longer safe. However, breach notification does have some deterrence value. It operates as one of the primary sources of information for investigators about possible HIPAA violations. It also triggers a certain amount of public shaming because the Office for Civil Rights (OCR), HIPAA's data protection agency, is required to post breach notices affecting 500 or more individuals [18]. The HIPAA security rule requires that covered entities implement "reasonable and appropriate administrative, technical, and physical safeguards" of protected health information (PHI) [19]. The security rule is short on prescriptive detail; for example, there is no absolute requirement to encrypt health care data either at rest or in motion. Rather, the rule is classic compliance regulation, requiring covered data custodians to perform security risk analyses and build "best practices" safeguards.


Surprising but qualified robustness

For all its problems, HIPAA data protection of the healthcare domain is noticeably more robust than that enjoyed by other domains and thus, to an extent, atypical of US data protection. There are several features of HIPAA that led to this healthcare data protection exceptionalism. First, the HIPAA rules were tailored exclusively to the healthcare system. Indeed, it is likely that HIPAA's Department of Health and Human Services (HHS) architects were more familiar with provider relationships, processes, and payments than with data protection models. Thus, the HIPAA rules are well-calibrated to the domain. For example, disclosure limitations and even exceptions from protection generally reflect the needs and processes of healthcare stakeholders, although critics might argue that the balance is tipped more in favour of providers than patients. Both points are illustrated by HIPAA's primary derogation from its confidentiality rule: a covered entity may, without the patient's authorization, use or disclose PHI for its own treatment, payment, and health care operations activities [20]. Second, while one of the most compelling criticisms of the HIPAA rules is that they do not subscribe to or promote any general principles and so lack an educative function, their granular detail generally does provide for a degree of regulatory clarity. Indeed, a distinction can be drawn between the privacy and security rules in this regard; the former is comprehensive, detailed, and prescriptive, while the latter relies more on broader requirements and best practices. Third, the 2008 presidential election and, subsequently, the HITECH Act of 2009 brought about important changes to HIPAA enforcement. The Obama administration, committed to increased regulation of the healthcare space (as further evidenced by the passage of the ACA), centralized investigation and enforcement under the Office for Civil Rights and appointed more active investigators to the office. HITECH introduced higher penalties for noncompliance and leveraged state actors to investigate privacy and security breaches. Further, audits and the new breach notification process provided OCR with additional sources of information about data protection lapses. During the eight years of the Obama administration there has been a steady increase in the number of settlements with those out of compliance and a significant increase in settlement amounts [21].

HIPAA, therefore, has some positives. However, it has as many negatives. The privacy rule has some unfortunately porous properties; it allows too much data liquidity within the healthcare system and has generous sharing rules with outside entities such as law enforcement and public health authorities. Further, while HIPAA may have been tailored to healthcare, that was a pre-technology, 1990s model of healthcare, when only traditional providers were interested in healthcare data and sharing data with other providers or, heaven forbid, with patients was rare. Similarly, risk factors were lower when HIPAA was introduced; cyberattacks were almost unknown and de-identification was viewed as satisfactory protection for sensitive data. Equally, a student of the GDPR likely would be unimpressed by HIPAA's narrow reliance on confidentiality, breach notification, and security models of data protection; modern threats to data protection require additional upstream models such as collection limitations based on context or purpose and data minimization.

Existential challenges

The somewhat atypical, even exceptional protection afforded healthcare data in the US creates a unique contemporary challenge. Although HIPAA's robustness is a positive, it creates expectations in patients that all their healthcare data are safe, and that is no longer the case either within the HIPAA zone or outside of it. The challenges to healthcare data protection discussed here highlight the fundamental flaws with domain-limited protections and reliance on a limited (and downstream) set of protective models. The former, because disruptive businesses and technological innovations can make a nonsense of narrowly-defined sectoral protections. The latter, because policymakers require a broader array of tools to combat modern challenges, while reliance on downstream models intrinsically concedes the correctness of unregulated data collection. As currently constituted, healthcare data protection will face major challenges in the decades ahead, unprepared as it is for genomic research-based precision medicine and robotics. Contemporary challenges from electronic health records, big data, personal health technologies, and the internet of things illustrate why.

