81 FR 10634 - Request for Information on Updates to the ONC Voluntary Personal Health Record Model Privacy Notice
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary Federal Register Volume 81, Issue 40 (March 1, 2016)
Office of the Secretary
Federal Register Volume 81, Issue 40 (March 1, 2016)
| Page Range | 10634-10635 | |
| FR Document | 2016-04239 |
[Federal Register Volume 81, Number 40 (Tuesday, March 1, 2016)] [Notices] [Pages 10634-10635] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2016-04239] ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary Request for Information on Updates to the ONC Voluntary Personal Health Record Model Privacy Notice AGENCY: Office of the National Coordinator for Health Information Technology, Department of Health and Human Services. ACTION: Notice with comment; request for information. ----------------------------------------------------------------------- SUMMARY: The Office of the National Coordinator for Health Information Technology (ONC) seeks comments on the scope and content of the voluntary Personal Health Record Model Privacy Notice (MPN) developed by ONC and published in 2011. In response to stakeholder requests for an electronic means to inform consumers about how health technology products store, use, and share health information (especially products of health technology developers not covered by the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191), we have initiated a process to update the MPN to better align with the current consumer health technology landscape. DATES: To be assured consideration, electronic comments must be received at one of the addresses provided below, no later than 5 p.m. on April 15, 2016. ADDRESSES: You may submit comments, identified by MPN RFI, by either of the following two methods (please do not submit duplicate comments).ONC Web site: Follow the instructions for submitting comments. Attachments should be in Microsoft Word, Microsoft Excel, or Adobe PDF; however, we prefer Microsoft Word. https://www.healthit.gov/policy-researchers-implementers/personal-health-record-phr-model-privacy-notice. Email: [email protected]. FOR FURTHER INFORMATION CONTACT: Maya Uppaluru or Michael Lipinski, 202-690-7151. SUPPLEMENTARY INFORMATION: In June 2008, the Office of the National Coordinator for Health Information Technology (ONC) began a multi-phase and iterative project to develop an easy-to-understand, voluntary Personal Health Record (PHR) Model Privacy Notice (MPN) that any PHR company could adopt to communicate its information practices to its users. Developed in collaboration with the Federal Trade Commission (FTC), the project's goals were two-fold: (1) Increase consumers' awareness of PHR companies' information practices; and (2) empower consumers by providing them with an easy way to compare the information practices of two or more PHR companies. The MPN was designed to enable PHR companies to easily enter their information practices and produce a notice to allow consumers to quickly learn and understand privacy and security policies and information practices, compare PHR company practices, and make informed decisions. Similar to the Food and Drug Administration's Nutrition Facts Label, this approach did not mandate specific policies, but rather was meant to encourage user-friendly transparency of a company's existing practices. The MPN has two sections: (1) The ``Release'' section; and (2) the ``Secure'' section. Both sections of the MPN include model language that informs consumers about how a PHR company is using an individual's health information. The current MPN can be found here, but we note that it is no longer available for use. Additional background on the MPN can be found at: https://www.healthit.gov/policy-researchers-implementers/personal-health-record-phr-model-privacy-notice. Since the development of the MPN, the consumer health technology landscape has greatly evolved. More consumers are now able to electronically access their health information than ever before. Not only are consumers interacting with their clinical and claims data (often collected and maintained by health care providers and health plans regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (i.e., ``covered entities'')), but they are also interacting with fitness and wellness data from devices offered by health technology developers that may not be regulated by HIPAA. In general, HIPAA regulations govern how covered entities and their business associates maintain, access, use and disclose individually identifiable health information and protected health information, otherwise known as ``PHI''.\1\ Specifically, the HIPAA regulations include requirements for: keeping information private in the Privacy Rule,\2\ which also includes notifying individuals about how their PHI can be accessed, used, and disclosed; \3\ adopting administrative, technical and physical safeguards to secure electronic PHI; \4\ and mandating notice to affected individuals when a breach of PHI occurs.\5\ Health technology developers that may not be covered by HIPAA are often called ``non-covered entities'' or ``NCEs.'' --------------------------------------------------------------------------- \1\ 45 CFR 160.103. \2\ 45 CFR 164.501 et seq. \3\ 45 CFR 164.520; see also Office of Civil Rights Model Notices of Privacy Practices: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/. \4\ 45 CFR 164.301 et seq. \5\ 45 CFR 164.400-414. --------------------------------------------------------------------------- Health technology developers make available a diverse array of products, including mobile apps, wearable devices, and sensors, and often display notices of their privacy and information practices to consumers. These developers may be subject to other federal laws, including the FTC Act's prohibition on unfair or deceptive acts or practices,\6\ and the FTC's Health [[Page 10635]] Breach Notification Rule \7\ which requires notification