When the US Supreme Court overturned the landmark 1973 Roe v. Wade decision last month with their decision on Dobbs v. Jackson Women’s Health Organization, it immediately raised the stakes on medical data privacy for individuals and their employers. It also increased the importance of protecting medical data privacy for a wide range of healthcare-related businesses, including: insurers, healthcare providers, and the makers of fitness trackers and wellness apps – and especially fertility tracking apps.
In this article, I’ll look at how governments and businesses are responding to these developments, and I’ll share the steps that CPOs can take to help protect the privacy of their customers’ and employees’ sensitive medical data.
The Dobbs decision, OCR, and HIPAA
The overturn of Roe v. Wade has left Americans seeking access to abortions in states with restrictive laws in a difficult situation: they need to travel to another state to obtain healthcare, and in some cases, they need to keep travel plans strictly private to avoid the threat of prosecution.
In response, the White House issued a memo aimed at increasing the privacy of medical data, and the HHS Office for Civil Rights (OCR) issued new guidance that clarifies the protections available for private medical data under the Health Insurance Portability and Accountability Act (HIPAA). OCR also provided guidance to individuals on how to protect their location and healthcare data on their phones and other devices. Members of Congress are investigating the privacy practices of fertility apps and regulators like the FTC plan to take a deeper look into the data collection practices of healthtech apps. And the private sector is doing its part as well: Google recently published a blog post describing how it’s helping users to keep their location history private by removing location logs when users visit healthcare clinics and similar facilities.
This moment serves as a reminder to any CPO whose organization handles protected healthcare information (PHI) that ensuring medical data privacy is a mission-critical obligation. So, what can you do to help your organization to protect PHI – and those seeking medical attention – from unneeded scrutiny?
Data privacy is critical and complex
Beyond medical data privacy, the issue of protecting data privacy in general is becoming increasingly salient. CPOs are noticing a variety of trends that make getting data privacy right more critical than ever, including:
- Enhanced global enforcement from regulators under the EU’s GDPR and other national privacy laws like Brazil’s LGPD
- The passage of data privacy laws across several US states, including California, Colorado, Utah, and Virginia
- Consideration of a federal privacy bill in the US Congress
Data privacy is complex, and so is protecting it. For privacy, security, and compliance leaders – and even startup founders and CEOs – it’s challenging to figure out which approaches to protecting sensitive data are most effective, and how to combine these approaches. You need a holistic approach to protect data privacy, ensuring that the people, technologies, controls, and workflows in your organization (and partner organizations) are aligned to keep private data truly private.
Best practices: How CPOs can protect data privacy
As a CPO who has worked in the privacy space at a variety of technology companies for over a decade, I’ve learned a few things about which approaches are most effective when it comes to data privacy.
Here’s my list of actionable steps for how to help your organization to build a privacy program that protects sensitive data:
- Get buy-in to prioritize privacy: Privacy and compliance professionals and other leaders whose organizations collect a lot of sensitive data should make sure that they have buy-in from their leadership team to make protecting medical data privacy a priority. This means discussing and sharing company ethics and values around privacy, and committing to going beyond compliance to deliver true data privacy with a privacy by architecture approach, instead of treating privacy as an afterthought.
- Designate responsibility: Do you have a CPO or other leader who owns privacy at your organization? If you don’t have a Chief Privacy Officer, can you designate, empower and train someone with the interest and capacity to serve that function? Consider hiring an outside consultant with experience in helping organizations to set up and improve privacy programs and asking them to provide a report to senior leadership with concrete recommendations.
- Understand the legal and regulatory landscape: Depending on what you build and where you operate, different data protection laws apply. For example, if your company sells a health app to help women track their periods and reproductive health, you should ask: What rules and regulations do you need to follow? What jurisdictions are you operating in? Are you tracking location data (and if so, do you really need to)?
- Consider adopting a privacy framework: Akin to security frameworks, the privacy industry has developed some industry standard privacy frameworks. To get started, I recommend reviewing the privacy framework from the NIST. Other cybersecurity standards bodies have released similar frameworks.
- Perform a data mapping and inventory: Identify what PII you collect, categorize the individual datasets, understand where this data is stored, who it’s shared with, and why. Finally, classify this data as PII, PHI, or other sensitive data types. And don’t forget to include data handled by your vendors (a big source of sensitive data sprawl).
- Implement data minimization: After completing your data inventory, revisit why you’re collecting this data, where it’s being stored (by database and country), who has access to it, and how long the data will be retained. If you’re collecting data you don’t need, or retaining it indefinitely, then implement data minimization controls to fix these issues. You can implement data minimization using privacy-enhancing techniques like tokenization, polymorphic encryption, and de-identification.
- Update contracts, policies, and notices: Consumers, employees, vendors, and regulators like the FTC are entitled to accurate representations of how you handle sensitive data. So, you need to carefully develop, review, and update any public-facing communications and documents to ensure accuracy and transparency. You should also ensure that internal documentation, policies, and contracts accurately describe the handling of sensitive data – and decide in advance how to handle various types of data requests from law enforcement. Avoid public statements that don’t accurately reflect what your organization is currently doing – so, don’t say “our app encrypts PHI end-to-end” if that’s coming soon, but not yet implemented.
- Strengthen administrative, technical and organizational safeguards: Periodically ask yourself and your organization questions about the safeguards and controls you have in place to protect sensitive customer data. Questions like: Where does PII and PHI reside, and could it be more centralized to prevent data sprawl? Who has access to this data, how much, and for which purposes? Then, take action to implement safeguards to address any issues that you uncover.
- Document, train, and repeat: Document your privacy program, develop and deliver training to help your organization to implement the program, and keep both your documents and your training materials up-to-date to keep your organization privacy-focused.
- Automate how you manage sensitive data: Guidelines and policies are important, but the best way to protect sensitive data from misuse is to buy or build technologies that let you tightly control access to sensitive data and monitor how that data is used. A data privacy vault is a technology that lets you isolate, secure, and tightly control access to manage, monitor, and use sensitive data. It includes a wide range of technical safeguards and data minimization features, like automatically deleting certain types of data that you only need for a short time. Most companies don’t have the budget, time, or expertise to build data privacy vaults like those created internally at Netflix, Apple, and Google, so you might consider buying one. To learn more, see What is a Data Privacy Vault?
Final thoughts
The Supreme Court’s overturn of Roe v. Wade increases the urgency of following data privacy best practices. Now more than ever, your customers and employees are counting on you to protect their medical data privacy.