Hello, and welcome to Health Information Privacy Ask an Expert. I'm Lucia Savage. I'm currently Chief Privacy and Regulatory Officer at Omada Health. Before joining Omada Health, I was Chief Privacy Officer at the Health and Human Services Office of the National Coordinator for Health IT. Yes, that's a mouthful. You can just say ONC for short. And that is the agency that not only brought you regulated electronic health records, but also brought you app-based access to your information. And we'll talk more about that later today. I'm really happy to be here today recording live for the Biohacking Village at DEFCON. As you know, the format of the show is to cover the basics of a topic and then open the mailbag on that topic. Today we're covering how health information privacy is regulated in the U.S. and the difference between health information in the health care system and outside of it, like on social media. We're also going to cover why there are lots of news headlines on the topic and what the headlines mean for ordinary people. Let's get started. I think the best place to start is why do people want health information privacy? It's pretty simple. People want health information privacy to prevent them from being treated badly because of their health status. There are a few very current examples of that. Just look at Kim Kardashian's note about her husband's mental health situation. Or if you want a deeper dive, you can read Carrie Fisher's autobiography. Or you can check out on social media the Royal Highnesses' campaign to remove mental health stigma in Britain. All of those are areas where we have specialized privacy rules because we treat people badly when the health information gets out in public. And there are many, many areas as well, but those are three current examples. 
At the same time, it's really important to remember that here, a fifth of the way through the 21st century, digital health information can be used for really, really important purposes to help us address inequities, address discrimination, improve the care system. You can't fix what you can't measure. One example would be many years ago, we started measuring the rate of breast cancer screening in women. And because we could measure it and identify the physicians that were not ordering mammograms for their patients, we increased the rate of screening and we saved lives. That's a really early example. But some more current examples are things like using the data to measure what kind of languages the healthcare providers speak compared to their patients or using the data to figure out immunization rates. So using it is important, but keeping it private is important. And therefore we have regulation. And I thought today I'd talk a little bit about how health information is regulated and then open it up to questions from the mailbag. So the first thing I wanted to say is within the healthcare system there's a very specific set of rules. You guys will all have heard the acronym HIPAA. It stands for Health Insurance Portability and Accountability Act. And you'll notice that there's no privacy in that acronym. Privacy is a side product of the original effort, which was to digitize the claims data so we could do this measurement. But we do have a very robust privacy rule. And in fact people equate HIPAA with privacy. And the way that works is the digital health information within the healthcare system is designed by regulation to move around for ordinary healthcare purposes. For example, if you go to the doctor's office and you have insurance, you want your doctor to bill the insurance company without you having to do extra paperwork. Or at least most people do. 
There is definitely a subsection of the American population that wants to manage it all themselves, but that's not most of us. And so that transaction, that care transaction, is all digital and it goes from your doctor's office to your insurance company so your doctor can get paid and you get billed whatever your co-insurance is. And we know that could be high. That's a different panel. But you don't have to do anything. You don't have to collect the data. You don't have to send it somewhere. It doesn't have to be printed out. And all that is designed to happen normally. In addition, the regulations are also designed to let us do this normalized measurement, to measure that breast cancer screening rate, to measure the immunization rates, to measure language, to measure how expensive it is. And there are lots and lots of examples of that. But the last thing is the regulations are designed to not allow the data outside of the healthcare system in an identifiable way without you giving permission for it. And I don't have time today to give you very specific and detailed technicalities of the regulations, but I will be providing a list of public resources where you can dig in yourself about that. That's the basics of within the healthcare system. But again, here we are. It's 2020, almost 2021. And we have lots and lots of health information that's either directly collected from individuals outside the healthcare system, like fitness trackers and social media sites, or where we use data like grocery shopping data, or banking data, or driving data to impute health information about people from other data sets. And all of that, not being in the regular healthcare system, is subject to a completely different regulatory scheme. So that regulatory scheme is basically about consumer privacy protection. 
So it's really the same rules that apply to the health information Facebook collects as apply to the fashion information Facebook collects, or the dining information your social media account collects; it's all the same set of rules. And that basic construct is, did the organization tell you what it was going to collect? We can have a long conversation about notice. And were they honest about it? So were their actions what they said they were going to be, or did they lie about their actions or mislead you about their actions? So it sounds really good in concept, but very, very hard to prove in the detail. The ability to prove those consumer violations lies primarily with the Federal Trade Commission, which is a federal agency not in the healthcare system, and as well with state attorneys general. Then as the 21st century has gone on from 2000 to the present, states have begun to take a role. And so we have state breach notification laws to protect us from consumer harm, when our consumer data is collected and then breached or misused or misdisclosed. And we have states also beginning to take specific action about health information outside of the healthcare system. The last thing I want to say about this interplay between inside the healthcare system and outside the healthcare system has to do with states. So the federal law HIPAA is a baseline. It's the floor of regulation. And many states have very specific laws about, in general, clinical verticals. So they'll have specific laws about HIV/AIDS or specific laws about mental health data, or specific laws about domestic violence or sexually transmitted diseases. There are eight or so key areas. And they'll have a specialized rule about that and who gets to use it and what permission is required and whether you have to consent to the release of your data. And all of those rules sit on top of HIPAA. 
