We use cookies to deliver our online services. Details of the cookies we use and instructions on how to disable them are set out in our Cookies Policy. By using this website you agree to our use of cookies. To close this message click close.

FTC Examines Benefits and Risks of Consumer Generated and Controlled Health Data

HL Chronicle of Data Protection

09 May 2014
As part of its 2014 Spring Privacy Series, on May 7, 2014 the Federal Trade Commission (FTC) held a seminar on Consumer Generated and Controlled Health Data (CGHD) that included participants from government, industry, and advocacy organizations.   The seminar—which consisted of opening remarks by FTC Commissioner Julie Brill, brief presentations by FTC representatives on health information data flows and sharing of CGHD with third parties, and a panel discussion moderated by FTC attorneys Kristen Anderson and Cora Han—examined the potential benefits and risks of CGHD.
FTC Examines Benefits and Risks of Consumer Generated and Controlled Health Data

In her opening remarks, Commissioner Brill was clear in her message that she considers health information to be highly sensitive even when it is created and processed entirely outside of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) context, and her comments focused on the need to adequately protect CGHD that falls outside of the HIPAA regulatory regime. 

The presentations and comments by FTC representatives, as well as the panel discussion, highlighted the following issues related to CGHD:

  • The lack of a regulatory regime that focuses specifically on health information that falls outside of the scope of HIPAA.
  • The notable absence of self-regulatory frameworks that address CGHD.
  • The lack of transparency regarding how CGHD is used and shared.
  • The significant number of third parties with whom CGHD is shared.
  • The potential limitations of the current notice and choice framework in the CGHD context.
  • The need for a common definition and understanding of what constitutes de-identified data and the agencies’ perception that re-identification risks are significant.

The FTC did not announce any specific action on CGHD and has not yet indicated whether it will issue a staff report on the issue, although it seems clear that the agency is likely to further examine this issue.  The FTC is accepting public comments until Monday, June 9, 2014. Click here to submit comments electronically.

HL Chronicle of Data Protection

Cybersecurity in the Health Sector

The health sector is under siege with cybersecurity threats. Some of the largest announced cyber attacks in U.S. history have targeted organizations in the health industry. Regulators have...

02 May 2016
Loading data