Taking Actions to Enhance Sensitive Health Data PrivacyGoogle Plans to Delete Certain Location Data; What Can Other Entities Do?
Google's recent move to soon being deleting location history pertaining to individuals' visits to facilities offering sensitive healthcare services is a step in the right direction, but experts warn a yawning digital privacy gap still remains.
The internet giant committed earlier this month to modifying its systems to automatically identify and delete location history data for visits individuals make to places that are "particularly personal."
That includes medical facilities such as abortion clinics, fertility centers, counseling centers, domestic violence shelters, addiction treatment facilities, weight loss clinics, cosmetic surgery clinics "and others," Google says.
Google's changes come as scrutiny of technology firms, data brokers and others that handle location and sensitive health data intensifies in the wake of the Supreme Court's recent ruling overturning Roe v. Wade and as some states begin to ban and criminalize abortion.
Extreme cases include Texas, where civilians are being incentivized with $10,000 rewards to successfully sue individuals that assist patients seeking abortions. A few other states, including Missouri, have floated legislation seeking to potentially stop women from traveling to other states where abortion procedures are not banned.
But as law enforcement agencies in some states also prepare to demand that entities turn over sensitive information in suspected abortion cases, location data changes made by Google and potentially by other technology firms might help protect data privacy to some extent - but not fully.
"Google is but one player in the lightly regulated marketplace where data brokers and the government can buy information about where we go for our healthcare, our internet searches about medical conditions, or personal treatment records downloaded from patient portals to our smartphone," says privacy attorney David Holtzman of consulting firm HITprivacy.
"Congress needs to pass strong, comprehensive privacy legislation to establish a right to privacy as well as setting up an enforcement mechanism with real teeth," says Holtzman, a former senior adviser in the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA.
"Industry self-regulation has shown to be ineffective and has brought us to point where we are today."
Other experts also say that healthcare providers can tap into ways to potentially help better protect the privacy of sensitive patient information.
"Healthcare providers that provide particularly sensitive care should closely look at their website disclosures and what information about visitors is potentially going to third parties," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine, who is also a former senior adviser at HHS OCR.
Once that information is in the hands of a third party, it could be turned over pursuant to a court order, he says.
"Healthcare providers may wish to take advantage of the privacy exception to the HHS Information Blocking Rule by asking patients whether they want to request that the healthcare provider not provide access, exchange or use of their particularly sensitive health information and document agreement with such requests," Greene says.
HHS' Information Blocking Rule, which went into effect last year, generally prohibits healthcare providers, health IT developers and health information exchanges from knowingly interfering with the access, exchange or use of electronic health information (see: HHS on Information Blocking Rule Enforcement: Stay Tuned).
The aim of the rule - which was called for under the 21st Century Cures Act of 2016 - is to help facilitate the flow of electronic health records among healthcare providers - as well as bolster individuals' access to their own information - in order to improve patient care coordination and outcomes.
But the Information Blocking Rule has eight exceptions that spell out practices that are not considered information blocking. Those include two exceptions - one for privacy and another for security concerns - which under certain conditions allow entities to deny requests for access, exchange and use of patient information.
Still, healthcare entities have other regulatory obligations that limit their ability to take certain actions that might otherwise better guard patient data privacy, other experts say.
For instance, unlike Google's decision to delete certain location data from its systems, healthcare providers for the most part cannot take such measures with patient information.
For healthcare facilities, obtaining and keeping certain information, such as patients' addresses and other identifying information, is required for medical record-keeping, says regulatory attorney Rachel Rose.
"All healthcare includes sensitive types of services because of how protected health information is classified. The HIPAA Privacy Rule established policies to protect all individually identifiable health information that is held or transmitted," she says.
Nonetheless, healthcare entities can take some actions limiting what is disclosed to third parties, such as law enforcement officials and data brokers.
For instance, new HIPAA guidance issued last week sought to clarify that covered entities, for the most part, are permitted - but not required - to release patients' information to law enforcement agencies unless accompanied by specific court orders and other mandates (see: HHS Tackles Data Privacy Concerns Linked to Abortion Ruling).
In the meantime, some experts optimistically expect that other private sector companies will make their own moves to enhance protections around sensitive data in the wake of the Supreme Court's ruling.
"My impression is that a significant number of tech companies are closely scrutinizing the information that they collect and how it could be used or disclosed in the wake of the Dobbs decision," Greene says.
Google did not immediately respond to Information Security Media Group's request for additional information and comment.