I'm Marianne Kolbasach-McGee, Executive Editor at Information Security Media Group. Today, I'm speaking with Dr. Jesse Ehrenfeld, Board Chair of the American Medical Association, about a new set of privacy principles issued by the AMA that the organization hopes will set the future direction of regulatory guardrails that the AMA thinks is needed to restore public confidence in data privacy protections. Dr.
Ehrenfeld, for starters, why did the AMA issue these new privacy principles now, and what sorts of new potential regulatory guardrails for privacy is the AMA hoping will come out of these? Well, in particular, as Congress continues discussions around federal privacy legislation, we want to make sure that any privacy laws protect what really is a sacred trust at the heart of the physician-patient relationship. And we want to make sure that as health information is shared, particularly outside of the healthcare system, that patients have control over that. They have an understanding of how their data is being used, who it's being shared with.
We need to make sure that patients feel confident that their health information will be private, and preserving that patient trust is absolutely critical. So what are some examples of the top principles being proposed by the AMA? The U.S. healthcare system has gradually shifted, really, over the last 10 years towards digital record-keeping among hospitals and health plans and physician practices.
And that transition has occurred under the umbrella of privacy and security rules that were really rooted in HIPAA, a law, which, if you think about it, predates most modern online and mobile services. And HIPAA explicitly excludes health information that's created or managed by patients themselves or by third-party apps. Now, the rapid growth in both the range and the volume of digital patient data beyond the confines of the existing HIPAA framework, in other words, patient data that isn't currently protected by federal privacy law, really merits some serious attention. And without clear guardrails around how entities use data, we know that public trust will continue to crumble in the face of repeated scandals and undermine the potential for digital health to facilitate an era of more accessible, coordinated, and personalized care.
And so the aim is privacy principles seek to provide guidance on what those guardrails should include. The AMA also notes that the principles apply to potential regulations for entities that are not physicians. So what sorts of entities are you looking at? Are there various technology vendors, data brokers, others?
And where are the gaps? As we're learning more and more every day, personal health information is no longer private, right? So social media platforms, wearable fitness trackers, and apps allowing patients to download their health records from electronic health records and manage health conditions, they all collect data that is not protected by HIPAA. Now, that means that this data can be shared for a wide range of purposes, including advertising and marketing.
Sharing that health information with data brokers who can combine it with other consumer information, things like your credit score, your level of education, or even something as simple as a zip code, creates, frankly, the perfect recipe for harmful profiling and discrimination. There was a recent 2019 study by Rock Health and Stanford Center for Digital Health. And what it showed is that consumers have become more reticent when it comes to sharing their health data. Out of all healthcare stakeholders, consumers are still most willing to share their health data with physicians.
But even that sentiment has slipped a little bit since 2017. Now, consumers were least willing to share their health data with technology companies whose business models and technical capabilities are effectively reliant on it. So as you know, the Department of Health and Human Services has issued health IT interoperability and also information blocking rules. And part of the push with this is to give patients more access or easier access to their own health information.
What does the AMA see in terms of privacy principle proposals that are needed to be examined as Congress sort of examines whether or not there are enough privacy protections with patients' data? Let me start by saying that the AMA firmly and unequivocally believes that individuals, patients, have the right to access and extract their own data, period. The HHS recently finalized interoperability and information blocking rules are really poised to impact the exchange, access, and use of all electronic medical records. And while there are elements in both rules that deserve support, there are also a bunch of problems, particularly when it comes to protecting patient privacy.
Now, while we in the AMA wholeheartedly support the intent of the rules to make it easier for patients to access their electronic health information, the rules lack safeguards to help ensure that patients understand what they're consenting to when they grant permission to an app to access their medical records. The AMA advocated strongly and regularly for Health and Human Services to include controls in the final rule to promote transparency as to how apps use health information, who apps share health information with, and how patients could prevent apps from profiteering off of their data. Unfortunately, Health and Human Services did not take meaningful action in its final rule to promote that kind of transparency. And as a result, patients may be less willing to share information with physicians for fear that a technology company or a data broker is going to have, frankly, full authority over the use of their indelible health data.
So now, as contact tracing, telehealth, mobile apps, and other technologies are getting rolled out during this COVID-19 crisis that we're in, how might the implementations of your principles help protect patient privacy not only now, if they were applied, but also for future pandemics? The recent events have highlighted how critical it is to have clear rules of the road with respect to data use. As you note, there is an unprecedented reliance on remote care technologies like telehealth to help people avoid leaving their homes during the COVID-19 pandemic. And both patients and clinicians are justified in questioning how platforms will secure and protect the information exchange during a virtual visit.
Similarly, there are many private and public efforts that are underway to collect, use, and disseminate public health surveillance data to help inform public health officials and policymakers about the spread of the novel coronavirus. Those efforts are critically necessary but must address questions about how to best handle the data both used during collection and once the pandemic has subsided. In fact, there was a recent poll from The Washington Post and the University of Maryland that showed that the American public has deep privacy concerns about using tech-enabled COVID-19 tracking and tracing systems that could help limit the pandemic's deadly toll, making the release of our document outlining our principles around privacy especially timely. People need assurances about how entities are going to use and exchange data.
And the more we have those assurances, the more willing society will be to use technologies such as telehealth and public health contact tracing apps. I have to say, we learned that one of the very first contact tracing apps violates its own privacy policy. The North and South Dakota Care19 coronavirus app sends user location data to more than just the government, which was promised by the app when people signed up for it. So those kinds of issues really need to be addressed.
And that brings us back to the privacy principles that we have promulgated. Now, are there any particular security or technology controls that you would like to see considered by entities to help facilitate the privacy principles that you're laying out? Well, we don't speak to specific technologies in our principles. There are a few things that are worth pointing out when considering security controls.
So first, our principles speak to providing individuals with greater granular controls over how their information is used and shared. And that means that technology developers should start thinking more about how to permit individuals to securely share pieces of information. So, you know, somebody might want to share only a medication list or a diagnosis list as opposed to their entire medical record. Second, the principles note that privacy and security tools can't be reserved for only those who can afford or otherwise easily access them.
For example, we wouldn't support a policy in which privacy protections are only included in a paid version of an app. And finally, we're calling on entities to use de-identification techniques that are demonstrably robust, scalable, transparent, and provable, and to make sure that those techniques are clear to the people who are using them. And finally, how might AMA like to see Congress incorporate these principles into new or modified privacy legislation? So our privacy principles provide guidance on what any federal privacy framework should include, namely individual rights, equity, entity responsibility, applicability, and enforcement mechanisms.
They also take into consideration that there's some data historically not considered personal that may, in fact, be personally identifiable, like your IP address or the advertising identifier on your mobile phone. Accordingly, our privacy principles use of the term data include information that can be used to identify an individual even if it is not descriptive on its face. Moreover, we believe that the primary purpose of boosting guardrails around data is to build public trust, not inhibit data exchange. We want people to be able to access and exchange their data.
Our privacy principles really seek to promote confidence in the systems that are being established to help keep people safe and healthy and help ensure that the steps that we take now will not unfairly and disproportionately impact vulnerable populations down the road. Thanks, Dr. Ehrenfeld. I've been speaking to Dr.
Jesse Ehrenfeld of AMA. I'm Marianne Kolbesak-McGee of Information Security Media Group. Thanks for listening.