to affected individuals when a breach of data occurs. --------------------------------------------------------------------------- \6\ 15 U.S.C. 45(a) (Section 5 of the FTC Act). \7\ 16 CFR part 318. --------------------------------------------------------------------------- We are considering creating a new version of the MPN that would expand its scope beyond PHR companies and include more types of information practices. A modernized MPN would serve as a voluntary resource for health technology developers who want to give notice of their information practices to their users in an understandable way. Therefore, ONC requests public comment from consumers, mobile and web application developers, privacy advocates, user experience and design experts, and other health technology stakeholders on any updates that should be made to the content of the MPN to make it more useful to both health technology developers and consumers. While we encourage comments on all aspects of the MPN, ONC specifically seeks comment on the topics specified below. We note that the MPN does not recommend best practices to health technology developers, and we do not seek recommendations about best practices. Rather, ONC seeks comment concerning what information practices health technology developers should disclose to consumers and what language should be used to describe those practices in an updated MPN. Examples of information practices below are included to clarify the intent of the questions, but are not intended to be exhaustive. ONC invites commenters to discuss any examples that are relevant to the broad issues of which types of personal information and information practices should be addressed in an updated MPN. 1. User scope: What types of health technology developers, including non-covered entities and potentially HIPAA-covered entities, could and should use an updated voluntary MPN? 2. Information type: What information types should be considered in and out of scope for the MPN? Examples could include, but are not limited to: Names, account access information, credit card numbers, IP address information, social security numbers, telephone numbers (cell and landline), GPS or geo-location data, data about how a consumer's body functions ranging from heart rate to menstrual cycle, genomic data, and exercise duration data such as number of steps or miles clocked. 3. Information practices: What types of practices involving the information types listed in Question 2 above should be included in the MPN? An information practice is what the company does with the data that it has collected. Types of practices that could be in scope for the MPN include, but are not limited to: Sale of data, including geo- location data; sale of anonymized or de-identified data, with or without restrictions on re-identification; sale of identifiable data; sale of statistics aggregated from identifiable data; use of data by the original collector to market products to the consumer; allowing third parties to use the data for marketing purposes; allowing government agencies to access the data, and for what purposes (such as law enforcement or public health); allowing researchers at academic and non-profit institutions to access either identifiable or de-identified data; access to the data by employers, schools, insurance companies or financial institutions with or without the consumer's consent; and retention or destruction of consumer data when the relationship between the health technology developer and consumer terminates. 4. Sharing and storage: What privacy and security issues are consumers most concerned about when their information is being collected, stored, or shared? Examples could include whether a health technology developer stores information in the cloud or on the consumer's device, or whether the information collected is accessed, used, disclosed, or stored in another country. 5. Security and encryption: What information should the MPN convey to the consumer regarding specific security practices, and what level of detail is appropriate for a consumer to understand? For example, a health technology developer could state that the product encrypts data at rest, or that it uses 128-bit or 256-bit encryption. How can information about various security practices, often technical in nature, be presented in a way that is understandable for the consumer? Examples could include encryption at rest or encryption in transit, or whether information is encrypted on the device or in the cloud. 6. Access to other device information: What types of information that an application is able to access on a consumer's smartphone or computer should be disclosed? How should this be conveyed in the MPN? Examples include a health application accessing the content of a consumer's text messages, emails, address books, photo libraries, and phone call information. 7. Format: How should the MPN describe practices about the format in which consumer information is stored or transmitted (e.g., individually identifiable or de-identified, aggregate, or anonymized), particularly when their information is being shared with, or sold to, third parties? How should anonymized or de-identified information be defined for the purposes of the MPN? What existing definitions of ``anonymized'' or ``de-identified'' information are widely in use that could be potentially leveraged in conjunction with the MPN to clearly convey these practices to consumers? \8\ --------------------------------------------------------------------------- \8\ See, e.g., 45 CFR 164.514(a) (HIPAA Privacy Rule) as a potential standard for de-identification of protected health information. --------------------------------------------------------------------------- 8. Information portability: How should the MPN describe to consumers whether an application enables the consumer to download or transmit their health information? How should the MPN describe the consumer's ability to retrieve or move their data when the relationship between the consumer and the health technology developer terminates? Examples include if a consumer ends their subscription to a particular health technology service, or when a health technology developer's product is discontinued. ONC seeks broad input from stakeholders on updating the MPN so that the tool is useful for current health technology developers and consumers. Individuals and organizations with common interests are urged to both coordinate and consolidate their comments. Authority: 42 U.S.C. 300jj-11; Office of the National Coordinator for Health Information Technology; Delegation of Authority (76 FR 58006, Sept. 19, 2011). Dated: February 23, 2016. Karen DeSalvo, National Coordinator for Health Information Technology. [FR Doc. 2016-04239 Filed 2-26-16; 4:15 pm] BILLING CODE 4150-45-P
