Yale Journal of Health Policy, Law, and Ethics
Volume 17 | Issue 1, Article 3 (2017)

Regulatory Disruption and Arbitrage in Health-Care Data Protection
Nicolas P. Terry, Indiana University Robert H. McKinney School of Law

Follow this and additional works at: https://digitalcommons.law.yale.edu/yjhple
Part of the Health Law and Policy Commons, and the Legal Ethics and Professional Responsibility Commons

Recommended Citation: Nicolas P. Terry, Regulatory Disruption and Arbitrage in Health-Care Data Protection, 17 Yale J. Health Pol'y L. & Ethics (2017). Available at: https://digitalcommons.law.yale.edu/yjhple/vol17/iss1/3

This Article is brought to you for free and open access by Yale Law School Legal Scholarship Repository. It has been accepted for inclusion in Yale Journal of Health Policy, Law, and Ethics by an authorized editor of Yale Law School Legal Scholarship Repository. For more information, please [email protected].


REGULATORY DISRUPTION AND ARBITRAGE IN HEALTH-CARE DATA PROTECTION*

Nicolas P. Terry**

Abstract: This article explains how the structure of U.S. health-care data protection (specifically its sectoral and downstream properties) has led to a chronically uneven policy environment for different types of health-care data. It examines claims for health-care data protection exceptionalism and competing demands such as data liquidity. In conclusion, the article takes the position that health-care-data exceptionalism remains a valid imperative and that even current concerns about data liquidity can be accommodated in an exceptional protective model. However, re-calibrating our protection of health-care data residing outside of the traditional health-care domain is challenging, currently even politically impossible. Notwithstanding, a hybrid model is envisioned with the downstream HIPAA model remaining the dominant force within the health-care domain, but being supplemented by targeted upstream and point-of-use protections applying to health-care data in disrupted spaces.

* © 2016 Nicolas Terry. All rights reserved.
** Hall Render Professor of Law, Executive Director, Hall Center for Law and Health, Indiana University Robert H. McKinney School of Law. Email: [email protected]. Frank Pasquale, Kristin Madison, and Craig Konnoth were generous with their time in commenting on an early draft. I also thank the workshop participants at the 2015 Amsterdam Privacy Law Scholars Conference (Oct. 2015) and the Health Law Policy, Biotechnology, and Bioethics Workshop at the Petrie-Flom Center at Harvard Law School (Apr. 2016) for their valuable feedback. I also thank the anonymous peer reviewers at the Yale Journal of Health Policy, Law, and Ethics for their helpful comments. Professor Miriam Murphy helped immeasurably with research and Kelci Dye, Indiana University Robert H. McKinney School of Law J.D. candidate, was a diligent editor.

Published by Yale Law School Legal Scholarship Repository, 2017


TABLE OF CONTENTS

TABLE OF CONTENTS .... 144
INTRODUCTION .... 146
I. BACKGROUND: KEY CHARACTERISTICS OF U.S. DATA PROTECTION .... 148
   A. SECTORAL DATA PROTECTION .... 149
   B. UPSTREAM VS. DOWNSTREAM PROTECTION MODELS .... 151
II. REGULATORY TURBULENCE, DISRUPTION & ARBITRAGE .... 155
   A. TURBULENCE AND DISRUPTION .... 156
   B. ARBITRAGE .... 160
   C. IMPLICATIONS OF REGULATORY DISRUPTION AND ARBITRAGE .... 161
III. EXCEPTIONALISM AND THE HEALTH-CARE DATA PROTECTION MODEL .... 162
   A. SECTORAL MODEL .... 162
   B. DOWNSTREAM PROTECTION FAVORED .... 164
   C. UNDERSTANDING EXCEPTIONAL HEALTH-CARE DATA PROTECTION .... 168
      1. HISTORY OF EXCEPTIONALISM .... 169
      2. HEALTH SUBDOMAIN EXCEPTIONALISM .... 171
IV. TURBULENCE, DISRUPTION, AND ARBITRAGE IN PRACTICE .... 173
   A. PROFESSIONAL HEALTH-CARE DOMAIN VS. CONSUMER DOMAIN .... 173
   B. EXAMPLE ONE: BIG DATA .... 177
   C. EXAMPLE TWO: MOBILE HEALTH DATA .... 181
V. DATA PROTECTION VERSUS DATA LIQUIDITY .... 184
   A. CLINICAL INTEROPERABILITY .... 184
   B. MEDICAL AND POPULATION HEALTH RESEARCH .... 186
   C. REFUTING THE BINARY .... 187
VI. REGULATORY RESPONSES TO DISRUPTION AND ARBITRAGE .... 189
   A. IS DISRUPTION WORTH THE TROUBLE? .... 189
   B. A DIFFERENT TYPE OF LABORATORY, THE STATES .... 191
   C. WHAT STYLE OF REGULATION IS APPROPRIATE FOR DISRUPTIVE TECHNOLOGIES? .... 192
   D. THE LEVEL OF REGULATION: THE CASE FOR CONTINUED HEALTH-CARE DATA PROTECTION EXCEPTIONALISM .... 196
VII. MOVING BEYOND HIPAA, EXPLORING THE POTENTIAL OF MULTIPLE DATA PROTECTION MODELS .... 199
   A. INCREASED ENFORCEMENT .... 203
   B. AMENDMENTS TO THE PRIVACY AND SECURITY RULES .... 204
   C. TARGETED FEDERAL LEGISLATION .... 204
CONCLUSION .... 205


