
    Ongoing and Emerging Issues in Privacy and Security in a Post COVID-19 Era: An Environmental Scan

    The National Committee on Vital and Health Statistics (NCVHS) Subcommittee on Privacy, Confidentiality and Security (PCS) requested this environmental scan to better understand recent developments in privacy, confidentiality and security issues in the health, healthcare, and public health sectors. Accordingly, this environmental scan was developed to guide PCS and NCVHS in identifying new major projects to pursue. This report is primarily focused on developments occurring during or after 2018. Information privacy, confidentiality, and security continue to be issues of national importance. In the last four years, there have been substantial developments in law, legal theory, data analytics, privacy preserving technologies, efforts to promote novel and socially beneficial data applications, and public disclosures of concerning data applications.

    PROPOSED AND ENACTED STATE AND FEDERAL PRIVACY LEGISLATION

    Nationally, there are intensive efforts to address privacy and security risks in state and federal legislation. At the state level, momentum for new comprehensive privacy legislation is “at an all-time high.” Since 2018, five states have adopted new comprehensive privacy laws: California, Colorado, Connecticut, Virginia, and Utah. Four additional states—Michigan, New Jersey, Ohio, and Pennsylvania—have comprehensive privacy bills under active consideration. Also noteworthy is the Uniform Law Commission’s Uniform Personal Data Protection Act, which introduces several innovative privacy provisions. These innovations include a factor-based approach to defining allowable data uses and incorporating a voluntary consensus standard approach to enable the law to adapt to evolutions in data practices over time. In comparison to state activity, few new federal privacy laws have been adopted. However, dozens of bills have been introduced, and at least one has broad support. The 21st Century Cures Act’s regulations defining exceptions to the Act’s prohibition of “information blocking” are a notable exception to relative federal inactivity. Nevertheless, Congress has been busy exploring new federal privacy legislation with over 50 federal privacy bills introduced during the 117th Congress. Of these, the American Data Privacy & Protection Act (ADPPA) is considered the most significant and promising federal comprehensive privacy effort in the past decade. However, there are still significant political challenges to overcome before the ADPPA can become law.

    NEW PRIVACY AND SECURITY RISKS AND PROMISING POLICIES, PRACTICES AND TECHNOLOGIES

    This environmental scan explores two significant new risks to privacy and security: artificial intelligence and law enforcement use of private data. Artificial intelligence has evolved in a largely unregulated space. This has created significant alarm due to the growing reliance on these tools across sectors. Risks associated with artificial intelligence cross social, health, economic, and political dimensions. Notably, artificial intelligence processes can be opaque, making it difficult for consumers to understand risks or difficult for processors to evaluate the unintended effects of their algorithms. In particular, group harms can be pronounced in artificial intelligence applications. Additionally, multiple high-profile stories have alarmed the public and lawmakers about the scope of law enforcement use of data. These include the use of commercial DNA databases to identify criminal suspects from the DNA of their distant relatives, the criminalization of once legal health procedures (e.g., after the Dobbs v. Jackson Supreme Court decision, which overturned a long recognized federal constitutional right to abortion), as well as law enforcement using commercial surveillance tools to achieve “mass surveillance on a budget.” Despite these challenges, there are many innovations in privacy policies, practices, and technologies. This report describes four primary approaches to contemporary privacy legislation: (1) the consumer protection model, e.g., notice and consent, (2) the data protection approach, similar to the European Union’s General Data Protection Regulation (GDPR), (3) the antitrust approach, i.e., focusing oversight on dominant entities, and (4) the information fiduciary approach, i.e., imposing legal duties of confidentiality, care, and loyalty on data controllers. Similarly, this report describes different approaches to privacy enforcement. Each alternative can be consequential for the effectiveness of a given regulatory framework. These enforcement options include (1) delegating enforcement authority to a preexisting or newly created agency, (2) enforcement through an individual right of action, (3) deputizing intermediaries to enforce standards and discipline, (4) increasing standards and associated penalties according to the scale of the activity or the size and sophistication of the regulated entity, (5) profit disgorgement, and (6) personal liability for corporate executives.