So in the healthcare system, if you're a healthcare provider like Omada is, you have to think about HIPAA and you have to think about all your state laws. But again, those laws are about the healthcare system itself and not about particular kinds of data outside the health system in the consumer setting. Finally, we have an emerging set of laws. Many people here will have heard of the California Consumer Privacy Act. And many people who are California residents will know that we have a ballot initiative coming to us in November where we can vote on an additional privacy law that, ironically enough, the privacy advocates are fighting about whether it's any good. That's also a conversation for another day. You can look that up on social media. But other states are looking to California to see what it does and whether there are things those states can copy from the California landscape to protect their own residents in the absence of federal regulation, which takes me to my final point. There have been a lot of headlines about this. Mr. Zuckerberg has been in front of Congress many times. Leaders from Google, leaders from Twitter all have been in front of Congress talking about privacy. It is an important federal policy question and the important question is, will the federal government change anything in the federal landscape to augment the FTC's powers, to make the consumer rights more meaningful, to make the consumer rights more particularized, to help with health care information outside of the health care system? So these conversations started in the wake of Cambridge Analytica. A lot of us privacy advocates had great hopes for something happening. I remind you, Cambridge Analytica was two years ago now, a little bit more than two years ago now. So politics moves very, very slowly. It's an election year. We have COVID. Conventional wisdom says nothing's going to happen this year. And then it's very complicated politically. There are three or four committees on the Senate side. 
Another half a dozen committees on the House side. Each of them has jurisdiction. If you went back to "I'm Just a Bill" from Schoolhouse Rock, you would realize you have to have a bill on each side. Then they have to come together and come to a compromise bill. And then both houses have to pass it again. And then the president has to sign it. So lots and lots of moving parts. Lots of opportunities there for people who are interested to still make their voices heard. And we'll talk about that a little bit later. Eventually, I think we will have something national, though it could take another two to four years. So I have somebody with me today to help me read the mail. My friend Nina. Nina, what's in the mailbag? First question. What are the big issues that are being debated in Congress about a nationwide privacy law? I think the two biggest issues are, one is what we call preemption. So that is the idea that the federal law overtakes and supersedes any active state law. So if you think about the CCPA construct, if there were a federal law and if it were preemptive, it would override whatever California enacts in its own law. So you can see that that could be really contentious because some states might want to be more aggressive or more protective of their consumers than other states or than the federal government. On the flip side, however, the more laws there are, the harder it is to assure compliance. So from a consumer perspective, it might actually be better to have one single law that applies the same everywhere. So you don't have to be confused or have your rights change as you cross state lines. Many, many complex tradeoffs there. The other big issue is should individuals be able to bring their own lawsuits for breaches of privacy? Now, there's a very long complicated history about lawsuits and privacy and damages. But at the end of the day, it's about how does this get enforced? So right now, outside of health care, the FTC brings an action. 
Consumers under their individual state laws may or may not have the right to sue. And in health care, consumers have no personal rights under HIPAA to sue. A federal law could change all that by giving individuals the right to sue. That can be a really effective enforcement mechanism, as has been true for automobile safety, for example. Right? Cars are safer because Ford got sued over the Pinto. But it also can make the cost of the business much more expensive. It can be a barrier to innovation because you have to worry about being sued. There are a lot of downstream effects to making lawsuits too widely available, empowering a lot of people to bring a lawsuit. So again, tradeoffs there. Those are probably the two biggest issues that people cannot agree on. Why can't people get to yes? There are a lot of economic interests involved in that. So you can see that the trial attorneys want to make money off the lawsuits, but the small businesses and the innovation community and the venture capitalists want to keep growing new businesses with new ideas, and they don't want the threat of lawsuits hanging over their heads. Compliance can be complicated. There are philosophical differences. There are people who definitely believe in empowering consumers to sue, and people who don't believe in empowering consumers to sue. Those fall across the political spectrum. And that's probably why we can't get to yes: there aren't enough people in any one particular place on that spectrum to balance the scales to a yes. You have to have a majority vote on both sides. So what's the impact of CCPA? So in the healthcare system, CCPA has a very specific carve-out for organizations that are actually already covered by HIPAA. For example, Omada would fall into that bucket, except for our public website, which you guys might casually be browsing right now. But our program itself is healthcare delivery; it's within HIPAA. 
