AMA Issues New Privacy Principles

Jul 09, 2020 at 09:05 am by Staff

Jesse Ehrenfeld, MD, MPH

Organization Looks to Restore Trust, Power to Patients

From wearables and fitness apps to EHRs and patient portals, an individual's health data resides in a lot of different places. In the wake of rising privacy concerns, however, the American public has grown increasingly worried about how their information is used and with whom it is shared.

In response to this unease, the American Medical Association released new privacy principles in May that support an individual's right to control, access and delete personal data collected about them. Jesse Ehrenfeld, MD, MPH, immediate past chair of the AMA Board of Trustees, said it was important for the organization to take a leadership role on the topic. "Trust is a fundamental component of the physician-patient relationship. For me to provide the best care to my patients, my patients have to trust they can share information with me they might not want anyone to know," he said, adding there's only one opportunity to get it right. "Once privacy is lost, you can't get it back. Privacy has to be fiercely protected."

Rock Health and Stanford Center for Digital Health recently released a white paper outlining findings from the 2019 Consumer Adoption Survey. In its fifth year, the study highlighted another reason the AMA is well positioned to take the lead in outlining privacy expectations - physicians remain the most-trusted group when it comes to sharing health data. Even physicians, however, have seen consumer confidence slip a little over the last three years. Yet, nearly three-quarters of respondents still were willing to share information with physicians and more than half with insurance companies compared to 23 percent willing to share with health tech companies, 12 percent with the government, and only 10 percent with general tech companies.

Confidence has been shaken by a number of tech sector breaches and scandals over the last few years, said Ehrenfeld, a public health policy expert who serves as director of the Advancing a Healthier Wisconsin Endowment and maintains a faculty appointment at Vanderbilt University School of Medicine. Additionally, there is growing recognition and frustration over the tech business model that quietly collects personal data, often without consumer knowledge or consent and without the strictures that accompany HIPAA. "We fully support the right of patients to be able to access, download and share their data," Ehrenfeld stated, adding that control belongs with the individual not an entity.

To address these concerns and issues, he said the AMA Privacy Principles outline transparency expectations across five main categories - individual rights, equity, entity responsibility, applicability and enforcement.

Ehrenfeld noted part of the impetus for AMA publishing these new principles stems from the spring release of final rules on data sharing and patient control from the U.S. Department of Health and Human Services in connection to the 21st Century Cures Act and the MyHealthEData initiative. "We advocated strongly and regularly to HHS to include controls in those final rules that would promote how apps use health data and how patients can prevent an app from using their information without consent," he said. "Unfortunately, HHS didn't take any action in that final rule to promote transparency."

Ehrenfeld added, "HIPAA is a law that predates almost all modern digital technology. HIPAA does not cover data that is created or managed by a patient or third party app." Without appropriate privacy controls, he said health information collected by apps or wearable fitness trackers could be shared with an employer or added to a credit score. "Once health information goes out the door and goes to a broker, you have the perfect recipe for harmful profiling and discrimination," he pointed out.

Yet, he continued, data collection is both ubiquitous and important to optimizing care. Trackers and apps can improve activity levels, diet, hydration and disease management. Data collection can highlight risk factors, identify at-risk populations or help clarify symptoms and spread of an infectious disease like COVID-19. "The more assurances people have about how entities will use that data, the more willing society will be to use technologies - whether it's telehealth or contact tracing," he said.

"We think that having guardrails and transparency is key to building trust and not inhibiting data exchange. We want to restore confidence in data privacy, and that's what our principles are all about," Ehrenfeld concluded.

Highlights of AMA Privacy Principles

The American Medical Association detailed expectations and rights for data exchange and privacy derived primarily from policy approved by the AMA House of Delegates. In a release, AMA leadership said the goal is to create a national framework of transparency and guardrails to guide data collection, direct privacy legislation and build public trust. The privacy principles are available below.

Individual Rights: Recognition that individuals have the right to know who is collecting their data, why it's being collected, how it will be used, and what is in the information. Furthermore, the AMA calls for individuals to have control over their info unless privacy rights have been waived "in a meaningful way," the data has been appropriately de-identified, or in rare instances when a public health or safety issue warrant "limited invasions of privacy or breaches of confidentiality."

Equity: Commitment to adopting privacy protections promoting equity and justice to ensure individuals are safeguarded from discrimination, stigmatization, profiling or exploitation in the collection, processing or sharing of data.

Entity Responsibility: Expectation that all entities that maintain an individual's health information "should have an obligation or 'duty of loyalty' to the individual." With that expectation, the entity should disclose exactly what data is collected and for what purpose.

Applicability: Understanding that privacy legislation applies to all entities that "access, use, transmit and disclose data," including entities not traditionally associated with healthcare that might be outside current HIPAA regulation.

Enforcement: Recognition that individuals shouldn't be responsible for the cost of enforcement except when exercising their private right of action. Furthermore, federal privacy legislation should serve as a "floor, not a ceiling" and shouldn't weaken any state laws or regulations.

WEB:

AMA Privacy Principles

Sections: Business/Tech