The Health IT Policy Committee’s Privacy and Security Workgroup has held hearings over that last several months to narrow its focus on potential harmful uses said co-chair Stanley Crosley during the June 30 meeting.

The major topics are concerns about tools commonly used to protect privacy, such as de-identification, consent, security and transparency; preventing, limiting and redressing harms; and the complex legal landscape. Legal complexity confuses consumers and imperils trust, he said.

The workgroup sees a need to address the uneven policy environment and reevaluate the existing rules to make sure there are incentives for the responsible re-use of data for learning purposes. The group also wants to consider modifying the rules around research uses of data to provide incentives for the use of privacy-protecting architectures such as data enclaves.

The workgroup called for better education of consumers about the privacy and security laws and uses of data both within and outside of the HIPAA environment. The Department of Health and Human Services, the FTC and other agencies should help guide these efforts to help more quickly establish the rules and the road to build trust.

The workgroup also said individuals should have strong rights to access their health information, sufficient to enable them to access, download and transmit their health information as easily as they can with their financial information. “This will require creating a ‘right of access’ in entities not covered by HIPAA as part of the voluntary codes of conduct,’ they said. It also will require strengthening HIPAA over time to bring it into the digital age.

Crosley also noted that there is over-reliance on de-identification and no accountability for re-identification. There are no overarching standards for de-identification of data outside of HIPAA and the HIPAA standards for de-identification often are voluntary and not required. De-identification reduces the value of data and places a burden on innovation, he said.

The workgroup’s recommendations in this area include calling on the Office of the National Coordinator for Health IT to be a better steward of HIPAA de-identification standards and conduct. The office should conduct an ongoing review of the methodologies and policies and seek assistance from third-party experts such as the National Institute of Standards and Technology.

They also urge the development of initiatives or programs to objectively evaluate statistical methodologies to vet their capacity for reducing re-identification risk to “very low” in certain contexts. “OCR should consider granting safe harbor status to those methodologies proven to be effective in particular contexts in order to encourage use of proven methodologies.”

OCR also should consider establishing risk-based de-identification requirements in circumstances where re-identification risk has been lowered other than through treatment of the data.

These are difficult conversations, Crosley acknowledged. “Criminalizing re-identification could create some liability and actually act as a disincentive for data exchange.” The workgroup desires accountability for re-identification or negligent identification but recommends against specifically asking Congress to address this at this time.

The workgroup also looked at security threats and gaps such as silos of protections and no end-to-end secure environment for health data. There is no entity responsible for assuring end-to-end protections and no legal incentives for privacy-enhancing technical architectures. The group acknowledged that Congress is the only policy-making body equipped to provide a baseline level of security for health data but is not calling for congressional action at this time.

To support the secure use of data for learning, the workgroup urges the development of voluntary codes of conduct to address robust security safeguards that can be enforced by the FTC. They call on public and private sectors to educate stakeholders about cybersecurity risks and recommended precautions. They also call on policymakers to provide incentives for entities to use privacy-enhancing technologies and architectures.

The workgroup re-endorsed prior Tiger Team recommendations including flexible and scalable security policy and a consistent and dynamic process for updating security policies and rapid dissemination of new rules and guidance to all affected.