Washington's My Health My Data Act treats consumer health information as a blanket category, encompassing a wide array of both health-specific data and health-related data, running the gamut from genetic, biometric and pharmaceutical data to social determinants of health, geolocation, inference and web search data. This places industry in a challenging place, having to prioritize which aspects of this definition will require the most attention and where the lines need to be drawn regarding consumer health information.
Industry should not stand by idly, permitting the host of legislative and regulatory activity to set off alarm bells, or jump to hasty conclusions that could prompt companies to bar data processing in certain states, create distinct consumer experiences within individual states or halt marketing, research, development and product deployment in the consumer health space.
Instead, companies can prioritize their review of consumer health data and optimize their compliance process by incorporating a risk-based approach.
A risk-based approach to processing consumer health data
In the case of so many differing definitions and proposed expanded applicability and enforcement of the FTC's Health Breach Notification Rule, one uniform risk-based framework would help with interpretation. Some models may provide useful benchmarks and more reasonable indices of risk in the artificial intelligence space. For example, the National Institute of Standards and Technology is building the AI Risk Management Framework to support more trustworthy practices in AI development, design and deployment. It could be an interesting model for the consumer health space to use to further parse the sensitivities across different types of consumer health data. Other countries have created a blanket opt-in approach to regulating data, including the most common framework in the EU General Data Protection Regulation, but, as we know, research demonstrates some clear shortcomings. In the U.S., when we look to the Health Insurance Portability and Accountability Act, data is uniformly treated as part of the same confidential category of "protected" health information, with all communications strictly reserved for the provider-patient relationship and any respective business associates.
Categorizing consumer health data through risk-based sensitivity
For a risk-based approach, we could think about the data in tiers descending from the most sensitive data that requires the most immediate level of action and care.
The first tier of data, the "most sensitive" data elements, includes data that is clearly linkable to health care in its most traditional status. This tier would include data that identifies a consumer’s past, present or future physical or mental health status, such as reproductive care, drug or pharmaceutical care, or biometric and genetic data that identifies a specific individual. This would also include linkable consumer data shared with third parties for advertising purposes without obtaining consent.
The second tier of midlevel sensitivity data includes data that could "reasonably indicate" an individual's physical or mental health status; data allowing for freemium, loyalty or other differential pricing programs; inferred data; and biometric data that is collected but does not identify a specific individual.
The third tier of sensitivity focuses on commonplace activities, such as general web searches about health status or diagnosis run by a consumer, data relating to search or purchase of health and wellness apparel or related products, data for first-party marketing and analytics, and data combined with other data already in the public record.
The fourth tier includes "prohibited" use cases of sensitive consumer health data, based on the implications from the recent FTC enforcement actions. Prohibited use cases would, at minimum, include sensitive precise location data that is collected, used or transferred for advertising purposes, and/or retained longer than is necessary or appropriate; and data generated by a geofence to collect health data, track, advertise to or message a consumer.
These prohibited use cases would appropriately convey the guidelines developed by industry thought leaders coalescing around digital advertising principles for self-regulation and their perspective on the intersection between consumer health and advertising.
Enforcement agencies have limited capacity to enforce the wide range of laws and regulations now manifesting in the patchwork of state consumer privacy laws. Industry accountability programs that review, reinforce and verify these best practices can provide an early review and a potential backstop for enforcement.