Existential challenges for healthcare data protection in the United States;Des défis existentiels pour la protection des données de santé aux États-Unis

Ethics, Medicine and Public Health

Volumn 3, Issue 1, 2017, Pages 19-27

  Terry, N ^a  

^a Indiana University School of Law Indianapolis   (United States)

Author keywords

Big data; GDPR; Healthcare data; HIPAA; Privacy laws; Protection

Indexed keywords

EID: 85018844783     PISSN: None     EISSN: 23525525     Source Type: Journal    
DOI: 10.1016/j.jemep.2017.02.007     Document Type: Short Survey

References (55)

1. [1] Ware, W.H., et al. Records, computers and the rights of citizens. Final report. 1973, Secretary of Health, Education, and Welfare's Advisory Committee on Automated Personal Data Systems, Washington, D.C.
2. [2] Landesberg, M., Levin, T., Curtin, C., Lev, O., Privacy online: a report to congress. 1998, US Federal Trade Commission, Washington, D.C.
3. [3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). [Available at: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC].
4. [4] Directive 95/46/EC.
5. [5] F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236. (3d Cir. 2015).
6. [6] The White House, Consumer data privacy in a networked world: a framework for protecting privacy and promoting innovation in the global digital economy. 2012 [Available at https://www.whitehouse.gov/sites/default/files/privacy-final.pdf].
7. [7] Id, pg 59.
8. [8] US Federal Communications Commission, FCC adopts privacy rules to give broadband consumers increased choice, transparency and security for their personal data. 2016 [Available at http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db1027/DOC-341937A1.pdf].
9. [9] Gramm-Leach-Bliley Act, Pub. L. No. 106-102, § 501, 113 Stat. 1338, 1436 (1999).
10. [10] 15 U.S.C. § 1681 et seq.
11. [11] Pub. L. No. 100-618, 102 Stat. 3195.
12. [12] HIPAA Administrative Simplification, 45 CFR Parts 160, 162, and 164 (unofficial version, as amended through March 26, 2013). [Available at: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf].
13. [13] H.R. 1, 111th Cong. (2009).
14. [14] 45 C.F.R. § 164.103.
15. [15] 45 C.F.R. § 160.103.
16. [16] See, e.g., 45 C.F.R. § 164.502. (Uses and disclosures of protected health information).
17. [17] 45 CFR §§ 164.400-414.
18. [18] US Department of Health and Human Services, Office for Civil Rights. Breach portal: notice to the secretary of HHS breach of unsecured protected health information. [Available at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf].
19. [19] US Department of Health and Human Services. Summary of the HIPAA security rule. [Available at: http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html].
20. [20] 45 CFR § 164.506.
21. [21] US Department of Health and Human Services. Resolution agreements and civil money penalties. [Available at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html].
22. [22] Institute of Medicine (US), To err is human: building a safer health system. 1999 [See also Institute of Medicine (US). Crossing the quality chasm: a new health system for the 21st century; 2001].
23. [23] Terry, N., Pit crews with computers: can health information technology fix fragmented care?. Houston J Health Law Policy 129 (2014), 129–189.
24. [24] Office of the National Coordinator for Health Information and Technology, Percent of hospitals, by type, that possess certified health IT. 2016 [Available at: dashboard.healthit.gov/quickstats/pages/certified-electronic-health-record-technology-in-hospitals.php].
25. [25] US Department of Health and Human Services, New rule protects patient privacy, secures health information. 2013 [Available at: http://www.hhs.gov/about/news/2013/01/17/new-rule-protects-patient-privacy-secures-health-information.html].
26. [26] US Department of Health and Human Services. Enforcement results by year. [Available at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-results-by-year/index.html].
27. [27] Ornstein, C., Waldman, A., Few consequences for health privacy law's repeat offenders. Propublica, 2015 [Available at: https://www.propublica.org/article/few-consequences-for-health-privacy-law-repeat-offenders].