Electronic health records

Although telemedicine previously had seen modest implementation, it was the publication of To Err is Human [22] in 2000 that accelerated interest in the broad adoption of health information technologies (HIT). That and subsequent reports from the Institute of Medicine documented a disturbing level of avoidable adverse events and called for improvements in data gathering (adverse event reporting), outcomes research, and the adoption of HIT. Thereafter, computerized order entry, clinical decision support systems, and electronic health records (EHRs) were implemented in a small number of advanced healthcare entities. Beginning in 2004, the Bush administration made a determined effort to accelerate the implementation of EHRs. However, again implementation was only modest, often restricted to large vertically-integrated healthcare systems such as the federal veterans administration. Subsequently, in 2009 the Obama administration introduced the Meaningful Use program, providing approximately $30 billion in funds to subsidize the adoption of EHRs by physicians and hospitals [23]. By 2016, over 95% of hospitals were "meaningfully" using EHRs [24], although office-based physicians lagged at only 56% [24]. The adoption of HIT fundamentally changed the data protection risk environment. Paper records scattered around multiple physician offices posed few privacy or security risks. The threat level rose exponentially when the healthcare industry, which had a woeful track record regarding information technologies, was charged with protecting computerized, longitudinal and remotely accessible records. The Obama administration tacitly recognized this, and the HITECH Act that subsidized the EHR program also authorized improvements to the HIPAA privacy and security rules.


Subsequently, tighter rules were enacted, for example, limiting how healthcare providers could use patient data for marketing or fundraising, prohibiting unauthorized sale of PHI, and, as previously discussed, breach notification and increased enforcement [25]. Notwithstanding these reforms, healthcare data protection has not improved noticeably. Thousands of alleged violations are reported to OCR each year [26], while sanctions are seldom visited on minor breach "repeat offenders" [27]. Sanctions for serious breaches of the privacy rule continue to be imposed for relatively obvious transgressions by hospitals such as unauthorized filming of patients by a TV crew, posting of unauthorized patient testimonials, and dumping 71 boxes of patient records outside a retired physician's home [28]. Providers have also been penalized for failing to enter into business associate agreements [29], while ONC has issued guidance making clear that covered entities should always have such agreements with their cloud services providers [30]. Increasingly, enforcement activities have emphasized violations of the security rule. In part this has been a function of the generally poor state of health care entities' security and, in particular, the underutilization of encryption. Again, OCR has applied sanctions in relatively obvious cases such as insecure Internet-based document sharing, stolen laptop computers, mislaid thumb drives, and the absence of a firewall [31]. Increasingly, the limited state of health care entities' security has been highlighted by a dramatic upsurge in the number of healthcare cyberattacks. Healthcare is now the top target for cybercriminals; the records not only contain valuable information in their own right, enabling prescription diversion, but also multiple types of information useful to hackers such as credit card data and social security numbers [32]. Hospitals have also been popular targets for ransomware attacks, where malicious code is injected into an entity's servers to prevent the entity itself from accessing its data until it pays a ransom [33]. OCR even released HIPAA guidance on the topic confirming that such an attack would be a HIPAA "security incident" and in some cases a notifiable breach [34]. Overall, the upshot is that patient data that is held by traditional healthcare stakeholders and that is subject to HIPAA data protection models increasingly is in jeopardy.

Big data

Big data health analytics operating within the healthcare system do pose some data protection issues and questions concerning the detailed application of HIPAA (for example, whether outcomes research is covered by healthcare “operations”). However, the more controversial problem is how data brokers treat health-related data that lies outside the traditional healthcare system and so beyond the reach of HIPAA. According to the FTC, “data brokers collect information about consumers from a wide variety of commercial, government, and other publicly available sources. In developing their products, the data brokers use not only the raw data they obtain from these sources, ... but also certain derived data, which they infer about consumers...” [35]. Thereafter, “data brokers use this actual and derived data to create three main kinds of products for clients in a wide variety of industries: marketing products, risk mitigation products, and people search products” [29]. Those commercial sources include some data from within the healthcare system. For example, de-identified healthcare data is not protected by HIPAA and may migrate out of the healthcare system (where it might even be re-identified). However, it is inferred data that powers most data products. Some, referred to as medically-inflected data (such as transaction data on health-related goods), are more obviously health-related. But data brokers leverage all types of data to market health profiles and health scores about individuals. Indeed, data mining permits the creation of proxy health profiles of our medical selves outside of HIPAA-protected space [36]. Health scoring, like the financial scoring that preceded it, suggests a world of data determinism and certainly carries the risk of health or behavioural discrimination. According to the EU Article 29 Working Party, “[t]he type of analytics application used can lead to results that are inaccurate, discriminatory or otherwise illegitimate. In particular, an algorithm might spot a correlation, and then draw a statistical inference that is, when applied to inform marketing or other decisions, unfair and discriminatory. This may perpetuate existing prejudices and stereotypes, and aggravate the problems of social exclusion and stratification” [37]. In the EU, such predictive behavioural analytics would usually require “free, specific, informed and unambiguous ‘opt-in’ consent... for further use [to] be considered compatible” [38]. “Specifically, such consent should be required... for tracking and profiling for purposes of direct marketing, behavioural advertisement, data-brokering, location-based advertising or tracking-based digital market research” [29]. No such requirement exists in the US; HIPAA does not apply, and the FTC’s powers under the Fair Credit Reporting Act (FCRA) are limited [10].

