Writing for the Health Affairs blog, law professor Nicholas Terry recently examined some of the implications of a revision to the Consumer Privacy Bill of Rights Act, a piece of draft legislation that seeks to address new needs in health data privacy and protection.
Among other values put forward in this document, the bill would place an emphasis on transparency for protected healthcare entities, with affected individuals given "reasonable notice" of the security practices in use. There are limits to the amount of transparency that would be expected: trade secrets, for example, would not have to be disclosed.
Another point made in the draft is that context matters when assessing personal information issues. Covered entities would not need to conduct a risk analysis if their processing of personal data is found to be "reasonable" in context. By contrast, if the context reveals a process not to be reasonable, a detailed review and mitigation of possible risks would be required.
Professor Terry refers to the "respect for context" section of the draft as one of its "more interesting provisions," and examined the ways it could apply to health data governance.
"Given the longitudinal context of a provider-patient relationship and patient expectations, it is arguable that this provision will have limited applicability in the traditional health context," he said. "However, it should be of major importance in controlling data abuse in emerging and increasingly important health data contexts, from big data to social media and mobile apps."
While this bill could reportedly add to health data security regulations, practices and health organizations still need to be mindful of HIPAA violations, and should seek advice on avoiding them if they aren't sure how to.