Today is World Patient Safety Day, and The Light Collective is proud to share new community-based participatory research on patient priorities in health technology.

Health data regulations today are fraught with critical gaps—both in governmental oversight and corporate practices—that leave patients vulnerable. As our healthcare systems become increasingly data-driven, addressing these shortcomings is not just an ethical imperative but a matter of safeguarding patient well-being. Below, we highlight the most pressing regulatory and practice gaps that persist, continuing to jeopardize the privacy, security, and ultimately, the lives of patients.

  1. Regulation and Aggregation of Non-HIPAA Covered Data:

As of today, a lot of your health data is not covered under HIPAA. This includes what you post online, your health-related searches, and browsing activity. Information about online purchases, posts, and searches can reveal sensitive health details. The FTC holds authority to enforce privacy for non-HIPAA covered data, and recently expanded the definition of “Protected Health Records” (PHR) to apply to online platforms and mobile apps, and revised the method, time, and content for reporting data breaches.

Some of this was in part due to the work of The Light Collective (further reading here). Yet despite small wins, third parties, including health and wellness apps, use and resell de-identified PHR data. Even though companies have to tell consumers about data breaches, they can slip through some pretty big loopholes if they put certain terms in the fine print of their privacy policies.

  2. De-Identified Health Data:

HIPAA sets standards for de-identifying patient health data. De-identified data is not considered covered, so it can be shared with third parties. However, the assumption that de-identified data is completely secure is false. There are still risks related to sharing de-identified data that jeopardize patient privacy. Current practices and regulations do not fully deal with these risks, leaving room for potential misuse and re-identification by third parties.

  3. Industry Self-Regulation: Where is Independent Representation For Patient Interests?

Organizations gather health data for health AI, which changes how patients get their own care. Health AI will bring benefits but also unintended consequences. Through our recent research, we learned that 91% of patients in our own network want to be informed if AI is being used in their care. Patient consent is crucial, regardless of HIPAA coverage, to make certain data doesn’t complicate patient care and access to information.

While gaps in policy and standards for non-HIPAA covered data, de-identified data, and emerging health technologies persist, there are certain policies and measures that can help in closing these gaps or disincentivizing health providers, researchers, tech startups, and large corporations from falling into them.

  1. Affirmative express consent for the aggregation of de-identified health data. This consent must be clearer than simply pressing ‘accept’ to the terms and conditions of using a service.
  2. Clear and accessible choice for patients to opt out of having any format of health data aggregated to third parties. The State of California has introduced Assembly Bill 3048, setting a strong example for integrating an ‘opt out’ function for consumers using web browsers. This principle should be extended to patients with regard to their health data.
  3. Covered status for PHR and health data on social media. Giving these two forms of health data a covered status would ensure that they are granted further privacy protections and encourage further regulations.
  4. Reproducibility standards for machine learning research. It has been shown that there can be several issues with the quality of research utilizing de-identified health data in machine learning algorithms. To ensure that the results of such research are reliable, and not promoting information that may be incorrect, there must be standards set for ensuring the quality of the data being utilized.
  5. Clarity on accountability for data misuse and harms. As more and more third-party services are utilized in patient care, patients’ health data is no longer only analyzed by the patient’s doctor. While the doctor is bound by a fiduciary responsibility to the patient, third-party applications are primarily responsible to their shareholders and to generating profits. This can increase the likelihood of cyber harms towards patients, threatening the quality of their care. It is imperative that any ambiguity concerning which parties are responsible for these potential patient harms is removed, especially considering that third-party services can purposely remain ambiguous about what their duty to patients is to avoid accountability. Clear accountability will ensure that third parties are more careful with the services they provide to patients, since they will be liable for the harms caused.

Toward A Patient Community-Led Data Trust

A data trust is a legal structure run by an independent institution that decides how data held within the trust should be handled. Data trusts allow the data they hold to be utilized in the manner deemed best by the independent institution that runs them, ensuring that there are no conflicts of interest guiding decisions about data sharing. Beginning to think about how health data trusts could be structured, and how patients themselves could be trustees of the data trust, sheds light on a new structure in which health data can be handled with the interests of patients as the primary guiding principle.