    POTENTIAL PROBLEMS IN GOVERNANCE OF HEALTH INFORMATION

    The U.S. privacy framework is often derided as a patchwork of laws. This patchwork is both overly complex and under-protective. The U.S. legal privacy framework is under-protective when its sector-by-sector and jurisdiction-by-jurisdiction approach leaves personal information un(der)-regulated (e.g., commercial data). This sectoral approach leads to uneven protections that can be confusing to consumers (e.g., health information stored in a hospital versus health information stored in a fitness-tracking app). The U.S. privacy framework is also overly complex because of inconsistency between jurisdictional approaches. This variability complicates compliance. This is one reason why industry has embraced calls for a national comprehensive privacy law. Notably, the U.S. privacy framework might also be considered overprotective where it restricts popular and socially beneficial data uses. For example, a 2020 national survey of U.S. adults measured privacy preferences, and it identified instances where socially beneficial and popular data uses might be impeded by existing privacy restrictions. This environmental scan also identifies and explores important and contentious issues in legislative debates. These include (1) defining and regulating sensitive data, (2) preemption of state laws, (3) treatment of existing federal laws, (4) authorizing an individual right of action, and (5) the impact of privacy legislation on healthcare and public health data practices. In addition, developments in data science, world events, and privacy scholarship necessitate discussion of four additional issues. First, artificial intelligence’s anticipated risks and benefits warrant regulatory attention, but it presents a challenging regulatory target. Second, the COVID-19 response exposed significant challenges and concerns in public health data collection, use, sharing, and governance. Third, de-identification remains a significant issue in part because (1) data science and reidentification methods have seemingly outgrown decade-old guidance, and (2) new scholarly thinking on group harms raises concerns about the effect of de-identification methods on groups. Fourth, there is increasing skepticism of the effectiveness of the notice-and-consent model within legal scholarship, which raises questions on the sustained reliance on this approach given available alternatives.

    OPPORTUNITIES FOR TIMELY ADVICE FROM NCVHS TO THE HHS SECRETARY REGARDING CONSTRUCTIVE ACTIONS THAT HHS AND OTHER FEDERAL DEPARTMENTS MIGHT TAKE

    This environmental scan identifies four opportunities for timely advice to the HHS Secretary:

    1. De-identification remains a critically important issue in privacy. It would be prudent to revisit the 2017 NCVHS recommendations on de-identification, which remain highly relevant to contemporary issues, in addition to other considerations (e.g., group harms).

    2. Recent concerns about law enforcement access to and use of private information raise parallel questions about whether existing law enforcement disclosure exceptions in some privacy laws might enable inappropriate uses. An NCVHS convening could help refine and identify nuance within this area. Some of the issues that could be explored in more detail include narrowing the scope of law enforcement exceptions and imposing data protection requirements on data disclosed for law enforcement purposes (e.g., duties of data minimization or purpose limitation).

    3. Artificial intelligence and machine learning tools are reshaping the structures of health care delivery as well as broader social structures, but many existing federal laws do not account for the fundamental difference in the scope and scale of the risks associated with these automated processes. A future NCVHS convening could explore the following issues: (1) standards and requirements for conducting algorithm impact assessments, (2) algorithm transparency requirements or standards, and (3) higher standards, duties, or penalties based on the size and sophistication of the data controller.

    4. There are important health implications for the Federal Trade Commission advance notice of proposed rulemaking (ANPRM) on Commercial Surveillance and Data Security. Some unintended consequences could be mitigated by early communication between HHS and FTC to ensure that proposed rules consider the health perspectives and objectives. If FTC promulgates new regulations on commercial surveillance, joint guidance by the FTC and HHS might be needed to ensure that HIPAA covered entities understand their compliance obligations under both laws. A future NCVHS convening could explore whether timely comments or input could inform or assist the FTC rulemaking process and group harm considerations.

