AMA Issues New Privacy Principles
By CINDY SANDERS
Organization Looks to Restore Trust, Power to Patients
From wearables and fitness apps to EHRs and patient portals, an individual's health data resides in a lot of different places. In the wake of rising privacy concerns, however, the American public has grown increasingly worried about how their information is used and with whom it is shared.
In response to this unease, the American Medical Association released new privacy principles in May that support an individual's right to control, access and delete personal data collected about them. Jesse Ehrenfeld, MD, MPH, immediate past chair of the AMA Board of Trustees, said it was important for the organization to take a leadership role on the topic. "Trust is a fundamental component of the physician-patient relationship. For me to provide the best care to my patients, my patients have to trust they can share information with me they might not want anyone to know," he said, adding there's only one opportunity to get it right. "Once privacy is lost, you can't get it back. Privacy has to be fiercely protected."
Rock Health and Stanford Center for Digital Health recently released a white paper outlining findings from the 2019 Consumer Adoption Survey. In its fifth year, the study highlighted another reason the AMA is well positioned to take the lead in outlining privacy expectations - physicians remain the most-trusted group when it comes to sharing health data. Even physicians, however, have seen consumer confidence slip a little over the last three years. Yet, nearly three-quarters of respondents still were willing to share information with physicians and more than half with insurance companies compared to 23 percent willing to share with health tech companies, 12 percent with the government, and only 10 percent with general tech companies.
Confidence has been shaken by a number of tech sector breaches and scandals over the last few years, said Ehrenfeld, a public health policy expert who serves as director of the Advancing a Healthier Wisconsin Endowment and maintains a faculty appointment at Vanderbilt University School of Medicine. Additionally, there is growing recognition and frustration over the tech business model that quietly collects personal data, often without consumer knowledge or consent and without the strictures that accompany HIPAA. "We fully support the right of patients to be able to access, download and share their data," Ehrenfeld stated, adding that control belongs with the individual not an entity.
To address these concerns and issues, he said the AMA Privacy Principles outline transparency expectations across five main categories - individual rights, equity, entity responsibility, applicability and enforcement.
Ehrenfeld noted part of the impetus for AMA publishing these new principles stems from the spring release of final rules on data sharing and patient control from the U.S. Department of Health and Human Services in connection to the 21st Century Cures Act and the MyHealthEData initiative. "We advocated strongly and regularly to HHS to include controls in those final rules that would promote how apps use health data and how patients can prevent an app from using their information without consent," he said. "Unfortunately, HHS didn't take any action in that final rule to promote transparency."
Ehrenfeld added, "HIPAA is a law that predates almost all modern digital technology. HIPAA does not cover data that is created or managed by a patient or third party app." Without appropriate privacy controls, he said health information collected by apps or wearable fitness trackers could be shared with an employer or added to a credit score. "Once health information goes out the door and goes to a broker, you have the perfect recipe for harmful profiling and discrimination," he pointed out.
Yet, he continued, data collection is both ubiquitous and important to optimizing care. Trackers and apps can improve activity levels, diet, hydration and disease management. Data collection can highlight risk factors, identify at-risk populations or help clarify symptoms and spread of an infectious disease like COVID-19. "The more assurances people have about how entities will use that data, the more willing society will be to use technologies - whether it's telehealth or contact tracing," he said.
"We think that having guardrails and transparency is key to building trust and not inhibiting data exchange. We want to restore confidence in data privacy, and that's what our principles are all about," Ehrenfeld concluded.