The American Data Privacy and Protection Act (ADPPA) is widely considered the best opportunity in a generation for comprehensive federal privacy legislation. The future of informatics for population health depends on involving public health professionals in the debate on new privacy laws such as the ADPPA. The 2017 World Health Organization (WHO) guidelines on ethical issues in public health surveillance provide excellent guiding principles for identifying and communicating public health needs and priorities in the proposed privacy legislation. Carefully crafted protections could establish a new social contract: when an individual provides data to help their community, that data will not be used against the individual.
First, public health stakeholders need to speak up to ensure that any new law does not harm existing public health data streams. Second, they must ensure that any new law provides space for public health information technology to evolve and develop under adequate governance. Finally, they should look for laws that meet ethical standards for the use of public health data.
Opportunity for comprehensive federal privacy legislation
Recently, the federal privacy bill, the American Data Privacy and Protection Act, was presented to Congress with broad support from the House and Senate. Like recent past federal and state privacy bills, however, the ADPPA drafting process sadly did not have the leadership of a public health community already burdened with the challenges of the pandemic response. Among other things, the ADPPA evidently lacks explicit provisions legitimizing the collection or transfer of data for public health purposes and may impose new legal restrictions, including restrictions on the use of secondary demographic data collected by nonprofits. to promote the health of the population. Although proponents of general privacy legislation have rightly focused on ensuring strong protections for the use of sensitive health data in the commercial sector, the legislative process has not had strong public health voices to ensure that the new legislative guardrails on use data does not inadvertently burden public health information technology as well.
Data privacy laws that allow personal information, beyond medical records, to be used for public health purposes are essential to enable cross-sectoral data sharing and promote population health. The future of public health informatics, such as precision public health applied to chronic, acute and infectious conditions, depends on the ability to harness and connect non-traditional and heterogeneous data sources for public health purposes. These links require the conciliation of different legal safeguards that apply to different data, such as HIPAA-regulated data, non-HIPAA health data (e.g. mobile health apps) and adjacent health data (e.g. social determinants). However, general privacy legislation is becoming increasingly fragmented, with five states having already adopted comprehensive privacy statutes, each different from the others. A comprehensive national privacy law, such as the ADPPA, offers the opportunity to address the challenges of public health data sharing by partially harmonizing a patchwork of U.S. data privacy laws that often inhibits data integration across silos and sectors .
The current flurry of legislative activity, both at the state and federal levels, also threatens to block ways to codify ethical principles of public health into privacy legislation. But public health professionals, experts and stakeholders can still set foot in the door to participate in the debates.
An ethical framework for data protection and public health
The 2017 WHO Guidelines on Ethical Issues in Public Health Surveillance provide excellent guiding principles for identifying and communicating public health needs and priorities in the proposed privacy legislation. They impose an ethical obligation on governments to conduct public health surveillance. Consequently, public health stakeholders should be vigilant so that the proposed privacy law does not disrupt or hinder existing legitimate public health data flows. The best way to protect and enable public health analysis is to include exceptions that expressly allow the reuse of protected data for public health purposes. The WHO guidelines also emphasize the importance of community values and concerns at all stages of public health surveillance. Notably, a 2020 US public survey shows that using data to promote population health is significantly more acceptable than other uses of data, such as commercial and law enforcement uses, which are generally permitted by law. on privacy. This and similar evidence can be compelling to policy makers who are concerned about the needs and views of their constituencies.
Good governance and political barriers are central to many of the WHO guidelines to ensure that public health professionals use data ethically and only for legitimate public health purposes. For example, transparency measures, such as public notice requirements, strengthen the decision-making process of individuals and enable accountability for organizations and government bodies. Consequently, public health stakeholders must ensure that new privacy laws do not overly favor public health uses and allow the use of data without adequate protections and limitations.
Likewise, WHO guidelines take a tough stance on the secondary use of public health data for purposes unrelated to public health. In particular, the guidelines argue that public health data should not be shared with “agencies that could take action against individuals”. In a post-Roe vs Wade world, there is growing concern and distrust that governments will acquire and use private data against individuals; for example, using data from a cycle tracking app to determine if a pregnancy has occurred. To prevent law enforcement overruns, you may need to consider additional protections for data received from public health authorities. For example, there are strong protections against law enforcement uses in the legal framework for substance use disorder treatment records. In fact, a group of 30 senators asked the administration to update the HIPPA regulations to prevent that overshoot. Similar and carefully crafted protections in new privacy legislation could serve as the basis for a new social contract: when an individual provides data to help their community, that data will not be used against the individual.
The state acts have so far disappointed
Unfortunately, the comprehensive state privacy laws passed so far have not lived up to these ethical access expectations. At the time of this writing, the following states have enacted comprehensive data privacy legislation (listed in chronological order of passage): California, Virginia, Colorado, Utah, and Connecticut. A recent analysis of the California, Virginia, and Colorado laws showed that while the California and Colorado laws broadly support public health data practices, the Virginia law risks reducing them in important ways and the Colorado law may not meet ethical standards for reporting data subjects.
There is still time for public health to set foot in the door
There is still time for public health to step in the door, and thus enter the debate and ensure effective and ethical public health provisions in the new legislation. Although the ADPPA exited the Chamber’s Energy and Commerce Commission in a solidly bipartisan 52-to-2 vote, Senator Nancy Pelosi withheld the bill from a grassroots vote, citing concern that the law does not provide the broad protections that she states California law provides. The Federal Trade Commission also recently notified a regulatory proposal, inviting the public and interested groups to comment on whether “it should implement new trade regulation rules or other regulatory alternatives regarding how companies collect, aggregate, protect, use, analyze and store consumer data “.
In the flow of debates over new US data protection laws, public health has opportunities for greater access to critical data. But the legislative debate has thus far been driven by diverging views between industry and privacy advocates on the appropriate scope of commercial data practices and the extent of preemptive state laws (such as California’s) governing data use. commercial. Public health prospects have largely been absent. Without public health involvement, the new laws may not improve access to data for public health purposes and may, in fact, prevent access to it.
Immediate actions for stakeholders
First, public health stakeholders need to speak up to ensure that any new law does not harm existing public health data streams. Second, they must ensure that any new law provides space for public health information technology for development, under adequate governance, as information technology develops or as new resources dedicated to public health infrastructure allow public health to expand current capabilities. One example is the current public health data modernization initiative. Finally, public health stakeholders must ensure that legislation respects the ethical limits imposed on the uses of public health data that WHO and others have articulated.
Note from the authors
The authors would like to thank Professor James G. Hodge, Jr., Dr Michael Morrisey, and Dr William Sage for their thoughtful comments on this work. This work was supported in part by Texas A&M University’s T3 program. Charles Curran is an independent consultant who advises industry members on data policy issues, including consent. Relationships with industry members are only tangential to the topic of this article (encouraging public health to engage in privacy legislative debates). However, the authors note that these industry members would be subject to ADPPA rules.