But if you are a company who is collecting health information, for example, because you are running a business that offers consumers gift cards to answer surveys about their health conditions, that might be a business model, that's not within the healthcare system and CCPA is going to apply, and all the rules that go with it are going to apply. And of course, it's a little bit of a moving target because the law was enacted a year ago, it took effect in January, but the regulations didn't take effect until July and actually they didn't get finalized till last week, and that might be upended by, you know, a ballot initiative, and who knows what's going to happen if there's court action about the ballot initiative. I'm not an expert on CCPA. I think it's something that's really important to people. But to me, the most important part of it for a consumer is knowing that I can go and say to that organization, what did you collect about me and can I please have a copy of it? That's a really important thing for consumers who want to take action. I completely agree with that. So, if anything, what did COVID change? You know, COVID hasn't changed very much in the landscape, the overall regulatory landscape. There have been a couple of little things that have eased because of the public health emergency, but that easement is temporary. But I think in terms of health information, the impact COVID has had is really to give more people a stronger sense of the possibility that digital health has for us as a way of getting care, maintaining our health, getting the coaching or the assistance we need when we can't go to the doctor's office. And because of that, I mean, it's great for a digital health company like Omada, but because of that people are now going to be thinking about their health information a lot more. That's one. 
The second one is I think that the arrival of big tech at the COVID moment with their wide variety of contact tracing apps, you know, that Facebook both runs ads for legitimate academic research about COVID and also runs not legitimate, you know, links to things that are not legitimate research. Arriving as it has two years after Cambridge Analytica, I think we're suffering from the skepticism that Cambridge Analytica brought to the doorstep of health information outside of HIPAA really and truly. People are concerned about the contact tracing apps. The uptake is very low. It even bleeds over into human-to-human contact tracing where I might call you Nina and say, hey, you know, look like you were at that concert or did you know there was a big concert and were you there and who were you with and who were they with and that's, you know, contact tracing. We've been doing it for decades, really centuries because we do contact tracing for sexually transmitted diseases that are contagious. And so we also have erosion of trust of the human-to-human contact tracing and we'll suffer from that as a society for a while. How important is this issue to Congress? You know, it's a little bit of water before this question. You know, it's a little bit of Kentucky windage, right? Issues are important that constituents care about and that's pretty much how the democratic process works. So right now constituents care about COVID and some constituents care about election security, which is hugely important. We won't get a privacy anything this year, although I know there are still people working on little pieces of privacy. I saw a draft bill the other day about COVID and contact tracing apps about a month ago. But if you as a constituent think this is important, you should tell your Congressperson, House or Senate. And in fact, if you have a senator or a representative who's on a committee of jurisdiction, you should most definitely tell them. 
If you think back to 2017 and the original attempts in the current administration to undermine the Affordable Care Act, who went to Congress? People with six children and six family members, and they were constituents. So, you know, you call over there and they will ask what your zip code is. And you should be honest about that. I happen to have a representative who chugs along doing what I think is right without my ever having to call her, but I can imagine being in a different state and having to call my representative every week or ask for an appointment at the office with local staff to say, hey, did you know this is happening? And this is how it's impacting our community and me, and you should fix it. No, squeaky wheels totally get the grease in politics. So that's when it becomes important. Perfect segue. So how can the biohacking community get involved and move the needle on issues in privacy? I think there are a few things. I'm going to sort of try to list as many as I can in the materials, Nina, of, you know, bills that people might want to look at and committees of jurisdiction and where you go. But it's pretty simple. If you want to know, you go to finance.senate.gov and you look at the members and you figure out if they're your senator. And then you call your senator's office. You call them and you say, I'm Lucia Savage and I'm a resident of blah, blah, blah state. And I understand that you're looking at such and such an issue. Here's what I think about it. And if you have a bunch of friends, you know, you can do a house party and everyone can get on their cell phone. You can call serially. You can email, but it's probably not as carefully read or paid attention to as a phone call. Can do a house party after COVID. You can do it. Well, well, you could do a virtual house party, right? Like set it up on Zoom. You can have all the contact information on a document that you're sharing. People can just, you know, call on mute. 
