AMA Outlines Privacy Principles for Health Data episode artwork

EPISODE · May 26, 2020

AMA Outlines Privacy Principles for Health Data

from Info Risk Today Podcast · host InfoRiskToday.com

The American Medical Association has issued a set of privacy principles for health data that it hopes Congress and regulators will keep in mind as they prepare legislation and regulations. In an interview, AMA Board Chair Jesse Ehrenfeld, M.D., describes the recommendations.

Episode metadata supplied by the publisher feed · Published May 26, 2020

The American Medical Association has issued a set of privacy principles for health data that it hopes Congress and regulators will keep in mind as they prepare legislation and regulations. In an interview, AMA Board Chair Jesse Ehrenfeld, M.D., describes the recommendations.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

AMA Outlines Privacy Principles for Health Data

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

I'm Marianne Kolbasach-McGee, Executive Editor at Information Security Media Group. Today, I'm speaking with Dr. Jesse Ehrenfeld, Board Chair of the American Medical Association, about a new set of privacy principles issued by the AMA that the organization hopes will set the future direction of regulatory guardrails that the AMA thinks is needed to restore public confidence in data privacy protections. Dr.

Ehrenfeld, for starters, why did the AMA issue these new privacy principles now, and what sorts of new potential regulatory guardrails for privacy is the AMA hoping will come out of these? Well, in particular, as Congress continues discussions around federal privacy legislation, we want to make sure that any privacy laws protect what really is a sacred trust at the heart of the physician-patient relationship. And we want to make sure that as health information is shared, particularly outside of the healthcare system, that patients have control over that. They have an understanding of how their data is being used, who it's being shared with.

We need to make sure that patients feel confident that their health information will be private, and preserving that patient trust is absolutely critical. So what are some examples of the top principles being proposed by the AMA? The U.S. healthcare system has gradually shifted, really, over the last 10 years towards digital record-keeping among hospitals and health plans and physician practices.

And that transition has occurred under the umbrella of privacy and security rules that were really rooted in HIPAA, a law, which, if you think about it, predates most modern online and mobile services. And HIPAA explicitly excludes health information that's created or managed by patients themselves or by third-party apps. Now, the rapid growth in both the range and the volume of digital patient data beyond the confines of the existing HIPAA framework, in other words, patient data that isn't currently protected by federal privacy law, really merits some serious attention. And without clear guardrails around how entities use data, we know that public trust will continue to crumble in the face of repeated scandals and undermine the potential for digital health to facilitate an era of more accessible, coordinated, and personalized care.

And so the aim is privacy principles seek to provide guidance on what those guardrails should include. The AMA also notes that the principles apply to potential regulations for entities that are not physicians. So what sorts of entities are you looking at? Are there various technology vendors, data brokers, others?

And where are the gaps? As we're learning more and more every day, personal health information is no longer private, right? So social media platforms, wearable fitness trackers, and apps allowing patients to download their health records from electronic health records and manage health conditions, they all collect data that is not protected by HIPAA. Now, that means that this data can be shared for a wide range of purposes, including advertising and marketing.

Sharing that health information with data brokers who can combine it with other consumer information, things like your credit score, your level of education, or even something as simple as a zip code, creates, frankly, the perfect recipe for harmful profiling and discrimination. There was a recent 2019 study by Rock Health and Stanford Center for Digital Health. And what it showed is that consumers have become more reticent when it comes to sharing their health data. Out of all healthcare stakeholders, consumers are still most willing to share their health data with physicians.

But even that sentiment has slipped a little bit since 2017. Now, consumers were least willing to share their health data with technology companies whose business models and technical capabilities are effectively reliant on it. So as you know, the Department of Health and Human Services has issued health IT interoperability and also information blocking rules. And part of the push with this is to give patients more access or easier access to their own health information.

What does the AMA see in terms of privacy principle proposals that are needed to be examined as Congress sort of examines whether or not there are enough privacy protections with patients' data? Let me start by saying that the AMA firmly and unequivocally believes that individuals, patients, have the right to access and extract their own data, period. The HHS recently finalized interoperability and information blocking rules are really poised to impact the exchange, access, and use of all electronic medical records. And while there are elements in both rules that deserve support, there are also a bunch of problems, particularly when it comes to protecting patient privacy.

