Patient privacy Manatt

Patient privacy: should industry self-regulate its practices?

Robert Wood Johnson Foundation-sponsored study assesses the situation


‘Patient privacy’ has been—and will be—a critical issue for how data generated from patient diagnosis and care affects everything from drug development to industry revenues. A run-of-the-mill question to ask is whether any particular healthcare provider or service organization is HIPAA compliant, but in this digital age, that is becoming increasingly beside the point. For one thing, recent federal legislation (the 21st Century Cures Act) and CMS policy has made sharing patient data a priority; in fact, business entities could be penalized for not sharing data. Additionally, the rise of wearable medical monitoring systems (and all the attendant technology being used for patient-generated data) has not, generally speaking, been developed under HIPAA restrictions because the relationship has been between the patient and the digital-services provider, and not between the patient and a healthcare provider.

Individuals’ healthcare data, in recent years, has achieved “liquidity”—it has marketable value, and more and more businesses are either generating it or buying it. From the patient perspective, indications that one’s personal data is being freely marketed could create (if it hasn’t already) a strong revulsion in sharing it—with one result of that being a lower quality of data from a population health perspective.

These issues, as well as the current context of patient privacy and what to do about it, are aired out in a report sponsored by the Robert Wood Johnson Foundation, “A Shared Responsibility: Protecting Consumer Health Data Privacy in an Increasingly Connected World.” Expert roundtables, and industry expertise, were provided by Manatt, Phelps & Phillips, LLP, a New York legal and professional services firm. Besides reviewing current privacy practices (such as the European Union’s General Data Protection Regulation, GDPR), the report examines options for industry: wait for a legislative or regulatory action; self-regulate; do nothing (and some variations in between).

The idea of self-regulation has obvious value to industry, and there are precedents in fields such as financial services or advertising, among others. The Johnson Foundation, together with Manatt and other organizations, are convening a steering committee to develop next steps toward a national framework.

“A Shared Responsibility” is available for download here.