![10634 Federal Register / Vol. 81, No. 40 / Tuesday, March 1, 2016 / Notices
Columbus, Ohio, as an addition to the Personal Health Record Model Privacy The MPN has two sections: (1) The
Special Exposure Cohort (SEC) under Notice (MPN) developed by ONC and ‘‘Release’’ section; and (2) the ‘‘Secure’’
the Energy Employees Occupational published in 2011. In response to section. Both sections of the MPN
Illness Compensation Program Act of stakeholder requests for an electronic include model language that informs
2000. means to inform consumers about how consumers about how a PHR company
FOR FURTHER INFORMATION CONTACT: health technology products store, use, is using an individual’s health
Stuart L. Hinnefeld, Director, Division and share health information (especially information. The current MPN can be
of Compensation Analysis and Support, products of health technology found here, but we note that it is no
NIOSH, 1090 Tusculum Avenue, MS C– developers not covered by the Health longer available for use. Additional
46, Cincinnati, OH 45226–1938, Insurance Portability and background on the MPN can be found
Telephone 1–877–222–7570. Accountability Act of 1996, Pub. L. 104– at: https://www.healthit.gov/policy-
Information requests can also be 191), we have initiated a process to researchers-implementers/personal-
submitted by email to DCAS@CDC.GOV. update the MPN to better align with the health-record-phr-model-privacy-notice.
current consumer health technology Since the development of the MPN,
SUPPLEMENTARY INFORMATION: On
landscape. the consumer health technology
February 18, 2016, as provided for landscape has greatly evolved. More
under 42 U.S.C. 7384l(14)(C),the DATES: To be assured consideration, consumers are now able to
Secretary of HHS designated the electronic comments must be received electronically access their health
following class of employees as an at one of the addresses provided below, information than ever before. Not only
addition to the SEC: no later than 5 p.m. on April 15, 2016. are consumers interacting with their
All Atomic Weapons Employees who ADDRESSES: You may submit comments, clinical and claims data (often collected
worked at the facility owned by the Battelle identified by MPN RFI, by either of the and maintained by health care providers
Laboratories at the King Avenue site in following two methods (please do not and health plans regulated under the
Columbus, Ohio, during the period from July submit duplicate comments). Health Insurance Portability and
1, 1956, through December 31, 1970, for a
number of work days aggregating at least 250 • ONC Web site: Follow the Accountability Act of 1996 (HIPAA)
work days, occurring either solely under this instructions for submitting comments. (i.e., ‘‘covered entities’’)), but they are
employment, or in combination with work Attachments should be in Microsoft also interacting with fitness and
days within the parameters established for Word, Microsoft Excel, or Adobe PDF; wellness data from devices offered by
one or more other classes of employees however, we prefer Microsoft Word. health technology developers that may
included in the Special Exposure Cohort. https://www.healthit.gov/policy- not be regulated by HIPAA. In general,
This designation will become researchers-implementers/personal- HIPAA regulations govern how covered
effective on March 19, 2016, unless health-record-phr-model-privacy-notice. entities and their business associates
Congress provides otherwise prior to the • Email: ONCMPN@hhs.gov. maintain, access, use and disclose
effective date. After this effective date, FOR FURTHER INFORMATION CONTACT:
individually identifiable health
HHS will publish a notice in the Maya Uppaluru or Michael Lipinski, information and protected health
Federal Register reporting the addition 202–690–7151. information, otherwise known as
of this class to the SEC or the result of ‘‘PHI’’.1 Specifically, the HIPAA
SUPPLEMENTARY INFORMATION: In June regulations include requirements for:
any provision by Congress regarding the 2008, the Office of the National
decision by HHS to add the class to the keeping information private in the
Coordinator for Health Information Privacy Rule,2 which also includes
SEC. Technology (ONC) began a multi-phase notifying individuals about how their
Authority: 42 U.S.C. 7384q(b). 42 U.S.C. and iterative project to develop an easy-
7384l(14)(C). PHI can be accessed, used, and
to-understand, voluntary Personal disclosed; 3 adopting administrative,
John Howard, Health Record (PHR) Model Privacy technical and physical safeguards to
Director, National Institute for Occupational Notice (MPN) that any PHR company secure electronic PHI; 4 and mandating
Safety and Health. could adopt to communicate its notice to affected individuals when a
[FR Doc. 2016–04415 Filed 2–29–16; 8:45 am] information practices to its users. breach of PHI occurs.5 Health
BILLING CODE 4163–19–P
Developed in collaboration with the technology developers that may not be
Federal Trade Commission (FTC), the covered by HIPAA are often called
project’s goals were two-fold: (1) ‘‘non-covered entities’’ or ‘‘NCEs.’’
