By David Hoover, Senior Privacy and Security Manager, Validic™

Today’s consumers are not only taking steps to be more engaged in their health and wellness – with nearly 90% of people using at least one digital health tool to manage or track their health – but are also more interested in understanding how their health data is being used. Though the data generated from these tools could be useful on a number of levels that are only beginning to be explored by the industry, it is important that the data be protected – and that this privacy is outlined in terms consumers can understand. 

As such, the Consumer Technology Association Guiding Principles for the Privacy of Personal Health and Wellness Information were developed to address the new trends and challenges facing the healthcare industry today. Creating a general set of guidelines could add substantial value for companies looking to explore that data and for individuals needing to control how that data is collected and used. The Principles provide guidelines for data privacy and security, with an aim to promote transparency in the collection and use of personal health information that ultimately enhances consumer trust.

The Principles were specifically developed without reference to regulatory terms like HIPAA, GDPR, or other standards with which people may be familiar. The objective of the Principles is not to be an additional regulation, but rather a voluntary guideline for organizations to better build consumer trust through enhanced data privacy. The Principles are seen as a complement to these requirements, not a replacement. For a healthcare consumer, attempting to read complicated government regulations and understand them can be a daunting task; these Principles were developed to be useful and easily understood by both healthcare organizations and the individuals who share their health data.

Firstly, it was important to ensure the Principles could be understood by its intended audience, including both industry organizations and consumers themselves. This meant agreeing upon the terminology used. Within the guide, several definitions will be found explaining exactly what a term means as it relates specifically to  Principles, such as “personal health information.” 

In developing the guidelines, three core focuses were developed.

The first was privacy – encouraging organizational behavior around transparency, proper use, and accountability. If organizations are collecting and utilizing these data, these principles can only add value by providing these organizations with some reasonable expectations. These expectations outline how organizations can promote transparency with consumers and use personal health information responsibly. 

The second was security. Separate from privacy, security focuses on how organizations should protect the data itself using techniques such as encryption and testing. The Principles provide no specific technological suggestions in order to allow companies the flexibility to build security strategies that best fit their organization. Instead, they offer guidelines for best practices to build and maintain a secure environment for personal health information at rest and in transit.

The third area focuses on the people. In the privacy principles, you will see suggestions for training people, empowering them, working with them, and putting yourself in consumers’ shoes. This is important, as first and foremost, we are talking about people’s personal information, and the other people who will be handling it. The “people factor” is something often overlooked, especially when looking at data; it’s easy to see personal information as just numbers, dates, and times, or see the person providing the data as an anonymous grouping of numbers and letters. The Principles drive home the value of people themselves by making consumers aware they have the right to ask questions, hold organizations accountable, and take ownership of their data. 

The Principles were developed in order to inform organizations and individuals about the importance of privacy surrounding health and wellness information in general, easy-to-understand terms. It touches several important areas, but stops short of making specific recommendations or stating requirements in order to allow organizations the flexibility to support data privacy in a way that makes sense for them. 

There are numerous ways to achieve privacy, with more appearing every day as technology continues to evolve at a tremendous rate. However, more information is appearing at that rate as well. It is important that both organizations and people take responsibility for that information. These Principles aim to explore what that responsibility means and help organizations understand how to develop privacy protections that work best for them in the myriad of situations that exist.

View More >