Next President Must Protect Consumer Privacy Online
October 13, 2008
Filed under Health Privacy
[Ed. Note: this is the third in a series of blog posts addressing a range of technology and civil liberties issues we believe America's next President and Congress will have the chance to take a fresh look at, and the opportunity to set a policy course for the Internet that will keep it open, innovative and free.]

Americans are increasingly living their lives online and taking advantage of all the benefits that the Internet has to offer. Consumers do things online today that were unthinkable even a handful of years ago: shopping for houses, maintaining personal medical records, or searching for friends sitting at nearby coffee shops. But they remain justifiably apprehensive about the privacy and security of the information they share with companies and divulge online.

It has become more and more difficult for consumers to keep track of when, where, how, and to whom their information is disclosed. That difficulty is exacerbated by the trend towards greater distribution and data-sharing (part of the "Web 2.0" revolution). Meanwhile, high-tech scammers are seizing on these trends, capitalizing on consumers' access to more content from more sources on an increasing array of devices, to find new opportunities to commit fraud. Left unchecked, these developments may leave consumers open to privacy invasion while undermining the trust necessary for commerce to thrive online.

Internet users need to be confident that the data they divulge online will be protected. At the same time, law enforcers at all levels must have the resources they need to aggressively pursue fraudsters and malicious scammers, protect consumers, and deter future online crimes.

Baseline Protections Across the Board

American consumers currently face a confusing patchwork of privacy standards that offer only weak protections for much of the personal information collected by businesses; some information is left unprotected in surprising ways.
For example, financial privacy laws have major exceptions and, while there is a strong privacy law for video rental records, no law protects travel records or online purchasing data.

As a succession of new online threats has cropped up over the last several years - from spyware to RFID tags to behavioral targeting and beyond - some observers have supported adding complexity to this already-tangled legal patchwork with new laws that are technology- and sector-specific, with each law addressing one of these threats independently. But such an approach will only create more gaps in legal protections, confusing consumers and law enforcers alike. Dealing with each new threat as it arises is far too reactive a strategy, leaving consumers out in the cold until specific laws can be passed to deal with each new online threat.

A better approach would be to craft a single, consistent privacy law to protect consumer data across the board. A baseline law would bolster consumer trust while giving both businesses and law enforcers a comprehensive standard for protecting consumers. A flexible, technology-neutral regime would guarantee data protections while allowing new technologies to continue to flourish. The next president and Congress should work together to enact a law that will protect the information of American consumers both online and in the "brick and mortar" world.

Privacy as a Cornerstone of Electronic Personal Health Information

The next president faces an especially crucial task in ensuring that the potential for information technology to improve health quality can be realized. A majority of Americans want their health information to be available to them, and exchanged by their health care providers, on-line, but they have significant privacy concerns about that process, too.
Technology has a greater capacity to protect sensitive personal health information than is the case now with paper records; however, the computerization of personal health information, in the absence of strong privacy and security safeguards, magnifies the privacy risks. Building public trust in health information technology (health IT) is essential, and now, in the early stages of adopting these systems, is the critical window of opportunity to address privacy.

Building public trust in health IT requires the adoption of a comprehensive privacy and security framework that sets clear parameters for access, use and disclosure of personal health information for all entities engaged in e-health. Such a framework should be based on fair information practices, such as those in the Common Frameworks developed by the Markle Foundation's multi-stakeholder Connecting for Health Initiative. Enhancing the role of individual consent with respect to the sharing of information on-line is one key issue to address - but giving consumers greater control of their health data will not by itself resolve the critical privacy issues that threaten progress on health IT.

The privacy and security rules enacted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) established the first federal health privacy framework, but the rules are insufficient to cover the new and rapidly evolving e-health environment. The president and Congress need to strengthen HIPAA for electronic records kept by traditional health system entities and back it up with vigorous enforcement of the law. Policymakers also need to address the increased migration of personal health information outside of the health care system, for example, through personal health records offered by employers and Internet companies. For these entities, regulation under HIPAA would fail to address the most serious threats to patient privacy and could inadvertently promote inappropriate sharing of consumer data.
Instead, the president and Congress need to establish additional legal protections that target the threats to privacy faced by consumers storing and sharing their personal health information on-line.