5 health data privacy takeaways from AHA, industry group report

Advocacy groups representing clinicians, hospitals, health insurers and technology companies released a new report showing the challenges with the industry’s consumer data sharing and privacy practices. 

The recommendations derive from a December 2022 meeting where 14 non-profit associations discussed challenges with existing health data privacy regulatory frameworks. The American Hospital Association, Blue Cross Blue Shield Association and the Federation of American Hospitals were among the industry groups involved with this effort.

These recommendations come as federal regulators are showing increased interest in how healthcare companies are sharing and using consumer data. On Feb. 1, the Federal Trade Commission barred digital health company GoodRx from sharing personal health data with third parties and fined the company $1.5 million.  

Here are some takeaways and recommendations from this industry report: 

1. A patchwork of privacy laws govern health data privacy. This makes it difficult to aggregate multiple sources and draw inferences across a variety of populations, organizations and governments. Also, privacy frameworks created by the Health Insurance Portability and Accountability Act and other regulatory measures are often not enforced. 
2. Digital health apps are often not covered HIPAA entities. There are multiple privacy laws narrowly covering some of the practices some digital health companies engage in, such as protecting children or requiring consumer financial products to explain how consumer data is shared. But stakeholders say much of the data collected and shared by digital health companies remains unregulated and not covered by HIPAA or any other law. In some cases, states have moved in to create their own laws. 
3. Harmonization of privacy standards needed. This patchwork of laws has created confusion among consumers and providers. The groups called on the federal government to develop and harmonize common standards around the sharing and privacy of consumers’ health information. There have been several Congressional attempts in the last few years to strengthen and harmonize privacy laws within healthcare but none have passed into law. Industry groups have made their own guidelines. 
4. Consumers and providers must be educated. Consumers are often misinformed when their information is protected by HIPAA or privacy regulation. The stakeholders say consumers as well as providers should be informed the ways in which their data is being shared or stored on these apps. 
5. More public-private collaboration. Government stakeholders both at the federal and state level should work with industry groups to improve privacy laws around consumer health data sharing. There should be no additional burdens on consumers or HIPAA covered entities, the stakeholders said in the report. 

This story first appeared in Digital Health Business & Technology.