The FTC has called for opt-in legislation, “requiring that consumer-facing sources obtain consumers’ affirmative express consent before collecting and sharing such information with data brokers” [39]. However, as noted below, this and other calls for reform have failed to find legislative traction [40].

Personal health technologies and the internet of things

Approximately 200,000 mobile health apps are available for download from smartphone app stores [41]. Many interact with “wearables”: fitness and wellness bands, watches, and patches. Analysts have projected a $70 billion market for wearable technology by 2025 [42]. Together these technologies create almost immeasurable streams of fitness and wellness data. Relatively few of these apps or wearables will be developed or supplied by traditional healthcare providers or their business associate partners. As a result, these data generally will not be protected by the HIPAA privacy or security rules [43], notwithstanding the high levels of risk they generate [44]. Unfortunately, many medical app and wearable manufacturers offer inadequate privacy policies, and their products frequently exhibit basic security flaws.

Please cite this article in press as: Terry N. Existential challenges for healthcare data protection in the United States. Ethics, Medicine and Public Health (2017), http://dx.doi.org/10.1016/j.jemep.2017.02.007


The EU Article 29 Data Protection Working Party described the IoT as “an infrastructure in which billions of sensors embedded in common, everyday devices — ‘things’ as such, or things linked to other objects or individuals — are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems using networking capabilities” [45]. Increasingly, connected infrastructure and domotics will be parsing or collecting healthcare data. Clearly, there are benefits to such interaction. First, health-related personal technologies will be more aware of their user’s current state: prescription medicine dispensers might note non-compliance, wearables could detect an elderly wearer’s fall, and research suggests patient care improves when patients’ devices connect with providers [46]. Second, increased interconnectivity will make devices more aware of their user’s environment, aiding in the recording of social determinants or identifying a particular health danger; for example, if an asthmatic were about to enter an area with a high level of pollutants. Third, IoT devices working in conjunction with other technologies could trigger certain actions: notifying a caregiver of a malfunctioning elevator in a patient’s building, or automatically unlocking an access door upon the arrival of emergency services [47]. Although the IoT shares many of the same data protection problems as personal health technologies [29], policymakers have highlighted concerns about the “stunning” potential of IoT devices for data generation [46] and their possible use for surveillance and profiling [45]. However, perhaps the greatest challenges posed by the IoT are security-related. IoT devices are notoriously insecure [48] and are difficult, maybe impossible, to patch [49].

Legislative or regulatory amelioration

Reform of the broken US data protection system is difficult. Policymakers have over-committed to downstream rules and, even if “tweaked,” such rules cannot deal with the challenges to healthcare data protection; for example, upstream models would also need to be deployed to require a purpose limitation or achieve some level of data minimization. A specific problem is the current system’s commitment to the disclosure-centric confidentiality model. Confidentiality has some salience when applied to the physician-patient relationship, but it does not scale well to healthcare institutions and is based on a fiction when the parties (such as a supermarket customer and a data broker) have no pre-existing relationship. More importantly, the challenge today does not call for an on-off switch (share or not) but for answers to the more nuanced questions surrounding what can be collected, disclosed or processed for what purposes; questions that require better data protection tools to answer. For related reasons, improving the protections offered by regulatory models that, like HIPAA or GLBA, rely on domain-specific data custodians is almost impossible. For example, an “easy fix” might appear to be extending the HIPAA definition of data custodian (“covered entity”) to include persons outside of traditional health care, such as mobile app developers or data brokers with access to healthcare data. However, not only is there no statutory authority for such a change, but also most of the protections thereby triggered would make little sense outside of the traditional healthcare system. Over the last six years, there have been consistent calls for statutory reform from the White House and the FTC. Such reforms would have created a more comprehensive, FIPPS-respecting data protection environment, with vertical and horizontal regulation more closely resembling that of the GDPR [50]. Agencies have also proposed narrower legislation to precisely target some data protection abuses. For example, the Federal Communications Commission (FCC) has issued new regulations requiring opt-in consent before broadband providers can share sensitive information, including health information [51]. Further, the FTC has recommended immediate legislation to require “that consumer-facing sources obtain consumers’ affirmative express consent before collecting and sharing such information with data brokers” [39]. Absent legislation, data protection for healthcare data left unprotected by HIPAA depends on case-by-case determinations of specific FCRA violations by data brokers [52], the occasional application of the FTC’s more general powers to curtail unfair or deceptive practices [53], or the “accident” of one of the few progressive state data protection laws being applicable [54].

