This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

"Is Privacy Obsolete" Study Group Page"

From HL7Wiki
Jump to navigation Jump to search

Back to Security Main Page


Links

Study Group Mission and Scope

  • Study Group PSS - TBD

Deliverables

Reference Material

ONC Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA This Report: 1) analyzes the scope of privacy and security protections of an individual’s health information for these new and emerging technology products that are not regulated by HIPAA; 2) identifies key gaps that exist between HIPAA regulated entities and those not regulated by HIPAA; and 3) recommends addressing those gaps in a way that protects consumers while leveling the playing field for innovators inside and outside of HIPAA...This Report focuses on “mHealth technologies” and “health social media.” The former includes entities that collect or deal in personal health records (PHRs)5 and cloud-based or mobile software tools that intend to collect health information6 directly from individuals and enable sharing of such information, such as wearable fitness trackers. The latter includes internet-based social media sites on which individuals create or take advantage of specific opportunities to share their health conditions and experiences. Taken together, these mHealth technologies and health social media that are outside the scope of HIPAA are referred to as “non-covered entities” or NCEs. This Report does not cover products, services, and data sources where health information is derived from other data (such as GPS reporting, where one can infer an individual’s physical activity, 7 or air quality reporting data from which respiratory health might be inferred), or information casually disclosed by individuals, such as a personal Facebook post that one has the flu. Products that may meet the definition of a device under section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act), such as apps that can control the inflation and deflation of a blood pressure cuff or the delivery of insulin on an insulin pump, also are not discussed here, though these tools also may not be regulated by HIPAA.

FHIR Consumer Centered Data Exchange (CCDE) Connectathon

Library

From Mike Davis, VHA Security Architect

India Privacy Law Changes

Thanks to Adrian Gropper for bringing this up

ISO Proposed Consumer Protection Standard for Privacy by Design of Consumer Goods and Services

From Chris Shawn, Security Cochair, VA

Another article that may be relevant to the “Is privacy dead?” question:

“In practice, this means that we can no longer expect a meaningful difference between observability and identifiability — if we can be observed, we can be identified.”

https://www.nytimes.com/2017/10/05/opinion/privacy-rights-security-breaches.html?mwrsm=Email

From Diana Proud-Madruga (Electrosoft

Devon Connor Green HL7 Norway, Privacy Attorney

One of the most popular myths about the new European General Data Protection Regulations is that companies must have consent to process people’s personal data. According to the ICO: “Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent.  The requirement for clear and and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.” But how can data only be processed if an organisation has explicit consent to do so? The answer to this is that the rules around consent only apply if you are relying on consent to process personal data, i.e. consent is only one way to comply with GDPR, there are others. For data processing to be lawful in the new General Data Protection Regulations, companies and organisations need to identify a lawful basis before starting. There are five other ways in the main (as well as consent):

  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Processing is necessary for compliance with a legal obligation
  • Processing is  necessary to protect the vital interests of a data subject or another person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject

This means that consent is not the only basis on which an organization can process personal data under the new European General Data Protection Regulations.

ISTPA

International Security, Trust and Privacy Alliance

Sharing with Protections - a New Paradigm

  • Moving beyond Protection from Sharing in the age of Big Data, Learning Health System, and Health IOT

Balancing Clinician Need to Know (N2K) and Patient Privacy Expectations

Theresa Årdal Connor Privacy Attorney Norway

Pertinent EU Links

Counter Points

Study Group Members

x Member Name x Member Name x Member Name x Member Name
x Mike Davis - Study Group Lead x Christopher ShawnSecurity Co-chair x Kathleen ConnorSecurity Co-chair . Trish WilliamsSecurity Co-chair
x John MoehrkeSecurity Co-chair x Suzanne Gonzales-Webb x David Staggs x Diana Proud-Madruga
. Mohammed Jafari . Beth Pumo . [1] x [2]
x [3] . [4] x [5] . [6]