They're talking, having a good time. So how can biohackers be more involved in the privacy needs and changes that are taking place? How do we get people to listen aside from talking to our congressional person? So I think stories are really, really important. People listen to stories. So I'm always compelled by, that's why I love the reference to Kim Kardashian or Carrie Fisher, right? It gives us a context for why people have privacy issues. Why are we working on mental health? Why is there so much stigma? How do we remove the stigma? And we analogize that to privacy. So in your family or in your community, what has been a bad impact of poor privacy practices or poor security practices for that matter? How has it impacted people? Whether it's a neighbor who got doxed and somebody, you know, something terrible happened to them, or people that you know, or even yourself. That's how we got anti-doxing legislation: people went to their representative and said, hey, this happened to me and there ought to be a law. So it's really about stories, and politics is very personal. It's, you know, there are white papers, there are studies, there is data. We can explain all that. But it's really the compelling personal stories that tip the scales when somebody's on the edge. It's the story about the constituent that's going to push somebody where you want them to go. And since I don't know about everyone's personal life who might be listening to this, it's really hard for me to know, like, what would be a story that would be compelling. But I know, my mother was bipolar, and in all my work as a privacy advocate, particularly the work I did in the last administration, I would always talk about that. Like, I get it. I get stigma. I get why this is important and I get why we need to understand it better. Can I get my personal moment in here? Absolutely. So I give this story a lot about why I'm in healthcare and why this matters so much to me. 
My father, Fire Department of New York, paramedic captain, he was at 9/11. My mother, stage four, one of the rarest cancers in the world, and I learned about it. I learned about both of their health issues the same week. Oh my God. So my father's issue was that he has bilateral lung nodes from being at the World Trade Center. Right. And it's that very compelling story of I suddenly became a caretaker. My parents were super independent. They were doing their things and now it's I own all of their medical data. I have all of their physician numbers in my phone and if something happens, I immediately make a call for them. And if I'm not available, they understand that the physicians will call me right after to give me that data and the update on their condition. So I'm in complete agreement that the story is so compelling because we all have something that we can talk about that gives us that emotion to say there needs to be a change. It's not a question I'm not asking you and telling you that moment. Two things. If you think back about the 9/11 fund and you remember that Jon Stewart was on that like a dog on a bone week after week, it was embarrassing. He was intentionally embarrassing the politicians with these really compelling stories and it worked. So think about that. The thing I would say just on a personal note, Nina, and I don't know if we have time today, but you know, caretakers, we are, we baby boomers are a pretty big population and our kids are going to be taking care of us and we should all have the ability as a caretaker not just to call your parents' doctor and have them call back, but to have online, on your phone, access to their records if they want you to have it. I had that for my mom through the Kaiser app. She authorized it. It meant I could help care for her and she could call me and say I don't understand this thing. What does it mean? 
And that is what digital health really means: not keeping data sacrosanct in a box under a cement floor, but putting it where it needs to be and where the patient wants it to be to get the care that they need. And if that's with the family member, let the family member know. If that's with a friend from church, let the friend from church know. If that's you as a person, you're a DIY healthcare person and you want to broadcast your health status on that big billboard at Times Square, go right ahead. It's your data. How do the agencies that command and control healthcare, how do they work together or how do they not work together? Sure. That's a great question and something I forgot earlier on. I wanted to be super clear about who really has authority over privacy. So in the federal realm, it is solely the Health and Human Services Office for Civil Rights. They write the privacy regulation. They write the security regulation. They investigate those. They fine people for them and they enforce them. Now, the FDA, which has a lot to say about digital tools, their remit or their jurisdiction is really about, is the thing safe, clinically safe? Like it's not going to cause you, you know, a glucometer isn't going to burn your arm or whatever. And is it doing clinically what you say it's going to do? So remember, it's the Food, Drug, and Cosmetic Act. And the enabling legislation, which dates back to Teddy Roosevelt, is about not having health products in the field that are dangerous, right? And actually the FDA covers veterinary science as well. So just think about that in totality. So I love the cool. I know everybody over there, great crowd, really interested in privacy as a concept, but they don't actually regulate privacy. What they regulate is, did your device that has software in it secure that software sufficiently that the device data is still accurate and has integrity? That's pretty much what they regulate. So that's the FDA. 
