There’s a new normal for health data

Seth Proctor
Published in Tranquil Data
Feb 8, 2023

Last week, the Federal Trade Commission set a clear and ground-breaking precedent for the use of health data. It came in the form of its first action under the Health Breach Notification Rule. Regular readers here won’t be surprised by this, since at Tranquil Data we’ve been out ahead of these trends for several years. That said, you should be no less shocked by the enormity of the action, and you should drop everything to understand what it means.

My colleague Shawn Flaherty will go in-depth and unpack details of the complaint (update: here’s his must-read first take). There is a lot to unpack. If you’re in digital health, this complaint impacts you materially today. If you’re in any other space, expect this to have repercussions by 2024, at the latest, for how you engage with users and handle data (you can see this trend, e.g., in the soon-to-be-enforced Law 25). If you don’t believe me, here are two key takeaways to consider.

First, this complaint comes from the FTC. For years, digital health companies have claimed they don’t need to respect HIPAA PHI requirements because they aren’t acting as covered entities. That stance has now been firmly rejected. If you are handling personal health data, you must be transparent with your users about how and why you have their data, and you must prove that use is consistent with purpose. In practice, these are very hard problems to solve at scale.

Second, and possibly more important, the FTC has stated resolutely something I’ve been saying for years: clicking “accept” on a Privacy Policy is not Consent. This should be obvious, since consent is an act of freely exercising a choice with known outcomes, but in practice most services force users to agree to terms that they don’t understand. The new bar is something called Affirmative Express Consent (AEC). It requires that concise and transparent language be shown to users, who must then opt in to usage.

In the long run, this will be a huge win for all players. Users will regain say over how their data is used, and the transparent engagement model framed by AEC will build consumer trust, accelerating customer adoption and revenue. I firmly believe that as companies understand this, AEC will become the gold standard across verticals. In the near term, however, digital health companies have a massive challenge ahead of them. Good news: at Tranquil Data we’ve built the world’s first product tailored to exactly this challenge, and are deploying it with customers at scale. Reach out and we’ll help get you on the right track.

Seth Proctor
Tranquil Data

CEO & Founder @ Tranquil Data. Former CTO @ NuoDB. Long-time systems R&D @ Sun Microsystems. Husband & father. Systems obsessed.