DEPARTMENT OF HEALTH AND Increase consumers’ awareness of PHR Health technology developers make
HUMAN SERVICES companies’ information practices; and available a diverse array of products,
(2) empower consumers by providing including mobile apps, wearable
Office of the Secretary them with an easy way to compare the devices, and sensors, and often display
information practices of two or more notices of their privacy and information
Request for Information on Updates to PHR companies. The MPN was designed practices to consumers. These
the ONC Voluntary Personal Health to enable PHR companies to easily enter developers may be subject to other
Record Model Privacy Notice their information practices and produce federal laws, including the FTC Act’s
AGENCY: Office of the National a notice to allow consumers to quickly prohibition on unfair or deceptive acts
Coordinator for Health Information learn and understand privacy and or practices,6 and the FTC’s Health
security policies and information
asabaliauskas on DSK5VPTVN1PROD with NOTICES
Technology, Department of Health and
Human Services. practices, compare PHR company 1 45 CFR 160.103.
ACTION: Notice with comment; request
practices, and make informed decisions. 2 45 CFR 164.501 et seq.
for information. Similar to the Food and Drug 3 45 CFR 164.520; see also Office of Civil Rights
Administration’s Nutrition Facts Label, Model Notices of Privacy Practices: http://
www.hhs.gov/hipaa/for-professionals/privacy/
SUMMARY: The Office of the National this approach did not mandate specific guidance/model-notices-privacy-practices/.
Coordinator for Health Information policies, but rather was meant to 4 45 CFR 164.301 et seq.
Technology (ONC) seeks comments on encourage user-friendly transparency of 5 45 CFR 164.400–414.
the scope and content of the voluntary a company’s existing practices. 6 15 U.S.C. 45(a) (Section 5 of the FTC Act).
VerDate Sep<11>2014 20:18 Feb 29, 2016 Jkt 238001 PO 00000 Frm 00070 Fmt 4703 Sfmt 4703 E:\FR\FM\01MRN1.SGM 01MRN1](https://thefederalregister.org/doc/81_FR_10674/page/1.svg)
![Federal Register / Vol. 81, No. 40 / Tuesday, March 1, 2016 / Notices 10635
Breach Notification Rule 7 which company does with the data that it has information is being shared with, or
requires notification to affected collected. Types of practices that could sold to, third parties? How should
individuals when a breach of data be in scope for the MPN include, but are anonymized or de-identified
occurs. not limited to: Sale of data, including information be defined for the purposes
We are considering creating a new geo-location data; sale of anonymized or of the MPN? What existing definitions
version of the MPN that would expand de-identified data, with or without of ‘‘anonymized’’ or ‘‘de-identified’’
its scope beyond PHR companies and restrictions on re-identification; sale of information are widely in use that could
include more types of information identifiable data; sale of statistics be potentially leveraged in conjunction
practices. A modernized MPN would aggregated from identifiable data; use of with the MPN to clearly convey these
serve as a voluntary resource for health data by the original collector to market practices to consumers? 8
technology developers who want to give products to the consumer; allowing 8. Information portability: How
notice of their information practices to third parties to use the data for should the MPN describe to consumers
their users in an understandable way. marketing purposes; allowing whether an application enables the
Therefore, ONC requests public government agencies to access the data, consumer to download or transmit their
comment from consumers, mobile and and for what purposes (such as law health information? How should the
web application developers, privacy enforcement or public health); allowing MPN describe the consumer’s ability to
advocates, user experience and design researchers at academic and non-profit retrieve or move their data when the
experts, and other health technology institutions to access either identifiable relationship between the consumer and
stakeholders on any updates that should or de-identified data; access to the data the health technology developer
be made to the content of the MPN to by employers, schools, insurance terminates? Examples include if a
make it more useful to both health companies or financial institutions with consumer ends their subscription to a
technology developers and consumers. or without the consumer’s consent; and particular health technology service, or
While we encourage comments on all retention or destruction of consumer when a health technology developer’s
aspects of the MPN, ONC specifically data when the relationship between the product is discontinued.