"Your previous provider refused to share your electronic medical records, but not to worry - I was able to obtain all of your information online."1


INTRODUCTION

In 1994, two years before passage of the statute that authorized the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules, the Institute of Medicine (IOM) took the position that "legislation should clearly establish that the confidentiality of person-identifiable data is an attribute afforded to the data elements themselves, regardless of who holds the data."2 That exhortation was ignored, allowing a regulatory vector between the protection of health-care data held inside and outside of the conventional health-care space. Policymakers' persistent, systemic failure to safeguard health-care data outside the HIPAA domain is now exemplified by the minimal, sub-HIPAA data protection afforded health-care data either held by data brokers ("companies that collect consumers' personal information and resell or share that information with others"3) or created by mobile apps. The result of this policy misstep is an emerging narrative of regulatory disruption and arbitrage. Simply put, disruption and arbitrage can occur when disruptive businesses in a lightly regulated domain create products previously associated with incumbents of a highly regulated domain.

This is not just another story of emerging technologies exposing the lamentable state of data protection in the United States. It is also an account of the likely depreciation of a health-care-specific policy position that was hard won and as yet has not been convincingly refuted. This policy is health-care privacy exceptionalism.

As described below, the fundamental flaw in U.S. data protection was the rejection of generalized or universal protection in favor of a domain-specific model. Virtually alone among those domains, health care carved out a reasonably effective data protection position, referred to as health-care privacy exceptionalism, courtesy of the HIPAA Privacy and Security Rules4 and their state law analogues.5 Exceptionalism also has a downside. Conversations about mainstream data protection have tended to ignore, even isolate, health care, viewing the domain as sui generis and adequately protected by HIPAA.

The key to understanding current disruption and arbitrage in the health-care data sector is an appreciation of the U.S. data protection approach and, obviously, its particular application to health care. While the sectoral nature of U.S. health-care data protections is generally understood, other properties, such as the distinction between upstream and downstream data protection models, may not be so well known. The intersections of multiple data protection models help explain the current declining state of health-care data protection. Equally, understanding multiple models is helpful in refuting over-simplified binaries (for example, privacy versus data liquidity) and provides insight into potential data protection reforms.

The analysis that follows suggests two examples of regulatory disruption and arbitrage in health-care data. The first example considers health-care data collected, analyzed, and sold by big data brokers. Some of those data are created within the highly regulated space of health-care practice but legally "exported" (for example, they may have been de-identified). Other big data are created outside the highly regulated health-care domain but are medically inflected, and, once combined with other data points, operate as data proxies for protected HIPAA data. In both scenarios, data triangulation may defeat any de-identification. In the second example, users increasingly generate wellness, fitness, and sickness data on mobile health platforms or by mobile health apps. Again, the picture is complicated (hence the disruption). Some data are created in a highly regulated space but then exported to a mobile device; other data are processed in the opposite direction.

This article takes the position that health-care-data exceptionalism remains a valid imperative and that even current concerns about data liquidity can be accommodated in an exceptional protective model. However, re-calibrating our protection of health-care data residing outside of the traditional health-care domain is challenging. This article envisions a hybrid model, with the downstream HIPAA model remaining the dominant force within the health-care domain, supplemented by upstream and point-of-use protections applying to health-care data in disrupted spaces.

