FTC Spring Privacy Series: Consumer Generated and Controlled Health Data
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

FTC Spring Privacy Series: Consumer Generated and Controlled Health Data

on

  • 409 views

Increasingly, consumers are taking a more active role in managing and generating their own health data. For example, consumers are researching their health conditions and diagnosing themselves online. ...

Increasingly, consumers are taking a more active role in managing and generating their own health data. For example, consumers are researching their health conditions and diagnosing themselves online. Consumers are also uploading their information into personal health records and apps that allow them to manage and analyze their data, and utilizing connected health and fitness devices that regularly collect information about them and transmit this information to other entities.

The movement of health data outside the traditional medical provider context has many potential benefits; however, it also raises potential privacy concerns. The seminar will address questions such as:

What types of websites, products, and services are consumers using to generate and control their health data, and how are consumers using them?
Who are the companies behind these websites, products, and services, what are their business models, and what does the current marketplace look like?
How can consumers benefit from these companies’ websites, products, and services?
What actions are these companies taking to protect consumers’ privacy and security?
What do consumers expect from these companies regarding privacy and security protections?
Do consumers differentiate between these companies and those that offer traditional medical products and services that are covered by HIPAA?
What restrictions, if any, do advertising networks and others impose on tracking of health data?

Statistics

Views

Total Views
409
Views on SlideShare
408
Embed Views
1

Actions

Likes
1
Downloads
5
Comments
1

1 Embed 1

http://www.slideee.com 1

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-ShareAlike LicenseCC Attribution-ShareAlike License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

FTC Spring Privacy Series: Consumer Generated and Controlled Health Data Presentation Transcript

