In December 2016, the Council for International Organizations of Medical Sciences (CIOMS) released a new version of its International Ethical Guidelines for Health-Related Research Involving Humans, which sets out new procedures for obtaining consent for the use and analysis of health-related data in research. Although aimed at the biomedical industry, the guidelines have potential implications for the enterprise.
Privacy controls: Not just for health records
Just because someone consents to providing health-related data or biometrics does not mean that they consent to every downstream analysis and application of it. This principle is one of several addressed in the new CIOMS guidelines, which emphasize informed consent for derivative use of data. Subjects need assurance that their data, and any findings derived from it, will be properly protected and disclosed only in approved circumstances.
This is of interest to non-biomedical organizations for several reasons. The enterprise increasingly encounters "grey data" that is related to health but not technically covered by legal privacy regulations such as the US Health Insurance Portability and Accountability Act (HIPAA). While HIPAA and comparable international regulations protect electronic health records (EHRs) and insurance data, they do not formally protect derivative health data such as biometric statistics collected from wearables and wellness programs, and businesses are coming into contact with this data more and more often.
This should serve as a warning sign for companies that might be eyeing such content as a way to circumvent regulatory protection. For organizations that are already collecting, storing, or analyzing this content, asking several questions now can help them prepare for potential regulation in the future:
Where is the biometric or health-related data currently being managed, and what entity has legal responsibility for it?
Have third parties responsible for handling data been properly vetted for their privacy and security policies?
What is the current consent process for employees who enroll in wellness programs or provide personal data for incentives?
Are there legal or HR mechanisms in place to ensure that "grey data" or its analysis does not result in unintended discrimination?
Does the business have the ability to properly mask identity or anonymize health-related data?
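The last question, whether identity can be properly masked, is where many wellness-data programs fall short, because replacing an employee ID with a token is not the same as anonymizing the record. The following Python is an added example, not part of the original brief: it pseudonymizes a set of constructed wearable records with a keyed token (re-linkable only by whoever holds the key), coarsens the remaining quasi-identifiers (age, ZIP code), and then measures k-anonymity to show that a pseudonymized but un-generalized record is still unique, and therefore still linkable, on its indirect attributes. All record values, field names and the key are constructed for illustration.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample wellness-program records; not real employees or real data.
RECORDS = [
    {"employee_id": "E1001", "age": 34, "zip": "94110", "avg_steps": 8200, "resting_hr": 62},
    {"employee_id": "E1002", "age": 37, "zip": "94112", "avg_steps": 5100, "resting_hr": 71},
    {"employee_id": "E1003", "age": 52, "zip": "94110", "avg_steps": 3900, "resting_hr": 78},
    {"employee_id": "E1004", "age": 31, "zip": "94117", "avg_steps": 11000, "resting_hr": 55},
    {"employee_id": "E1005", "age": 58, "zip": "10001", "avg_steps": 4400, "resting_hr": 80},
]

DIRECT_IDENTIFIERS = {"employee_id"}          # columns that name a person outright
QUASI_IDENTIFIERS = ("age_band", "zip3")       # columns that identify a person by combination


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace the direct identifier with an HMAC-SHA256 token.

    The same employee always yields the same token, so longitudinal analysis still works,
    but only a holder of `key` can re-link a token to a person. That makes the key a
    re-identification capability: it must be stored and access-controlled separately
    from the dataset, and the result is pseudonymized data, not anonymized data.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    digest = hmac.new(key, record["employee_id"].encode("utf-8"), hashlib.sha256)
    out["subject_token"] = digest.hexdigest()[:16]
    return out


def generalize(record: dict) -> dict:
    """Coarsen quasi-identifiers: exact age -> 10-year band, 5-digit ZIP -> 3-digit prefix."""
    out = dict(record)
    decade = (out.pop("age") // 10) * 10
    out["age_band"] = f"{decade}-{decade + 9}"
    out["zip3"] = out.pop("zip")[:3]
    return out


def k_anonymity(records: list, quasi=QUASI_IDENTIFIERS) -> int:
    """Smallest equivalence-class size over the quasi-identifier columns.

    k == 1 means at least one record is unique on those columns, so an outside party
    holding a list of (age, ZIP) pairs could re-identify it by simple linkage.
    """
    classes = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(classes.values())


def suppress_small_classes(records: list, k: int, quasi=QUASI_IDENTIFIERS) -> list:
    """Drop records whose quasi-identifier class has fewer than k members.

    This is the utility trade-off: the released subset satisfies k-anonymity, but
    rare combinations (here, the two older employees) disappear from the analysis.
    """
    classes = Counter(tuple(r[q] for q in quasi) for r in records)
    return [r for r in records if classes[tuple(r[q] for q in quasi)] >= k]


def run_pipeline(key: bytes) -> dict:
    """Apply pseudonymization and generalization, reporting k at each stage."""
    pseudo = [pseudonymize(r, key) for r in RECORDS]
    coarse = [generalize(r) for r in pseudo]
    released = suppress_small_classes(coarse, k=2)
    return {
        "k_raw_quasi": k_anonymity(pseudo, quasi=("age", "zip")),   # token swapped, rest exact
        "k_generalized": k_anonymity(coarse),                        # age band + ZIP3
        "k_age_band_only": k_anonymity(coarse, quasi=("age_band",)),
        "k_released": k_anonymity(released),
        "released_count": len(released),
    }


if __name__ == "__main__":
    # Constructed key for illustration only; a real key would come from a KMS or HSM.
    for stage, k in run_pipeline(b"constructed-demo-key").items():
        print(f"{stage}: {k}")
```

The point the numbers make: after pseudonymization alone every record is still unique on exact age and ZIP (k = 1), and even after banding age and truncating ZIP one record remains unique, so a business answering "yes" to the masking question should be able to show a measurement like this, plus evidence that the token key is held apart from the data and that the suppression or generalization applied does not silently bias the analysis against the small groups it removes.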
As is the case with most industry guidelines, the first organizations to implement formal controls will be those directly subject to compliance. However, these practices and trends often trickle down to less-regulated industries and set the tone for how similar data is managed in the future.
2016 Trends to Watch: Health Technology, IT0011-000383 (December 2015)
Paige Bartley, Senior Analyst, Information Management