Now, while we in the AMA wholeheartedly support the intent of the rules to make it easier for patients to access their electronic health information, the rules lack safeguards to help ensure that patients understand what they're consenting to when they grant permission to an app to access their medical records. The AMA advocated strongly and regularly for Health and Human Services to include controls in the final rule to promote transparency as to how apps use health information, who apps share health information with, and how patients could prevent apps from profiteering off of their data. Unfortunately, Health and Human Services did not take meaningful action in its final rule to promote that kind of transparency. And as a result, patients may be less willing to share information with physicians for fear that a technology company or a data broker is going to have, frankly, full authority over the use of their indelible health data.

So now, as contact tracing, telehealth, mobile apps, and other technologies are getting rolled out during this COVID-19 crisis that we're in, how might the implementations of your principles help protect patient privacy not only now, if they were applied, but also for future pandemics? The recent events have highlighted how critical it is to have clear rules of the road with respect to data use. As you note, there is an unprecedented reliance on remote care technologies like telehealth to help people avoid leaving their homes during the COVID-19 pandemic. And both patients and clinicians are justified in questioning how platforms will secure and protect the information exchange during a virtual visit.

Similarly, there are many private and public efforts that are underway to collect, use, and disseminate public health surveillance data to help inform public health officials and policymakers about the spread of the novel coronavirus. Those efforts are critically necessary but must address questions about how to best handle the data both used during collection and once the pandemic has subsided. In fact, there was a recent poll from The Washington Post and the University of Maryland that showed that the American public has deep privacy concerns about using tech-enabled COVID-19 tracking and tracing systems that could help limit the pandemic's deadly toll, making the release of our document outlining our principles around privacy especially timely. People need assurances about how entities are going to use and exchange data.

And the more we have those assurances, the more willing society will be to use technologies such as telehealth and public health contact tracing apps. I have to say, we learned that one of the very first contact tracing apps violates its own privacy policy. The North and South Dakota Care19 coronavirus app sends user location data to more than just the government, which was promised by the app when people signed up for it. So those kinds of issues really need to be addressed.

And that brings us back to the privacy principles that we have promulgated. Now, are there any particular security or technology controls that you would like to see considered by entities to help facilitate the privacy principles that you're laying out? Well, we don't speak to specific technologies in our principles. There are a few things that are worth pointing out when considering security controls.

So first, our principles speak to providing individuals with greater granular controls over how their information is used and shared. And that means that technology developers should start thinking more about how to permit individuals to securely share pieces of information. So, you know, somebody might want to share only a medication list or a diagnosis list as opposed to their entire medical record. Second, the principles note that privacy and security tools can't be reserved for only those who can afford or otherwise easily access them.

For example, we wouldn't support a policy in which privacy protections are only included in a paid version of an app. And finally, we're calling on entities to use de-identification techniques that are demonstrably robust, scalable, transparent, and provable, and to make sure that those techniques are clear to the people who are using them. And finally, how might AMA like to see Congress incorporate these principles into new or modified privacy legislation? So our privacy principles provide guidance on what any federal privacy framework should include, namely individual rights, equity, entity responsibility, applicability, and enforcement mechanisms.

They also take into consideration that there's some data historically not considered personal that may, in fact, be personally identifiable, like your IP address or the advertising identifier on your mobile phone. Accordingly, our privacy principles use of the term data include information that can be used to identify an individual even if it is not descriptive on its face. Moreover, we believe that the primary purpose of boosting guardrails around data is to build public trust, not inhibit data exchange. We want people to be able to access and exchange their data.

Our privacy principles really seek to promote confidence in the systems that are being established to help keep people safe and healthy and help ensure that the steps that we take now will not unfairly and disproportionately impact vulnerable populations down the road. Thanks, Dr. Ehrenfeld. I've been speaking to Dr.

Jesse Ehrenfeld of AMA. I'm Marianne Kolbesak-McGee of Information Security Media Group. Thanks for listening.

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on May 26, 2020.

What is this episode about?

The American Medical Association has issued a set of privacy principles for health data that it hopes Congress and regulators will keep in mind as they prepare legislation and regulations. In an interview, AMA Board Chair Jesse Ehrenfeld, M.D.,...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!