1. Kaamran Hafeez, Daily Cartoon, THE NEW YORKER (Sept. 11, 2015), http://www.newyorker.com/cartoons/daily-cartoon/daily-cartoon-friday-september-11th-healthcare-doctor-visit [https://perma.cc/K3N6-6BW4].
2. INSTITUTE OF MEDICINE, HEALTH DATA IN THE INFORMATION AGE: USE, DISCLOSURE, AND PRIVACY 191 (Molla S. Donaldson & Kathleen N. Lohr eds., 1994) [hereinafter HEALTH DATA IN THE INFORMATION AGE].
3. Data Brokers: A Call for Transparency and Accountability, FED. TRADE COMMISSION i (2014), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf [https://perma.cc/M9M5-A6P8] [hereinafter Data Brokers].
4. HIPAA Administrative Simplification, Regulation Text, 45 C.F.R. pts. 160, 162, and 164 (Unofficial Version, as amended through March 26, 2013), U.S. DEP'T HEALTH & HUM. SERVS., http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf [https://perma.cc/P9R8-QH7A].
5. See generally Joy L. Pritts, Altered States: State Health Privacy Laws and the Impact of the Federal Health Privacy Rule, 2 YALE J. HEALTH POL'Y L. & ETHICS 327, 332-40 (2002).


I. BACKGROUND: KEY CHARACTERISTICS OF U.S. DATA PROTECTION

The dysfunctional nature of U.S. data protection is ironic given its often-heralded roots. Samuel Warren and Louis Brandeis's famous Harvard article6 has achieved mythic fame for birthing its eponymous "Right to Privacy." However, looking back at their article today, it is striking to see the relatively narrow driver that led those famous lawyers to propose the recognition of the "right to be let alone."7 Primarily, they seemed concerned about some members of the press (perhaps, in today's terms, the paparazzi) and what the authors viewed as an inappropriate appetite for gossip and triviality.8 Indeed, Jill Lepore has described the article as "a manifesto against the publicity of modernity."9 Today, the article's "Right to Privacy" title plays better than its substance and, perversely, that title now exists merely as a slogan inaccurately preserving the myth of strong U.S. data protection.

Those seeking the source of the contemporary data protection debate are more likely to find it, albeit accompanied by dystopian contexts, in Alan Westin's 1967 book Privacy and Freedom10 or his 1972 preview of today's data broker issues, Databanks in a Free Society.11 With no little irony given the health-care context of this paper, it was the U.S. Department of Health, Education, and Welfare (HEW), a precursor to the Department of Health & Human Services (HHS), which first considered a comprehensive privacy law applying across all domains and regulating both public and private entities.12 The HEW report discussed both government and non-governmental information practices13 and outlined one of the first iterations of Fair Information Practice Principles (FIPPs).14 FIPPs are a distillation of the best information practices common to developed democracies and, as noted by the Federal Trade Commission (FTC), include some core privacy principles: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress.15

Unfortunately, the misstep that followed was that the HEW report only recommended, and Congress only enacted, privacy legislation to control the data collecting practices of the federal government. Many of the issues discussed in this article can be traced back to this Pyrrhic victory, the Privacy Act of 1974.16 What Frank Pasquale has termed U.S. privacy law's "original sin" was the failure to embrace a comprehensive rather than piecemeal approach to data protection.17

6. Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193 (1890).
7. Id. at 195.
8. Id. at 196.
9. Jill Lepore, The Prism: Privacy in an Age of Publicity, NEW YORKER (June 24, 2013), http://www.newyorker.com/reporting/2013/06/24/130624fa_fact_lepore [https://perma.cc/5AN6-EAH5].
10. ALAN F. WESTIN, PRIVACY AND FREEDOM (1967).
11. ALAN F. WESTIN & MICHAEL A. BAKER, DATABANKS IN A FREE SOCIETY: COMPUTERS, RECORD-KEEPING, AND PRIVACY (1972).
12. SECRETARY'S ADVISORY COMM., U.S. DEP'T HEALTH, EDUC. & WELFARE, DHEW PUB. NO. (OS) 73-94, RECORDS, COMPUTERS, AND THE RIGHTS OF CITIZENS (1973), http://www.justice.gov/opcl/docs/rec-com-rights.pdf [https://perma.cc/ZU4D-DGC9].
13. Id. at 33-46.
14. Id. at xx-xxi, xxiii.
15. Privacy Online: A Report to Congress, FED. TRADE COMMISSION 7 (1998), https://www.ftc.gov/sites/default/files/documents/reports/privacy-online-report-congress/priv-23a.pdf [https://perma.cc/UXR2-VQLC]. The FIPPs are principles or properties of privacy codes that were initially developed by the FTC but are now featured in codes across the world.
16. 5 U.S.C. § 552a (2012).
17. Episode 7: Mark Rothstein, Big Data & Health Research, Apple ResearchKit, White House Consumer Privacy Bill, WEEK HEALTH L. (Apr. 8, 2015), http://twihl.podbean.com/e/7-mark-rothstein-big-data-health-research-apple-researchkit-white-house-consumer-privacy-bill/ [https://perma.cc/LQ48-W2RL].


A. Sectoral Data Protection

Thereafter, as acknowledged by the 2012 White House report, "most Federal data privacy statutes appl[ied] only to specific sectors, such as healthcare, education, communications, and financial services or, in the case of online data collection, to children."18 The original sin is not just about preferring sectoral to more comprehensive regulation. The patchwork of resulting protections "results from the sectoral approach having been created backwards. Rather than coming up with an overall picture and then breaking it up into smaller pieces that mesh together, Congress has been sporadically creating individual pieces of ad hoc legislation."19 Thus, the "sectoral approach is emblematic of the lack of a perceptible, cohesive commercial data privacy policy, which creates complexity and costs for businesses and confuses consumers."20

The sectoral approach has played out over multiple industries. As is well known, the Gramm-Leach-Bliley Act (GLBA) governs consumer privacy in the financial sector.21 GLBA, like HIPAA, is sectoral, applying to narrowly defined data custodians, specifically groups of financial entities. Just as HIPAA does not apply to all custodians of health-care data, so GLBA does not apply to all who hold consumer financial data.22 And like HIPAA, GLBA is a downstream data-protection model that erects a duty of confidentiality23 and requires notice to consumers of an institution's privacy policies and practices.24 The Fair Credit Reporting Act (FCRA) applies to consumer reporting agencies regarding important if narrow requirements relating to quality, transparency, and access.25 Other examples cover still narrower sectors such as video rental records.26 Even now, with the sectoral approach to data protection understood as causing severe regulatory gaps, calls for narrowly focused "fixes" continue, whether to protect student records from big data brokers27 or to prevent automobiles from "spying" on their drivers.28

A sectoral approach to data protection has other flaws. For example, sectoral models inevitably encourage differential levels of protection, and that more often promotes a race to the bottom rather than to the top. Worse, high levels of protection can be characterized as outliers and targeted for "reform."

This sectoral limitation of substantive law spills over into rulemaking and enforcement. Inter-agency cooperation has never been a core strength of the federal government, and turf wars likely exacerbate regulatory gaps. It is one thing not to have a comprehensive privacy model. It is another not to have a unified data-protection agency. For example, the European Union has had a (relatively) uniform law since 1995.29 The new General Data Protection Regulation (GDPR)30 has attracted interest because of its erasure31 and breach notification32 provisions. However, arguably one of its most significant achievements is to make enforcement and interpretation more consistent across the EU by designating a primary, "one-stop shop" regulator33 and promoting additional coordination through the European Data Protection Board.34

Of course, the observation that U.S. data protection is flawed because of its sectoral nature is only part of the story. The sectors (including health care) are narrowly defined. After conventional health and, arguably,35 financial services, the drop-off in protections is sharp. In large part, this is because the United States has favored relatively-low-protection models, most of which are downstream.

18. Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, WHITE HOUSE 6 (Feb. 2012), https://www.whitehouse.gov/sites/default/files/privacy-final.pdf [https://perma.cc/4YS7-FWWH] [hereinafter Framework for Protecting Privacy].
19. Commercial Data Privacy and Innovation in the Internet Economy: Dynamic Policy Framework, U.S. DEP'T COM. 60 (Dec. 2010), http://www.ntia.doc.gov/report/2010/commercial-data-privacy-and-innovation-internet-economy-dynamic-policy-framework [https://perma.cc/PG6Z-V6HM] (summarizing commenters).
20. Id. at 59.
21. Gramm-Leach-Bliley Act, Pub. L. No. 106-102, § 501, 113 Stat. 1338, 1436-37 (1999). See generally Edward J. Janger & Paul M. Schwartz, The Gramm-Leach-Bliley Act, Information Privacy, and the Limits of Default Rules, 86 MINN. L. REV. 1219, 1219-20 (2002).
22. See 15 U.S.C. § 6805(a) (2012). Notwithstanding, the FTC does have some broad residual powers. See Privacy of Consumer Financial Information; Final Rule, 65 Fed. Reg. 33,646 (May 24, 2000) (codified at 16 C.F.R. pt. 313).
23. 15 U.S.C. § 6802(a)(1) (2012) (requiring non-disclosure of "nonpublic personal information" to "nonaffiliated third parties").
24. See 15 U.S.C. §§ 6803(a), (c) (2012).
25. 15 U.S.C. §§ 1681-1681x (2012).
26. Pub. L. No. 100-618, 102 Stat. 3195. See generally Mollett v. Netflix, Inc., 795 F.3d 1062 (9th Cir. 2015). For more examples of narrow, sectoral legislation see Daniel J. Solove, Privacy and Power: Computer Databases and Metaphors for Information Privacy, 53 STAN. L. REV. 1393, 1440-44 (2001).
27. See, e.g., Press Release, Sen. Ed Markey, Sens. Markey & Hatch Reintroduce Bipartisan Legislation to Protect Student Privacy (May 13, 2015), http://www.markey.senate.gov/news/press-releases/sens-markey-and-hatch-reintroduce-bipartisan-legislation-to-protect-student-privacy [https://perma.cc/AD5Y-7JP9].
28. Press Release, Sen. Ed Markey, Sens. Markey, Blumenthal Introduce Legislation to Protect Drivers from Auto Security, Privacy Risks with Standards & "Cyber Dashboard" Rating System (July 21, 2015), http://www.markey.senate.gov/news/press-releases/sens-markey-blumenthal-introduce-legislation-to-protect-drivers-from-auto-security-privacy-risks-with-standards-and-cyber-dashboard-rating-system [https://perma.cc/2ZMZ-BMWA].
29. Directive 95/46/EC, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data, 1995 O.J. (L 281/31), http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046 [https://perma.cc/S49Z-VL4V].
30. Commission Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data, and Repealing Directive 95/46/EC, 2016 O.J. (L 119) 1 (General Data Protection Regulation), http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC [https://perma.cc/R5NP-FR2Z].
31. Id. art. 17.
32. Id. arts. 33-34.
33. Id. arts. 56-65.
34. Id. arts. 68-76.
35. Cf. Kathleen A. Hardee, The Gramm-Leach-Bliley Act: Five Years After Implementation, Does The Emperor Wear Clothes?, 39 CREIGHTON L. REV. 915 (2006).


B. Upstream vs. Downstream Protection Models

The upstream-downstream typology described here may appear somewhat complex. However, its origins can be traced to a much simpler relationship: that between privacy and confidentiality. According to Tom Beauchamp and James Childress:

   [A]n infringement of a person's right to confidentiality occurs only if the person or institution to whom the information was disclosed in confidence fails to protect the information or deliberately discloses it to someone without first-party consent. By contrast, a person who, without authorization, enters a hospital record room or computer database violates rights of privacy but does not violate rights of confidentiality. Only the person or institution that obtains information in a confidential relationship can be charged with violating rights of confidentiality.36

This description captures a clear process chronology. First, "privacy"

36. TOM L. BEAUCHAMP & JAMES F. CHILDRESS, PRINCIPLES OF BIOMEDICAL ETHICS 316-17 (7th ed. 2013); see also Humphers v. First Interstate Bank of Oregon, 696 P.2d 527 (Or. 1985) ("Although claims of a breach of privacy and of wrongful disclosure of confidential information may seem very similar in a case like the present, which involves the disclosure of an intimate personal secret, the two claims depend on different premises and cover different ground ... [T]he most important distinction is that only one who holds information in confidence can be charged with a breach of confidence. If an act qualifies as a tortious invasion of privacy, it theoretically could be committed by anyone.").