  • 1. Welcome
  • 2. Welcoming Remarks Commissioner Brill
  • 3. Health Data Flows Latanya Sweeney Chief Technologist, FTC
  • 4. @TechFTC lsweeney@ftc.gov theDataMap.org Transparency Establishes Trust 
  • 5. Disclaimer The views and opinions in this presentation  represent my own and are not necessarily  those of the U.S. Federal Trade Commission.   These views are for the benefit  of public discourse and public education,  and are not necessarily an opinion regarding  any position I may take  on related issues decided  by the FTC. 
  • 6. Transparency Establishes Trust
  • 7. Establishes Distrust
  • 8. You, the Patient Physician, Hospital thedatamap.org
  • 9. Pharmacy Payer (Insurer) Law Firms Pharmacy Benefits Manager Employer (Yours, Spouse’s) Employer’s Wellness Program Life Insurance Company Accreditation Vital Statistics Researcher Consulting Physician You, the Patient Physician, Hospital
  • 10. Transcriptio n Pharmacy CDC Pharmaceutical Company Pharmacy Benefits Manager Analytics ICU Management Researcher Consulting Physician Health IT Other GovernmentFederal Trade Commission You, the Patient Physician, Hospital Real Estate Media Discharge Data Education Accreditation Law & Justice Prescription Analytics Law Firms Care Facility Clearing House De-identification Coding Licensing Vital Statistics Registries Social Services Public Health Clinical Lab Copy&Transport Associations Debt Collection Employer’s Wellness Program Life Insurance Company Personal Health Record Online Websites Medical Devices Financial Blood & Tissue Employer Personal Transport Home Health Retirement & Disability Social Support Human Resources Disease Management Mental & Addiction Dental/Vision Payer (Insurer) SSA Employee Union
  • 11. Transcriptio n Pharmacy CDC Pharmaceutical Company Pharmacy Benefits Manager Analytics ICU Management Researcher Consulting Physician Health IT Other Government Federal Trade Commission You, the Patient Physician, Hospital Real Estate Media Discharge Data Education Accreditation Law & Justice Prescription Analytics Law Firms Care Facility Clearing House De-identification Coding Licensing Vital Statistics Registries Social Services Public Health Clinical Lab Copy&Transport Associations Debt Collection Employer’s Wellness Program Life Insurance Company Personal Health Record Online Websites Medical Devices Financial Blood & Tissue Employer Personal Transport Home Health Retirement & Disability Social Support Human Resources Disease Management Mental & Addiction Dental/Vision Payer (Insurer) SSA Employee Union Flows not covered by HIPAA
  • 12. Transcriptio n Pharmacy CDC Pharmaceutical Company Pharmacy Benefits Manager Analytics ICU Management Researcher Consulting Physician Health IT Other GovernmentFederal Trade Commission You, the Patient Physician, Hospital Media Education Accreditation Law & Justice Prescription Analytics Law Firms Care Facility Clearing House De-identification Coding Licensing Vital Statistics Registries Social Services Public Health Clinical Lab Copy&Transport Associations Debt Collection Employer’s Wellness Program Life Insurance Company Personal Health Record Online Websites Medical Devices Blood & Tissue Employer Personal Transport Home Health Retirement & Disability Social Support Human Resources Disease Management Dental/Vision Payer (Insurer) SSA Employee Union Real Estate Financial Mental & Addiction Discharge Data
  • 13. 33 States Sell or Share Personal Health Data Hooley S and Sweeney L. Survey of Publicly‐Available State Health Databases. Paper 1075. 2013.  thedatamap.org/states.html
  • 14. Only 3 States Use HIPAA Standards Hooley S and Sweeney L. Survey of Publicly‐Available State Health Databases. Paper 1075. 2013.  thedatamap.org/states.html
  • 15. Transcriptio n Pharmacy CDC Pharmaceutical Company Pharmacy Benefits Manager Analytics ICU Management Researcher Consulting Physician Health IT Other GovernmentFederal Trade Commission You, the Patient Physician, Hospital Real Estate Media Discharge Data Education Accreditation Law & Justice Prescription Analytics Law Firms Care Facility Clearing House De-identification Coding Licensing Vital Statistics Registries Social Services Public Health Clinical Lab Copy&Transport Associations Debt Collection Employer’s Wellness Program Life Insurance Company Personal Health Record Online Websites Medical Devices Financial Blood & Tissue Employer Personal Transport Home Health Retirement & Disability Social Support Human Resources Disease Management Mental & Addiction Dental/Vision Payer (Insurer) SSA Employee Union
  • 16. Transcriptio n Pharmacy CDC Pharmaceutical Company Pharmacy Benefits Manager Analytics ICU Management Researcher Consulting Physician Health IT Other GovernmentFederal Trade Commission You, the Patient Physician, Hospital Real Estate Media Discharge Data Education Accreditation Law & Justice Prescription Analytics Law Firms Care Facility Clearing House De-identification Coding Licensing Vital Statistics Registries Social Services Public Health Clinical Lab Copy&Transport Associations Debt Collection Employer’s Wellness Program Life Insurance Company Personal Health Record Online Websites Medical Devices Financial Blood & Tissue Employer Personal Transport Home Health Retirement & Disability Social Support Human Resources Disease Management Mental & Addiction Dental/Vision Payer (Insurer) SSA Employee Union
  • 17. Washington State Health Database 43% news stories re‐identified Sweeney L. Matching Known Patients to Health Records in Washington State Data. Paper 1089. 2013.  thedatamap.org/risks.html News stories have same information that others know.  Employers, Creditors, Family, Friends and Neighbors
  • 18. @TechFTC lsweeney@ftc.gov theDataMap.org Transparency Establishes Trust 
  • 19. A Snapshot of Data Sharing by  Select Health and Fitness Apps FTC Staff’s Preliminary Observations Jah‐Juin “Jared” Ho Sheryl Novick Mobile Technology Unit Federal Trade Commission Christina Yeung Division of Planning and Information Federal Trade Commission