28. [28] US Department of Health and Human Services. Resolution agreements and civil money penalties. [Available at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements].
29. [29] Id.
30. [30] US Department of Health and Human Services. Guidance on HIPAA & cloud computing. [Available at: http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html].
31. [31] US Department of Health and Human Services. Resolution agreements and civil money penalties. [Available at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/].
32. [32] Rodionova, Z., Healthcare is now top industry for cyberattacks, says IBM over 100 million healthcare records were reportedly compromised in 2015. 2016, The Independent [Available at: http://www.independent.co.uk/news/business/news/healthcare-is-now-top-industry-for-cyberattacks-says-ibm-a6994526.html].
33. [33] See Davis J. Massive Locky ransomware attacks hit US hospitals. Healthcare IT News. 2016 Aug. 19. [Available at: http://www.healthcareitnews.com/news/massive-locky-ransomware-attacks-hit-us-hospitals].
34. [34] HHS OCR, Fact sheet: Ransomware and HIPAA. 2016, US Department of Health and Human Services, Office for Civil Rights [Available at: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf].
35. [35] US Federal Trade Commission, Data brokers: a call for transparency and accountability. 2014 [Available at: https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf].
36. [36] Terry, N., Protecting patient privacy in the age of big data. Univ Missouri Kansas City Law Rev 81 (2013), 385–415.
37. [37] Article 29 Data Protection Working Party, Opinion 03/2013 on purpose limitation, 2 April 2013 at 45.
38. [38] Id., at 46.
39. [39] US Federal Trade Commission, Data brokers: a call for transparency and accountability. 2014.
40. [40] See generally: Nicolas Terry. Navigating the incoherence of big data reform proposals. J Law Med Ethics 2015;43:1.
41. [41] Things are looking app. 2016, The Economist [Available at: http://www.economist.com/news/business/21694523-mobile-health-apps-are-becoming-more-capable-and-potentially-rather-useful-things-are-looking].
42. [42] Hayward, J., Chansin, G., Zervos, H., Wearable technology 2015-2025: technologies, markets, forecasts. IDTechEx. 2016 [Available at: http://www.idtechex.com/research/reports/wearable-technology-2015-2025-technologies-markets-forecasts-000427.asp].
43. [43] Terry, N., Mobile health: assessing the barriers. Chest 147:5 (2015), 1429–1434.
44. [44] See generally: Terry N. Opening remarks for House Energy and Commerce Subcommittee Hearing on Health Care Apps 2016 Jul. 13. [Available at: http://docs.house.gov/meetings/IF/IF17/20160713/105197/HHRG-114-IF17-Wstate-TerryN-20160713.pdf].
45. [45] Article 29 Data Protection Working Party. Opinion 8/2014 on the on recent developments on the internet of things. 2014 [Available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf].
46. [46] Internet of things. US Federal Trade Commission staff report 2015 Jan. [Available at: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf].
47. [47] See generally: Terry N. Will the internet of things disrupt healthcare? Vand. J. Ent. & Tech. L. (forthcoming 2017).
48. [48] Limer, E., How hackers wrecked the internet using DVRs and webcams. Popular Mech, 2016 [Available at: http://www.popularmechanics.com/technology/infrastructure/a23504/mirai-botnet-internet-of-things-ddos-attack/].
49. [49] US Federal Communications Commission Staff Report, Internet of things. 2015 [Available at: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf].
50. [50] Terry, N., Navigating the incoherence of big data reform proposals. J Law Med Ethics, 43, 2015, 1.
51. [51] US Federal Communications Commission, Protecting privacy for broadband consumers. 2016 [Available at: https://www.fcc.gov/news-events/blog/2016/10/06/protecting-privacy-broadband-consumers].
52. [52] US Federal Trade Commission, Two data brokers settle FTC charges that they sold consumer data without complying with protections required under the fair credit reporting. 2014.
53. [53] FTCA § 5(a). See e.g., In Re LabMD Inc., https://www.ftc.gov/enforcement/cases-proceedings/102-3099/labmd-inc-matter; F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236. (3d Cir. 2015).
54. [54] See e.g., Cal. Civil Code §§ 56–56.07.
55. [55] See GDPR Preamble §§ 51–54.