seeks comment on the topics specified health technology developer and ONC seeks broad input from
below. We note that the MPN does not consumer terminates. stakeholders on updating the MPN so
recommend best practices to health 4. Sharing and storage: What privacy that the tool is useful for current health
technology developers, and we do not and security issues are consumers most technology developers and consumers.
seek recommendations about best concerned about when their information Individuals and organizations with
practices. Rather, ONC seeks comment is being collected, stored, or shared? common interests are urged to both
concerning what information practices Examples could include whether a coordinate and consolidate their
health technology developers should health technology developer stores comments.
disclose to consumers and what information in the cloud or on the Authority: 42 U.S.C. 300jj–11; Office of the
language should be used to describe consumer’s device, or whether the National Coordinator for Health Information
those practices in an updated MPN. information collected is accessed, used, Technology; Delegation of Authority (76 FR
Examples of information practices disclosed, or stored in another country. 58006, Sept. 19, 2011).
below are included to clarify the intent 5. Security and encryption: What Dated: February 23, 2016.
of the questions, but are not intended to information should the MPN convey to Karen DeSalvo,
be exhaustive. ONC invites commenters the consumer regarding specific security
National Coordinator for Health Information
to discuss any examples that are practices, and what level of detail is Technology.
relevant to the broad issues of which appropriate for a consumer to
[FR Doc. 2016–04239 Filed 2–26–16; 4:15 pm]
types of personal information and understand? For example, a health
BILLING CODE 4150–45–P
information practices should be technology developer could state that
addressed in an updated MPN. the product encrypts data at rest, or that
1. User scope: What types of health it uses 128-bit or 256-bit encryption. DEPARTMENT OF HEALTH AND
technology developers, including non- How can information about various HUMAN SERVICES
covered entities and potentially HIPAA- security practices, often technical in
covered entities, could and should use nature, be presented in a way that is Office of the Secretary
an updated voluntary MPN? understandable for the consumer?
2. Information type: What information Examples could include encryption at Health IT Policy Committee and Health
types should be considered in and out rest or encryption in transit, or whether IT Standards Committee: Schedule and
of scope for the MPN? Examples could information is encrypted on the device Recommendations
include, but are not limited to: Names, or in the cloud.
account access information, credit card 6. Access to other device information: AGENCY: Office of the National
numbers, IP address information, social What types of information that an Coordinator for Health Information
security numbers, telephone numbers application is able to access on a Technology, Department of Health and
(cell and landline), GPS or geo-location consumer’s smartphone or computer Human Services.
data, data about how a consumer’s body should be disclosed? How should this ACTION: Notice.
functions ranging from heart rate to be conveyed in the MPN? Examples SUMMARY: This notice fulfills obligations
menstrual cycle, genomic data, and include a health application accessing under the Health Information
the content of a consumer’s text
asabaliauskas on DSK5VPTVN1PROD with NOTICES
exercise duration data such as number Technology for Economic and Clinical
of steps or miles clocked. messages, emails, address books, photo Health (HITECH) Act, Title XIII of
3. Information practices: What types libraries, and phone call information. Division A and Title IV of Division B of
of practices involving the information 7. Format: How should the MPN
the American Recovery and
types listed in Question 2 above should describe practices about the format in
Reinvestment Act of 2009 (Pub. L.
be included in the MPN? An which consumer information is stored
information practice is what the or transmitted (e.g., individually 8 See, e.g., 45 CFR 164.514(a) (HIPAA Privacy
identifiable or de-identified, aggregate, Rule) as a potential standard for de-identification of
7 16 CFR part 318. or anonymized), particularly when their protected health information.
VerDate Sep<11>2014 20:18 Feb 29, 2016 Jkt 238001 PO 00000 Frm 00071 Fmt 4703 Sfmt 4703 E:\FR\FM\01MRN1.SGM 01MRN1](https://thefederalregister.org/doc/81_FR_10674/page/2.svg)
Document Created: 2018-02-02 15:00:22
Document Modified: 2018-02-02 15:00:22
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Notices | |
| Action | Notice with comment; request for information. | |
| Dates | To be assured consideration, electronic comments must be | |
| Contact | Maya Uppaluru or Michael Lipinski, 202-690-7151. | |
| FR Citation | 81 FR 10634 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR