As part of its 2014 Spring Privacy Series, on May 7, 2014 the Federal Trade Commission (FTC) held a seminar on Consumer Generated and Controlled Health Data (CGHD) that included participants from government, industry, and advocacy organizations. The seminar—which consisted of opening remarks by FTC Commissioner Julie Brill, brief presentations by FTC representatives on health information data flows and sharing of CGHD with third parties, and a panel discussion moderated by FTC attorneys Kristen Anderson and Cora Han—examined the potential benefits and risks of CGHD.
In her opening remarks, Commissioner Brill was clear in her message that she considers health information to be highly sensitive even when it is created and processed entirely outside of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) context, and her comments focused on the need to adequately protect CGHD that falls outside of the HIPAA regulatory regime.
The presentations and comments by FTC representatives, as well as the panel discussion, highlighted the following issues related to CGHD:
- The lack of a regulatory regime that focuses specifically on health information that falls outside of the scope of HIPAA.
- The notable absence of self-regulatory frameworks that address CGHD.
- The lack of transparency regarding how CGHD is used and shared.
- The significant number of third parties with whom CGHD is shared.
- The potential limitations of the current notice and choice framework in the CGHD context.
- The need for a common definition and understanding of what constitutes de-identified data and the agencies’ perception that re-identification risks are significant.
The FTC did not announce any specific action on CGHD and has not yet indicated whether it will issue a staff report on the issue, although it seems clear that the agency is likely to further examine this issue. The FTC is accepting public comments until Monday, June 9, 2014. Click here to submit comments electronically.