Nearly every aspect of modern life has a virtual or electronic component. Today, most of us choose every day to share information online at the click of a button. And for many consumers, sharing health care information is no exception. This alone underscores how significantly things have changed over the past decade.

We live in an interconnected world of technology and privacy, and concern over a lack of respect for boundaries is not unexpected. The European Union (EU) enacted the General Data Protection Regulations (GDPR) in 2016, which became effective in May 2018, miles ahead of the US in this space. The US has yet to enact any overarching data protection regulations, perhaps because of backlash from large companies objecting to complicated mandates or from concern that such regulation would suppress innovation during a time when we are making tremendous strides in research and having a positive impact on the delivery of health care as a whole. The GDPR set forth that personal data protection is a “fundamental right”.

Either way, this shift is impacting healthcare in more ways than one. Our traditional notions of how we deliver and receive care, research and predict outcomes are becoming more and more aligned with technologies such as artificial intelligence and cloud computing. What’s driving this shift is the realization that by embracing advances in technology, we can improve the quality of care we deliver in areas such as telemedicine and the use of machine learning, predictive analytics, and prescriptive analytics in research to cure and prevent diseases such as cancer. Of course, the Health Insurance Portability and Accountability Act (HIPAA) protections apply in this context. But what about the consumer market where companies not covered by HIPAA are developing products that collect personal information?

Today, companies are developing products for the consumer market that would have been unimaginable just a few years ago. Microsoft filed over 70 patents related to healthcare in the last 5 years. During this time, there has been an explosion of consumer products, apps and devices that collect health information (such as fitness and health monitoring devices) and to which HIPAA protections do not apply. Apple recently launched the Apple Records feature, allowing users to store their medical records on their smartphones. And then there’s Amazon, which has impacted the supply chain by offering lower cost medical supplies to hospitals and clinics, and also entered into an agreement to acquire the on-line pharmacy “pill-pack” in June.

These apps, services and connected devices collect, transmit, store, and potentially share vast amounts of consumer data, some of it highly personal, raising new concerns about the nature of privacy and the means by which individual privacy might be compromised or protected. We’ve entered into a whole new world where the regulated Protected Health Information (PHI) world intersects with the non-regulated PHI world. Data from these devices should not be usable by insurers to set health, life, car, or other premiums, or to impact employment decisions, credit decisions, housing decisions, or other areas of public life. California recently passed a strict data protection regulation, and it is anticipated that other states will follow suit and tighten up their rules on data protection as well.

We are in the midst of the fourth Industrial Revolution, a profound shift which is fundamentally altering the way we live, interact, and perform our jobs every day, at a pace far more furious than revolutions of the past, and there doesn’t appear to be any Federal mandate similar to GDPR in the US on the horizon. Unlike the EU with its GDPR, the US has fallen short of committing to a similar Federal mandate since the Obama administration.

For more information on health care privacy issues, contact Linda Mancini at 781-272-8001.