Conclusion

Current US law provides exceptional (albeit only downstream) protection for data circulating within the traditional healthcare system. Among its exceptional qualities, the federal health data protection model displays detailed mapping to the healthcare industry and superior enforcement. However, its most exceptional property is that it provides vastly more protection for healthcare data than is enjoyed by other industrial sectors, where protections are negligible. Herein lies one of the more significant comparisons with the situation in the EU. The GDPR, like its predecessor Directive, also provides that some special categories of sensitive personal data, such as healthcare and genetic data [55], require additional protection or special treatment. The difference, of course, is that the GDPR baseline of protections is so much higher than anything existing in the US. A bleak outlook for US healthcare data protection is growing bleaker. Following the 2016 US election, it is quite possible that there will be a reduction in HIPAA enforcement, making leaks out of the traditional health care system more likely. Further, those victorious in the election are no friends of the FTC or FCC, suggesting some of their data protection activities may be reined in. It is also extremely unlikely that comprehensive privacy legislation will be passed by the incoming administration. Yet technological progress and consumer choice almost inevitably will result in increasing amounts of healthcare data being created and processed outside the HIPAA-protected zone. Not surprisingly, therefore, healthcare data protection in the US faces a perilous future, and one that increasingly will be at odds with the protections offered by its trading partners.


Disclosure of interest

The author declares that he has no competing interest.