    NCVHS: National Committee on Vital and Health Statistics, U.S. Department of Health and Human Services

    Plan Now for Managing Electronic Data and Avoid Tomorrow’s Legal Risks

    [Excerpt] In a world where the use of electronic data is rapidly increasing, companies must find ways to manage data now so that they effectively control compliance risks. The proliferation of electronic data is both astonishing and overwhelming. Given the storage power of average computers today, even the most modest mom-and-pop business may have electronic storage capacity equivalent to 2,000 four-drawer file cabinets. The task of managing electronic data is further compounded by the fact that the data is no longer just tangible pieces of paper, but rather bytes of information that are constantly being edited, changed, and updated by different people and sources. Proper archiving, retention, monitoring, filtering, and encryption of electronic data are no longer optional: they are imperative.

    Legal Solutions in Health Reform: Privacy and Health Information Technology

    Identifies gaps in the federal health privacy standard and proposes options for strengthening the legal framework for privacy protections in order to build public trust in health information technology. Presents arguments for and against each option.

    Privacy and Health Information Technology

    The increased use of health information technology (health IT) is a common element of nearly every health reform proposal because it has the potential to decrease costs, improve health outcomes, coordinate care, and improve public health. However, it raises concerns about security and privacy of medical information. This paper examines some of the “gaps” in privacy protections that arise out of the current federal health privacy standard, the Health Insurance Portability and Accountability (HIPAA) Privacy Rule, the main federal law which governs the use and disclosure of health information. Additionally, it puts forth a range of possible solutions, accompanied by arguments for and against each. The solutions provide some options for strengthening the current legal framework of privacy protections in order to build public trust in health IT and facilitate its use for health reform. The American Recovery and Reinvestment Act (ARRA), enacted in February 2009, includes a number of changes to HIPAA and its regulations, and those changes are clearly noted among the list of solutions (and ARRA is indicated in the Executive Summary and paper where the Act has a relevant provision).

    Privacy and Security of Data


    Going Rogue: Mobile Research Applications and the Right to Privacy

    This Article investigates whether nonsectoral state laws may serve as a viable source of privacy and security standards for mobile health research participants and other health data subjects until new federal laws are created or enforced. In particular, this Article (1) catalogues and analyzes the nonsectoral data privacy, security, and breach notification statutes of all fifty states and the District of Columbia; (2) applies these statutes to mobile-app-mediated health research conducted by independent scientists, citizen scientists, and patient researchers; and (3) proposes substantive amendments to state law that could help protect the privacy and security of all health data subjects, including mobile-app-mediated health research participants.

    The Benefits and Costs of Online Privacy Legislation

    Many people are concerned that information about their private life is more readily available and more easily captured on the Internet as compared to offline technologies. Specific concerns include unwanted email, credit card fraud, identity theft, and harassment. This paper analyzes key issues surrounding the protection of online privacy. It makes three important contributions: First, it provides the most comprehensive assessment to date of the estimated benefits and costs of regulating online privacy. Second, it provides the most comprehensive evaluation of legislation and legislative proposals in the U.S. aimed at protecting online privacy. Finally, it offers some policy prescriptions for the regulation of online privacy and suggests areas for future research. After analyzing the current debate on online privacy and assessing the potential costs and benefits of proposed regulations, our specific recommendations concerning the government's involvement in protecting online privacy include the following: The government should fund research that evaluates the effectiveness of existing privacy legislation before considering new regulations. The government should not generally regulate matters of privacy differently based on whether an issue arises online or offline. The government should not require a Web site to provide notification of its privacy policy because the vast majority of commercial U.S.-based Web sites already do so. The government should distinguish between how it regulates the use and dissemination of highly sensitive information, such as certain health records or Social Security numbers, versus more general information, such as consumer name and purchasing habits. The government should not require companies to provide consumers broad access to the personal information that is collected online for marketing purposes because the benefits do not appear to be significant and the costs could be quite high. 
The government should make it easier for the public to obtain information on online privacy and the tools available for consumers to protect their own privacy. The message of this paper is not that online privacy should be unregulated, but rather that policy makers should think through their options carefully, weighing the likely costs and benefits of each proposal.