  • 20. Name Username MAC Language Carrier Provider Device Model Weight Geolocation DOB Age Gender CALORIES BURNED Hydration Symptom Searches ?
  • 21. Privacy Rights Clearinghouse Mobile Health and Fitness Applications and Information Privacy‐ July 2013 • Examined 43 free and paid health and fitness apps o Wearables not included • Traffic analysis and privacy policy review • Findings: o 26% of the free apps and 40% of the paid apps did not have a privacy policy o 39% of the free apps and 30% of the paid apps sent data to someone not disclosed by the developer either in-app or in any privacy policy they found o 13% of the free apps and 10% of the paid apps encrypted all data connections between the app and the developer’s website. • Conclusion: “Our research brought us to the conclusion that, from a privacy perspective, mobile health and fitness applications are not particularly safe when it comes to protecting user privacy.” Source: https://www.privacyrights.org/mobile-medical-apps-privacy-consumer-report.pdf
  • 22. Evidon A Healthy Data Set‐ September 2013 • Tested 20 health and fitness apps • Found the presence of 70 third parties • “These companies are typically advertising and analytics companies, who attempt to better match advertisements to users who will buy; and who work to help app developers increase functionality and usability, respectively.” • Source: http://www.evidon.com/blog/healthy-data-set
  • 23. WHO and WHAT? Reconceptualizing the Evidon Study : app : third party
  • 24. Health & Fitness App Snapshot Methodology • Twelve apps and two wearables • App traffic analysis • Mapped the data sets
  • 25. Health & Fitness App Snapshot Limitations • One device • Only Free Apps • Front-end testing only • Did not review privacy policies
  • 26. App Example One app transmitted information to 18 different 3rd parties.  Information included: *Device Information *Device & 3rd Party Identifiers *Consumer Specific Identifiers *Workout/Route Information *Diet Information : app : third party : developer
  • 27. : app : third party
  • 28. : app : third party Observation #1 18 third‐parties received Device Specific Identifiers such as: *Device ID *MAC address *IMEI
  • 29. Observation #2 14 third‐parties received  Consumer Specific Identifiers such as: *Username *Name *Email Address : app : third party
  • 30. Observation #3 22 third‐parties received additional information about consumers such as: *Exercise Information *Meal/Diet Information *Medical/Symptom Search Information *Zip code *Geolocation *Gender : app : third party
  • 31. Summary of Observations • Health and fitness apps collect and transmit to third parties sensitive  information about our bodies and our habits. • The 12 apps tested transmitted information to 76 different third‐parties.  This information included: ‐Device Information; ‐Consumer specific identifiers; ‐Unique device IDs capable of allowing 3rd parties to track users’ devices across apps; ‐Unique 3rd party IDs capable of allowing 3rd parties to track users’ devices across apps; and  ‐Consumer information such as exercise routine, dietary habits, and symptom searches. • There are significant privacy implications where health routines,   dietary habits, and symptom searches are capable of being aggregated using identifiers unique to that consumer.
  • 32. Panel Discussion • Christopher R. Burrow, M.D., EVP Medical Affairs,  Humetrix • Joseph Lorenzo Hall, Chief Technologist, Center for  Democracy & Technology • Sally Okun, RN, MMHS, Vice President of Advocacy,  Policy & Patient Safety, PatientsLikeMe • Heather Patterson, Postdoctoral Research Fellow,  New York University • Joy Pritts, Chief Privacy Officer, Office of the  National Coordinator for Health Information  Technology, Department of Health & Human  Services
  • 33. Mobile Anytime/Anywhere Access to Personal Health Records Mobile Anytime/Anywhere Access to Personal Health Records 36
  • 34. Access to e‐Health Records is a Right Ensured by HIPAA  Important tools like Electronic Health Records (EHRs) and Personal Health Records  (PHRs) will make it easier, safer, and faster for you to get access to your health  information and stay engaged. Important tools like Electronic Health Records (EHRs) and Personal Health Records  (PHRs) will make it easier, safer, and faster for you to get access to your health  information and stay engaged.
  • 35. iBlueButton Display & Aggregation of TRICARE, VA,  Medicare  Blue Button  and  EMR Records (Epic, Cerner, Allscripts etc…) © Humetrix 2014
  • 36. Patient Generated Data  Health Care Proxy and Prior Discharge Summaries Imported into iBlueButton
  • 37. Consumer‐Controlled Mobile Health Record Access & Exchange EHRs from  diverse  sources  (e.g.  hospitals,  payers,  HCP  groups) 40
  • 38. iBlueButton for Medicare Beneficiaries: Three Years of  Medical History in Patients’ Hands for their Safety  From Blue Button… to From a 300 page Blue Button ASCII text claims record to… …a mobile longitudinal health record available at every Point of Care
  • 39. susan.jones@direct.ibluebutton.com © Humetrix 2014 Providers Transmit Records to their Patients’ Unique iBlueButton Address   using the Secure Federal Direct Transport Standard iBlueButton App generates a Direct Address for each Profile
  • 40. iBlueButton: Display of Medicare, EMR,   VA and TRICARE records with Real Time Aggregated View © Humetrix 2014 43
  • 41. © Humetrix 2014 Patient Generated Data Medication and Condition Annotations and Privacy Settings
  • 42. iBlueButton Privacy Policy and ONC PHR Model Privacy Notice
  • 43. Panel Discussion • Christopher R. Burrow, M.D., EVP Medical Affairs,  Humetrix • Joseph Lorenzo Hall, Chief Technologist, Center for  Democracy & Technology • Sally Okun, RN, MMHS, Vice President of Advocacy,  Policy & Patient Safety, PatientsLikeMe • Heather Patterson, Postdoctoral Research Fellow,  New York University • Joy Pritts, Chief Privacy Officer, Office of the  National Coordinator for Health Information  Technology, Department of Health & Human  Services