References

[1] Ware WH, et al. Records, computers and the rights of citizens. Final report. Washington, D.C: Secretary of Health, Education, and Welfare’s Advisory Committee on Automated Personal Data Systems; 1973.
[2] Landesberg M, Levin T, Curtin C, Lev O. Privacy online: a report to congress. Washington, D.C: US Federal Trade Commission; 1998.
[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). [Available at: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC].
[4] Directive 95/46/EC.
[5] F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
[6] The White House. Consumer data privacy in a networked world: a framework for protecting privacy and promoting innovation in the global digital economy; 2012 [Available at: https://www.whitehouse.gov/sites/default/files/privacy-final.pdf].
[7] Id., pg 59.
[8] US Federal Communications Commission. FCC adopts privacy rules to give broadband consumers increased choice, transparency and security for their personal data; 2016 [Available at: http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db1027/DOC-341937A1.pdf].
[9] Gramm-Leach-Bliley Act, Pub. L. No. 106-102, § 501, 113 Stat. 1338, 1436 (1999).
[10] 15 U.S.C. § 1681 et seq.
[11] Pub. L. No. 100-618, 102 Stat. 3195.
[12] HIPAA Administrative Simplification, 45 CFR Parts 160, 162, and 164 (unofficial version, as amended through March 26, 2013). [Available at: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf].
[13] H.R. 1, 111th Cong. (2009).
[14] 45 C.F.R. § 164.103.
[15] 45 C.F.R. § 160.103.
[16] See, e.g., 45 C.F.R. § 164.502 (Uses and disclosures of protected health information).
[17] 45 CFR §§ 164.400–414.
[18] US Department of Health and Human Services, Office for Civil Rights. Breach portal: notice to the secretary of HHS breach of unsecured protected health information. [Available at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf].
[19] US Department of Health and Human Services. Summary of the HIPAA security rule. [Available at: http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html].
[20] 45 CFR § 164.506.
[21] US Department of Health and Human Services. Resolution agreements and civil money penalties. [Available at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html].
[22] Institute of Medicine (US). To err is human: building a safer health system; 1999 [See also Institute of Medicine (US). Crossing the quality chasm: a new health system for the 21st century; 2001].
[23] Terry N. Pit crews with computers: can health information technology fix fragmented care? Houston J Health Law Policy 2014;129:129–89.
[24] Office of the National Coordinator for Health Information and Technology. Percent of hospitals, by type, that possess certified health IT; 2016 [Available at: dashboard.healthit.gov/quickstats/pages/certified-electronic-health-record-technology-in-hospitals.php].
[25] US Department of Health and Human Services. New rule protects patient privacy, secures health information; 2013 [Available at: http://www.hhs.gov/about/news/2013/01/17/new-rule-protects-patient-privacy-secures-health-information.html].
[26] US Department of Health and Human Services. Enforcement results by year. [Available at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-results-by-year/index.html].
[27] Ornstein C, Waldman A. Few consequences for health privacy law’s repeat offenders. ProPublica 2015 [Available at: https://www.propublica.org/article/few-consequences-for-health-privacy-law-repeat-offenders].
[28] US Department of Health and Human Services. Resolution agreements and civil money penalties. [Available at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements].
[29] Id.
[30] US Department of Health and Human Services. Guidance on HIPAA & cloud computing. [Available at: http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html].
[31] US Department of Health and Human Services. Resolution agreements and civil money penalties. [Available at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/].
[32] Rodionova Z. Healthcare is now top industry for cyberattacks, says IBM: over 100 million healthcare records were reportedly compromised in 2015. The Independent; 2016 [Available at: http://www.independent.co.uk/news/business/news/healthcare-is-now-top-industry-for-cyberattacks-says-ibm-a6994526.html].
[33] See Davis J. Massive Locky ransomware attacks hit US hospitals. Healthcare IT News; 2016 Aug. 19 [Available at: http://www.healthcareitnews.com/news/massive-locky-ransomware-attacks-hit-us-hospitals].
[34] HHS OCR. Fact sheet: Ransomware and HIPAA. US Department of Health and Human Services, Office for Civil Rights; 2016 [Available at: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf].
[35] US Federal Trade Commission. Data brokers: a call for transparency and accountability; 2014 [Available at: https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf].
[36] Terry N. Protecting patient privacy in the age of big data. Univ Missouri Kansas City Law Rev 2013;81:385–415.
[37] Article 29 Data Protection Working Party. Opinion 03/2013 on purpose limitation; 2 April 2013, at 45.
[38] Id., at 46.
[39] US Federal Trade Commission. Data brokers: a call for transparency and accountability; 2014.
[40] See generally: Terry N. Navigating the incoherence of big data reform proposals. J Law Med Ethics 2015;43:1.
[41] Things are looking app. The Economist; 2016 [Available at: http://www.economist.com/news/business/21694523-mobile-health-apps-are-becoming-more-capable-and-potentially-rather-useful-things-are-looking].
[42] Hayward J, Chansin G, Zervos H. Wearable technology 2015–2025: technologies, markets, forecasts. IDTechEx; 2016 [Available at: http://www.idtechex.com/research/reports/wearable-technology-2015-2025-technologies-markets-forecasts-000427.asp].
[43] Terry N. Mobile health: assessing the barriers. Chest 2015;147(5):1429–34.
[44] See generally: Terry N. Opening remarks for House Energy and Commerce Subcommittee Hearing on Health Care Apps; 2016 Jul. 13 [Available at: http://docs.house.gov/meetings/IF/IF17/20160713/105197/HHRG-114-IF17-Wstate-TerryN-20160713.pdf].
[45] Article 29 Data Protection Working Party. Opinion 8/2014 on the recent developments on the internet of things; 2014 [Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf].
[46] Internet of things. US Federal Trade Commission staff report; 2015 Jan. [Available at: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf].
[47] See generally: Terry N. Will the internet of things disrupt healthcare? Vand. J. Ent. & Tech. L. (forthcoming 2017).
[48] Limer E. How hackers wrecked the internet using DVRs and webcams. Popular Mech 2016 [Available at: http://www.popularmechanics.com/technology/infrastructure/a23504/mirai-botnet-internet-of-things-ddos-attack/].
[49] US Federal Communications Commission Staff Report. Internet of things; 2015 [Available at: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf].
[50] Terry N. Navigating the incoherence of big data reform proposals. J Law Med Ethics 2015;43:1.
[51] US Federal Communications Commission. Protecting privacy for broadband consumers; 2016 [Available at: https://www.fcc.gov/news-events/blog/2016/10/06/protecting-privacy-broadband-consumers].
[52] US Federal Trade Commission. Two data brokers settle FTC charges that they sold consumer data without complying with protections required under the fair credit reporting; 2014.
[53] FTCA § 5(a). See e.g., In Re LabMD Inc., https://www.ftc.gov/enforcement/cases-proceedings/102-3099/labmd-inc-matter; F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
[54] See e.g., Cal. Civil Code §§ 56–56.07.
[55] See GDPR Preamble §§ 51–54.
