Light Collective Issues Public Comment to FTC
TARGETED NEWS SERVICE (founded 2004) features non-partisan 'edited journalism' news briefs and information for news organizations, public policy groups and individuals; as well as 'gathered' public policy information, including news releases, reports, speeches. For more information contact
The comment, on Docket No.
* * *
We are a grassroots organization with 28 member grassroots nonprofit patient advocacy organizations. Our mission is to advance the rights, interests, and voices of patient communities in health technology.
First, thank you for the work this year in prioritizing Health Privacy, as exemplified in this recent post: protecting health privacy - A Baker's Dozen. We are writing to respond to the request for public comment on the Health Breach Notification Rule. Thank you for the opportunity to comment.
Background & Prior Comment
Before diving into our comments on current proposed changes to the Health Breach Notification Rule (HBNR), it is first important to share our specific history of prior engagement on this topic to the
1. We submitted a complaint to the
2. When the
3. We submitted our research study on the impacts of cross site trackers, which has since been validated by independent investigations, and are now banned by HHS, with joint warning letters being sent to hospitals.
We won't belabor the history of these prior comments but hope they are referenced as this rule is revised. Perhaps this history exemplifies how and why better protection for health privacy outside of HIPAA has been urgently needed. We hope for continued enforcement and expansion of this rule's enforcement.
The Bigger Picture: Enforcing Health Privacy Outside of HIPAA
The Commission has federal rule-making authority to issue industry-wide regulations (Rules and Guides) to deal with common unfair or deceptive practices and unfair methods of competition. The
As stated in our prior comments, the surveillance economy in healthcare is causing wide-scale erosion of consumer trust, especially when it comes to health privacy. We might have looked then to the HBNR as a tool to prevent exploitation and misuse of consumer health data years ago. Specifically, cyber harms in digital health can come in many forms, which is best outlined in this recent Nature paper: Characterizing cyber harms from digital health./1
The problem of what the
There are five changes proposed in this rule:
* Change #1: The Commission proposes to modify the definition of "PHR identifiable health information" and add two new definitions ("health care provider" and "health care services or supplier").
- Our Comment: We support the notion that entities covered by this rule should be driven less by how they self-identify and more by the actual or potential opportunity for them to collect, manage, or share health data.
- Health information is increasingly shared and brokered in places on the internet that need health privacy laws to protect consumers. For example, consider that consumer-facing platforms such as Meta, Amazon, X,
1 Perakslis, E.D., Ranney, M.L. & Goldsack, J.C. Characterizing cyber harms from digital health. Nat Med 29, 528-531 (2023). https://doi.org/10.1038/s41591-022-02167-6
* * *
...expanding their business into healthcare without clearly being covered by the definitions of the HBNR?
- To cite one example: Consumers share sensitive health information in "Private" support groups, posts, internet searches, and messages which generate vast amounts of information about an individual's health. To date there have been no protections for this type of information, because these entities do not self-identify as providing health-related services. Yet, such platforms abuse health privacy promises without oversight.
- We encourage the Commission to think broadly about the rapid expansion of technology that may fall outside the scope of the rule when it was originally created. Here are a few examples for consideration:
-- An AI platform like ChatGPT can gather consumers' health information if a user loads their patient test result or repeatedly asks prompt questions about their health condition.
-- Meta has developed a business around health information gathered on their platform.
- We suggest expanding the definition of what qualifies as a "health record." It would be beneficial to provide examples to guide developers in determining which category their products belong to. A "health record" should be defined broadly as anything pertaining to a person's mental or physical health, not merely records created within a health app. The definition of a health record should explicitly include examples such as:
1. Private social media posts about an individual's health status.
2. Web-browsing-triggered events on an app or website, such as adding a health-related item to a user's 'shopping cart' or purchasing health-related products at a grocery store.
3. Internet search engine queries by a consumer pertaining to their health.
There are many more examples, but these three exemplify an underlying principle: our health activity online, outside the past definition of a health app, is increasingly used to make predictions about "Social Determinants of Health" and must be included in any definition of a health record.
* Change #2: The Commission proposes to revise the definition of breach of security to clarify that a breach of security includes an unauthorized acquisition of PHR identifiable health information in a personal health record that occurs as a result of a data security breach or an unauthorized disclosure.
- Our comment: In the current NPRM, our understanding is that the Commission has no requirement for affirmative consent. There are no common requirements for what counts as "authorization" in consent waivers and end user license agreements. Consumers shouldn't be left to parse through dense or deceptive privacy claims that are misleading. For example,
- We urge the Commission to do more to remedy this problem by ensuring the HBNR has clear standards for what counts as authorization in a way that is clear, conspicuous, and specific for entities that share health information. From a patient/consumer's perspective, waivers of rights, vague legalese, or ever-changing terms designed for companies should not count as authorization. Rather, the HBNR needs to include standard terms for authorization that are "clear, conspicuous, and specific" and enable informed choices about disclosures of health information.
* Change #3: The Commission proposes revising the definition of "PHR related entity." Our comments on the definition of PHR related entities are as follows:
- First: Consider third party brokers and healthcare marketing firms developing predictive models about our health in massively harmful ways./3/4 We agree with the proposed change, and think that health marketing firms and brokers should be considered specifically as a "PHR related entity."
- Second, sending unsecured PHR identifiable information should not be allowed. Even if the data is secured via encryption due to state laws, there should still be an obligation to notify an individual if data is not encrypted. There need to be clear standards and guidance from the
2 McDonald AM, Reeder RW, Kelley PG, Cranor LF. A Comparative Study of Online Privacy Policies and Formats. In: Privacy Enhancing Technologies. Springer Berlin Heidelberg; 2009:37-55
3 Gebhart, Jennie. " Science Shouldn't Give Data Brokers Cover for Stealing Your Privacy"
* * *
- Third, companies should not be able to develop predictive algorithms based on consumers' social media posts and/or web-browsing behavior and use them without the knowledge and consent of the consumers in question. Third parties
- Finally, the scale and scope of harm that can befall vulnerable patient populations through targeting and exploitation of their health data outside of HIPAA grows as surveillance trackers are used to target patients' activity online./5 We urge the commission to ban the use of surveillance technologies to share or target health information.
* Change #4: The Commission proposes to clarify what it means for a personal health record to draw PHR identifiable health information from multiple sources.
- The original definition of a PHR was drawing from "Multiple Sources" such as different health systems in order to streamline and coordinate an individual's healthcare.
- In our original
* Change #5: Authorizing electronic notice instead of mailed notice.
- We agree that electronic notice is more effective. Consumers should be able to choose whether they want to receive notice via email or text. Any breach notification should be prominently displayed on the website of the company or organization.
* Sixth, the proposed Rule would expand the required content of the notice to individuals, to require that consumers whose unsecured PHR identifiable...
5 Downing A,
6 Allan, Marshall. Health Insurers Are Vacuuming Up Details About You -- And It Could Raise Your Rates. ProPublica,
* * *
...information has been breached receive additional important information, including information regarding the potential for harm from the breach and protections that the notifying entity is making available to affected consumers. The
Conclusion
In Summary, the
Respectfully,
Board President & Co-Founder
The Light Collective
* * *
Original text here: https://downloads.regulations.gov/FTC-2023-0037-0080/attachment_1.pdf