And then HHS OCR writes the privacy rule and that applies to health insurance companies, employer-sponsored health coverage if you have a big employer, like you're at an Apple or Google, physicians or any other provider who bills the government electronically. And then some additional sort of intermediate companies called clearinghouses. There's always a lot of talk around the medical devices and the security that surrounds those. But one of the parts that is normally lacking in conversation is the electronic medical records. And you talked before about the ONC owning them. So what's, how does that link in with the... So the ONC has three specific powers. The first one is they write a regulation about what the software in a certified EHR has to do. And there are EHRs that are not certified, by the way. So if you have a certified EHR, it has to have these minimum functional requirements and they've been getting more and more rigorous as time has gone by. The second thing they have is to educate the provider workforce primarily, especially the small doctor's offices. Remember, while there are some really big systems, most healthcare is provided in very small business practices that have two or three physicians in them. So educate the physicians and the nurses and the people out in the field about how to safely, privately and securely use certified EHRs to deliver care. And the third is to run sort of the policy making for the agency about both what that software package should be, which is a very unusual power, a federal agency that writes a prescriptive rule for software, but also in general about health information technology policy writ large. So for example, ONC has a specific duty of coordinating, as the Office of the National Coordinator, across agencies. And I might bring people to the table, that would be the FDA and the FTC and Office of Civil Rights, to stand up a tool that in fact exists. 
So on the FTC website is the Mobile Health App Developer Tool. And if you were to go to that tool, you would see in kind of a Q&A fashion, it moves you through a flowchart to help you make sure, if you're a developer, you know which rules you have to deal with for the thing you're envisioning. So that's an example of coordinating across the agencies. Enforcement is not really a coordinating event in federal law generally. I'm making a very broad statement, but OCR has its remit and a privacy breach is investigated by OCR and they investigate every single one that's reported to them. A safety violation by a device would be investigated by the FDA, if that makes sense. And then of course, all of these agencies are within Health and Human Services, which is an agency run by Secretary Azar. And so how the agencies work together is really a factor of whether the secretary is making them work together and how much. Different secretaries have different approaches to that. The FDA is a very big agency. It's called an operating division that's kind of freestanding and runs on its own, but the FDA administrator would be part of Azar's sort of kitchen cabinet or his cabinet. Similarly, CMS, operating division, kitchen cabinet; NIH, operating division, but in the cabinet. And then ONC, Office for Civil Rights, actually report directly up through the secretary, also in the cabinet, but literally under more of the secretarial vertical, if you can imagine that. So how do they work together? Let me just summarize it. I think the staff work really well together when they're asked to, but people also have very specific portfolios and work that needs to get done. And so they really focus on that. So I want to be clear with people that you and I have met once and it was in a coffee shop and I watched you walk in and the conversation we had was extremely powerful. And I instantly knew that you had so much information that you needed to share it. 
And I feel like the community that we work in, we focus a lot on the medical devices because it's something very tangible that we can get our hands on. And this, even with all the knowledge that I have on how things function, this has engaged me and enlightened me. And now it's, okay, I can't focus so much here because they don't control this one thing that I'm working on. It's, I need to move over here. And maybe if I'm working over here, I can gauge this and make things happen. So that said, what other resources can we find for everything that you're talking about? So I'll put all these links in a document that you can hand out, but I will tick off a few of them that are going to be in that document. The first one is when I was at ONC, we published actually a long white paper for Congress. So let's just say it's like publication book-level clearance and editorial accuracy for 2016 about the way health privacy is regulated in healthcare and outside of healthcare. And while the names of the companies may have evolved over time, Twitter is still Twitter, you know, Facebook still operates the same way. None of the rules or laws that characterize that description have changed. So that is a public document. If you wanted to look for it right now, you'd Google ONC non-covered entity report, and it would pop right up, free, paid for by the American taxpayer. No matter who else produces anything, the law firms, the consulting houses, the hacker community, this one is going to be the definitive source because it has to go through so many layers, including approval by the White House, before it gets released to Congress. So that will be in there. 
I will provide some links to educational materials that ONC and Office for Civil Rights publish about more details about how HIPAA works, not only what people's individual rights are, like you as the caregiver, what are your rights for you and your parents to collectively get the information you need to help them with their care, but also for people to understand what are the ordinary disclosures that happen within the healthcare system to make it run between physicians, between physicians and health plans, etc. So there'll be some of that material in there. And then I'll probably link to some other think tanks in DC that are working on the federal privacy law space, and people can look at those organizations' websites and decide what's of interest to them, but it would be Brookings Institute, Future of Privacy Forum, Electronic Frontier Foundation, EPIC, potentially American Enterprise, New America Foundation; they've all kind of worked in this space. So we'll put some links together that are those people's websites, and you can just go to them and check it out. Yeah. Thank you so much. This is the stuff we don't talk about, and that is why this is so important. So thank you for coming. I completely and utterly appreciate your brain space. I'm really happy to be here. I think that the more people who can bring the stories to the floor, the more likely we are to have traction. There's a lot of times when it's the same 300 people having this conversation, and bringing the new voices, especially of the next generation, when they've been specifically impacted by this, or they understand the technology better than some of our older congresspeople. Awesome. Fully awesome. Thank you. You're welcome. Thanks for having me.