Case Study: Office of the National Coordinator for Health Information Technology's Model Personal Health Record Privacy Notice and Beyond
PHRs, in many ways eclipsed today, are one vehicle for data collection in which the use of privacy notices has been explored extensively. PHRs allow individuals to create, develop, and control information about their health. At one point, they were thought to be an excellent way to involve consumers in their healthcare, although they appear to have been largely supplanted by other methods such as Internet apps or wearable devices. Evaluations suggested that PHRs were simply too complex for many intended users.58 Many of the PHRs remaining in use are linked to EHRs maintained by healthcare providers; these PHRs are typically structured so that the information in them is protected by HIPAA and subject to HIPAA notice requirements. Some PHRs, however, are freestanding and may contain health information that has been uploaded by the patient or downloaded from HIPAA-protected entities, but the information in them is not subject to HIPAA because these freestanding PHRs are not HIPAA-covered entities. The vast explosion of Internet apps and wearable devices for collecting health information also has taken place largely outside of the realm of HIPAA protection, except for those devices that are directly linked to patients’ medical records. The development of PHRs and later methods of health data collection thus provide an instructive case study for analyzing issues raised by reliance on notices as a method for achieving transparency.
In 2008, ONC began a process of developing a model PHR notice for PHR vendors to use, a process culminating in September 2011 with the release of a voluntary model notice. The project’s goals were to increase consumer awareness and provide consumers with an easy method for comparing the practices of different PHR vendors.59 The Office of the National Coordinator for Health Information Technology’s (ONC’s) background statement judged that the model notice should help vendors to be transparent about their privacy and security policies, generate trust in PHRs, and compete on the extent to which their policies protect consumers.60 ONC’s model notice was not designed to tell vendors what choices they should offer consumers or whether to provide additional information to meet legal requirements applicable in their jurisdictions. Instead, with transparency as the goal, the model notice was developed based on consumer testing and research involving cognitive usability and provided a standard template for insertion of “yes/no” answers into preset fields.
The template was titled “What are [company name] PHR data practices?”61 It covered two topics: data release and security. “Release” questions asked whether data would be released for marketing and advertising, medical and pharmaceutical research, reporting about the company and customer activity, insurers and employers, and developing software applications—in each case as either personally identifiable or statistical forms. For “security,” the questions were whether data are stored in the United States only and whether activity logs are kept for customer review. The template also encouraged vendors to add a “hot button” at the end for individuals to click on to access the vendor’s complete privacy and security policies.
An earlier edition of this chapter reported significant problems with PHR privacy notices 10 months after ONC published its voluntary model privacy notice.62 Notices were long and had an average reading level of 14.54, with a low of 12.44 and a high of 18.02, making it quite unlikely that the notices would be accessible by the many Americans without college degrees. By contrast, the National Cancer Institute recommends an eighth grade reading level for informed consent forms used for patients in research studies.63 Several notices included explicit statements that the policy limited their liability to the consumer; these policies could be characterized as company protective rather than consumer informative. Many policies indicated that they would disclose information in response to requests by law enforcement or government agencies such as Homeland Security and only one indicated that the site would attempt to notify the consumer before disclosing the information. Because these disclosures might adversely affect consumers’ legal rights, privacy advocates have been especially concerned that PHR vendors should at least inform consumers in order to give them an opportunity to object.64 Many notices reserved the right to change privacy policies, in some cases without directly informing the consumer. A few indicated that consumers could delete information or terminate accounts, but others were silent about consumers’ rights in this regard.
PHRs have been largely supplanted in the market by Internet apps for tracking various health measures such as diet or weight, and by wearable technologies such as fitness trackers. Because these mechanisms are outside of HIPAA protections, concerns about privacy protection have been significant. In 2016, ONC embarked on an update of its model privacy notice aimed at these mechanisms.65 It solicited comments and received 13 comments representing broad coalitions of stakeholders. A search of these comments revealed frequent statements about the importance of transparency and a few suggestions of how that might be achieved. Table 7.1 summarizes these results:
Table 7.1 Comments to ONC on Revising Model Privacy Notice: References to Transparency

| Comment Author | Mention of Transparency? | Content? |
| --- | --- | --- |
| ACT/the App Association66 | Yes | To inform consumers about planned commercial uses |
| AMA67 | Yes | "clear privacy policies to ensure accuracy, transparency, and the appropriate level of consumer choice," citing lack of privacy policies in diabetes apps and noting that apps with sensitive health information should be moved toward the standards that apply to physicians |
| Center for Democracy and Technology | Yes | Created with the typical person in mind; disclosures should be clear, in a time and manner likely to be seen and acted upon; "concrete, digestible information about what entities actually do with user data, using written language and visual data flows whenever possible;" responsive to different languages and disabilities. |
| Comments on updates68 | No | Does say that it is difficult for consumers to assess security risk levels and that it would be useful to know whether data will be aggregated |
| Consumer Partnership for eHealth69 | Yes | Should also include disclosure of company's own uses |
| Consumer Technology Association70 | Yes | Consumers want transparency about transfer to unaffiliated third parties; developers should have maximum flexibility |
| DirectTrust71 | Yes | First principle for PHR notices; should include information about entity's ownership, non-profit status, privacy policy |
| GetMyHealthData72 | Yes | Explanation of choices in consumer-friendly language; distinction between HIPAA-covered and non-HIPAA-covered entities confusing; consumers should not be surprised by data uses |
| Humetrix73 | No | Recommends explaining to consumer uses of de-identified information and aggregated information; should align with EU standards to the extent feasible |
| Linda Van Horn74 | No | Lists information that consumers should have |
| NATE (National Association for Trusted Exchange)75 | Yes | Concerned that without transparency consumers "will be lulled" into thinking that their providers and payers give better protection than exchanges |
| National Partnership for Women and Families76 | No | Recommends sharing information about company's own uses, reporting for public health, and commercial uses |
| patientprivacyrights77 | Yes | Most important information practice is transparency, as in accounting for disclosures. Should be "real-time online access, an available API, and notice anytime data drawn from the individual is used, even in de-identified form" |

These results indicate a commitment to transparency, but less discussion of what transparency actually means or how it can be achieved. Perhaps the explanation is that the comments were submitted in response to ONC’s request to answer other specific questions regarding updating model privacy notices for PHRs. Nonetheless, only two—CDT and patient privacy rights—refer to difficulties in achieving communication of data uses in real time to consumers. Many do indicate the importance of sharing types of uses with consumers, including the company’s own planned uses and uses of de-identified information. All approve of ONC’s plan to extend the voluntary model privacy notice to entities beyond PHR vendors; the AMA is perhaps the most forceful in stating that these entities should be moved toward the standards applicable to physicians because of the sensitivity of the health information they possess. Other commentators such as the Consumer Technology Association would give app developers a great deal of flexibility in how they communicate with consumers about what will be done with information. Achieving transparency for consumers over the life cycle of information use remains a challenge; this is a challenge that will surely need to be addressed as the PMI and other novel uses of large data sets evolve.