FTC Spring Privacy Series: Consumer Generated and Controlled Health Data

Increasingly, consumers are taking a more active role in managing and generating their own health data. For example, consumers are researching their health conditions and diagnosing themselves online. Consumers are also uploading their information into personal health records and apps that allow them to manage and analyze their data, and utilizing connected health and fitness devices that regularly collect information about them and transmit this information to other entities.

The movement of health data outside the traditional medical provider context has many potential benefits; however, it also raises potential privacy concerns. The seminar will address questions such as:

What types of websites, products, and services are consumers using to generate and control their health data, and how are consumers using them?
Who are the companies behind these websites, products, and services, what are their business models, and what does the current marketplace look like?
How can consumers benefit from these companies’ websites, products, and services?
What actions are these companies taking to protect consumers’ privacy and security?
What do consumers expect from these companies regarding privacy and security protections?
Do consumers differentiate between these companies and those that offer traditional medical products and services that are covered by HIPAA?
What restrictions, if any, do advertising networks and others impose on tracking of health data?


  1. Welcome
  2. Welcoming Remarks. Commissioner Brill
  3. Health Data Flows. Latanya Sweeney, Chief Technologist, FTC
  4. @TechFTC lsweeney@ftc.gov theDataMap.org. Transparency Establishes Trust
  5. Disclaimer. The views and opinions in this presentation represent my own and are not necessarily those of the U.S. Federal Trade Commission. These views are for the benefit of public discourse and public education, and are not necessarily an opinion regarding any position I may take on related issues decided by the FTC.
  6. Transparency Establishes Trust
  7. Establishes Distrust
  8. [Data map diagram, thedatamap.org] You, the Patient; Physician; Hospital
  9. [Data map diagram] You, the Patient; Physician; Hospital; Pharmacy; Payer (Insurer); Law Firms; Pharmacy Benefits Manager; Employer (Yours, Spouse’s); Employer’s Wellness Program; Life Insurance Company; Accreditation; Vital Statistics; Researcher; Consulting Physician
  10. [Full data map diagram] You, the Patient; Physician; Hospital; Transcription; Pharmacy; CDC; Pharmaceutical Company; Pharmacy Benefits Manager; Analytics; ICU Management; Researcher; Consulting Physician; Health IT; Other Government; Federal Trade Commission; Real Estate; Media; Discharge Data; Education; Accreditation; Law & Justice; Prescription Analytics; Law Firms; Care Facility; Clearing House; De-identification; Coding; Licensing; Vital Statistics; Registries; Social Services; Public Health; Clinical Lab; Copy & Transport; Associations; Debt Collection; Employer’s Wellness Program; Life Insurance Company; Personal Health Record; Online Websites; Medical Devices; Financial; Blood & Tissue; Employer; Personal Transport; Home Health; Retirement & Disability; Social Support; Human Resources; Disease Management; Mental & Addiction; Dental/Vision; Payer (Insurer); SSA; Employee Union
  11. [Same data map diagram] Flows not covered by HIPAA
  12. [Same data map diagram, with Real Estate, Financial, Mental & Addiction and Discharge Data listed separately from the rest]
  13. 33 States Sell or Share Personal Health Data. Hooley S and Sweeney L. Survey of Publicly-Available State Health Databases. Paper 1075. 2013. thedatamap.org/states.html
  14. Only 3 States Use HIPAA Standards. Hooley S and Sweeney L. Survey of Publicly-Available State Health Databases. Paper 1075. 2013. thedatamap.org/states.html
  15. [Same data map diagram as slide 10]
  16. [Same data map diagram as slide 10]
  17. Washington State Health Database: 43% of news stories re-identified. Sweeney L. Matching Known Patients to Health Records in Washington State Data. Paper 1089. 2013. thedatamap.org/risks.html. News stories have the same information that others know: Employers, Creditors, Family, Friends and Neighbors.
  18. @TechFTC lsweeney@ftc.gov theDataMap.org. Transparency Establishes Trust
  19. A Snapshot of Data Sharing by Select Health and Fitness Apps: FTC Staff’s Preliminary Observations. Jah-Juin “Jared” Ho and Sheryl Novick, Mobile Technology Unit, Federal Trade Commission; Christina Yeung, Division of Planning and Information, Federal Trade Commission
  20. [Diagram of collected data elements] Name; Username; MAC; Language; Carrier Provider; Device Model; Weight; Geolocation; DOB; Age; Gender; Calories Burned; Hydration; Symptom Searches; ?
  21. Privacy Rights Clearinghouse, Mobile Health and Fitness Applications and Information Privacy, July 2013
      • Examined 43 free and paid health and fitness apps
        o Wearables not included
      • Traffic analysis and privacy policy review
      • Findings:
        o 26% of the free apps and 40% of the paid apps did not have a privacy policy
        o 39% of the free apps and 30% of the paid apps sent data to someone not disclosed by the developer either in-app or in any privacy policy they found
        o 13% of the free apps and 10% of the paid apps encrypted all data connections between the app and the developer’s website.
      • Conclusion: “Our research brought us to the conclusion that, from a privacy perspective, mobile health and fitness applications are not particularly safe when it comes to protecting user privacy.”
      Source: https://www.privacyrights.org/mobile-medical-apps-privacy-consumer-report.pdf
  22. Evidon, A Healthy Data Set, September 2013
      • Tested 20 health and fitness apps
      • Found the presence of 70 third parties
      • “These companies are typically advertising and analytics companies, who attempt to better match advertisements to users who will buy; and who work to help app developers increase functionality and usability, respectively.”
      • Source: http://www.evidon.com/blog/healthy-data-set
  23. WHO and WHAT? Reconceptualizing the Evidon Study. [Diagram; legend: app, third party]
  24. Health & Fitness App Snapshot: Methodology
      • Twelve apps and two wearables
      • App traffic analysis
      • Mapped the data sets
  25. Health & Fitness App Snapshot: Limitations
      • One device
      • Only free apps
      • Front-end testing only
      • Did not review privacy policies
  26. App Example. One app transmitted information to 18 different 3rd parties. Information included: Device Information; Device & 3rd Party Identifiers; Consumer Specific Identifiers; Workout/Route Information; Diet Information. [Diagram; legend: app, third party, developer]
  27. [Diagram; legend: app, third party]
  28. Observation #1: 18 third parties received Device Specific Identifiers such as: Device ID; MAC address; IMEI. [Diagram; legend: app, third party]
  29. Observation #2: 14 third parties received Consumer Specific Identifiers such as: Username; Name; Email Address. [Diagram; legend: app, third party]
  30. Observation #3: 22 third parties received additional information about consumers such as: Exercise Information; Meal/Diet Information; Medical/Symptom Search Information; Zip code; Geolocation; Gender. [Diagram; legend: app, third party]
  31. Summary of Observations
      • Health and fitness apps collect and transmit to third parties sensitive information about our bodies and our habits.
      • The 12 apps tested transmitted information to 76 different third parties. This information included:
        - Device Information;
        - Consumer specific identifiers;
        - Unique device IDs capable of allowing 3rd parties to track users’ devices across apps;
        - Unique 3rd party IDs capable of allowing 3rd parties to track users’ devices across apps; and
        - Consumer information such as exercise routine, dietary habits, and symptom searches.
      • There are significant privacy implications where health routines, dietary habits, and symptom searches are capable of being aggregated using identifiers unique to that consumer.
  32. Panel Discussion
      • Christopher R. Burrow, M.D., EVP Medical Affairs, Humetrix
      • Joseph Lorenzo Hall, Chief Technologist, Center for Democracy & Technology
      • Sally Okun, RN, MMHS, Vice President of Advocacy, Policy & Patient Safety, PatientsLikeMe
      • Heather Patterson, Postdoctoral Research Fellow, New York University
      • Joy Pritts, Chief Privacy Officer, Office of the National Coordinator for Health Information Technology, Department of Health & Human Services
  33. Mobile Anytime/Anywhere Access to Personal Health Records
  34. Access to e-Health Records is a Right Ensured by HIPAA. Important tools like Electronic Health Records (EHRs) and Personal Health Records (PHRs) will make it easier, safer, and faster for you to get access to your health information and stay engaged.
  35. iBlueButton Display & Aggregation of TRICARE, VA, Medicare Blue Button and EMR Records (Epic, Cerner, Allscripts etc…). © Humetrix 2014
  36. Patient Generated Data: Health Care Proxy and Prior Discharge Summaries Imported into iBlueButton
  37. Consumer-Controlled Mobile Health Record Access & Exchange. EHRs from diverse sources (e.g. hospitals, payers, HCP groups)
  38. iBlueButton for Medicare Beneficiaries: Three Years of Medical History in Patients’ Hands for their Safety. From a 300 page Blue Button ASCII text claims record to a mobile longitudinal health record available at every Point of Care
  39. Providers Transmit Records to their Patients’ Unique iBlueButton Address using the Secure Federal Direct Transport Standard. iBlueButton App generates a Direct Address for each Profile (e.g. susan.jones@direct.ibluebutton.com). © Humetrix 2014
  40. iBlueButton: Display of Medicare, EMR, VA and TRICARE records with Real Time Aggregated View. © Humetrix 2014
  41. Patient Generated Data: Medication and Condition Annotations and Privacy Settings. © Humetrix 2014
  42. iBlueButton Privacy Policy and ONC PHR Model Privacy Notice
  43. Panel Discussion (same panel as slide 32)
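As an added example (not part of the FTC staff deck), the following Python sketches the bookkeeping behind Observations #1-#3 and the summary slide: classify the fields each request carries, count distinct third parties per data class, and flag any third party that receives both a persistent identifier and health information, noting when that identifier arrives from more than one app. All app names, hosts and field names are constructed sample data.

```python
from collections import defaultdict

# Data classes from the snapshot's observations; field names are constructed.
DATA_CLASSES = {
    "device_identifier": {"device_id", "mac", "imei"},
    "consumer_identifier": {"username", "name", "email"},
    "health_info": {"exercise", "meal", "symptom_search", "zip", "geolocation", "gender"},
}

# Constructed sample of observed requests: (app, destination host, fields sent).
SAMPLE_TRAFFIC = [
    ("fitapp", "api.fitapp.example", {"username", "exercise", "device_id"}),
    ("fitapp", "ads-a.example", {"device_id", "geolocation"}),
    ("fitapp", "analytics-b.example", {"mac", "exercise"}),
    ("dietapp", "api.dietapp.example", {"email", "meal"}),
    ("dietapp", "ads-a.example", {"device_id", "meal"}),
    ("dietapp", "crash-c.example", {"device_id", "zip"}),
    ("symptomapp", "analytics-b.example", {"email", "symptom_search"}),
]
# Hosts run by the app developers themselves (first party); constructed.
FIRST_PARTY = {"api.fitapp.example", "api.dietapp.example"}

def classify(fields):
    """Return the set of data classes present among the transmitted fields."""
    return {name for name, members in DATA_CLASSES.items() if fields & members}

def third_party_recipients(traffic, first_party):
    """Map each third-party host to the apps and data classes it received."""
    recipients = defaultdict(lambda: {"apps": set(), "classes": set()})
    for app, host, fields in traffic:
        if host in first_party:
            continue  # developer's own endpoint, not a third party
        recipients[host]["apps"].add(app)
        recipients[host]["classes"] |= classify(fields)
    return recipients

def count_by_class(recipients):
    """Count distinct third parties per data class (Observations #1-#3)."""
    counts = {name: 0 for name in DATA_CLASSES}
    for info in recipients.values():
        for cls in info["classes"]:
            counts[cls] += 1
    return counts

def aggregation_risks(recipients):
    """Flag third parties receiving a persistent identifier plus health data;
    cross_app is True when that host is reached from more than one app."""
    risks = {}
    for host, info in sorted(recipients.items()):
        ids = info["classes"] & {"device_identifier", "consumer_identifier"}
        if ids and "health_info" in info["classes"]:
            risks[host] = {"cross_app": len(info["apps"]) > 1, "identifiers": sorted(ids)}
    return risks
```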