81 FR 90367 - Announcement of Requirements and Registration for “Privacy Policy Snapshot Challenge”
DEPARTMENT OF HEALTH AND HUMAN SERVICES Federal Register Volume 81, Issue 240 (December 14, 2016)
Federal Register Volume 81, Issue 240 (December 14, 2016)
| Page Range | 90367-90369 | |
| FR Document | 2016-29718 |
[Federal Register Volume 81, Number 240 (Wednesday, December 14, 2016)] [Notices] [Pages 90367-90369] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2016-29718] ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Announcement of Requirements and Registration for ``Privacy Policy Snapshot Challenge'' AGENCY: Office of the National Coordinator for Health Information Technology, HHS. ACTION: Notice. ----------------------------------------------------------------------- SUMMARY: The Model Privacy Notice (MPN) is a voluntary, openly available resource designed to help health technology developers who collect digital health data clearly convey information about their privacy and security policies to their users. Similar to a nutrition facts label, the MPN provides a snapshot of a product's existing privacy practices, encouraging transparency and helping consumers make informed choices when selecting products. The MPN does not mandate specific policies or substitute for more comprehensive or detailed privacy policies. The Privacy Policy Snapshot Challenge is a call for designers, developers, and health data privacy experts to create an online MPN generator. The statutory authority for this Challenge is Section 105 of the America COMPETES Reauthorization Act of 2010 (Pub. L. 111-358). DATES:Submission period begins: December 13, 2016 Submission period ends: April 10, 2017 Winners announced: May-June, 2017 FOR FURTHER INFORMATION CONTACT: Adam Wong, [email protected] (preferred), 202-720-2866. SUPPLEMENTARY INFORMATION: Award Approving Official B. Vindell Washington, National Coordinator for Health Information Technology Subject of Challenge In 2011, the Office of the National Coordinator for Health Information Technology (ONC) collaborated with the Federal Trade Commission (FTC) and released a Model Privacy Notice (MPN) focused on personal health records (PHRs), which were the emerging technology at the time (view 2011 PHR MPN). The project's goals were to increase consumers' awareness of companies' PHR data practices and empower consumers by providing them with an easy way to compare the data practices of two or more PHR companies. In the last five years, the health information technology market has changed significantly and there is now a larger variety of products such as mobile applications and wearable devices that collect digital health data. ONC recognized a need to update the MPN to make it applicable to a broad range of consumer health technologies beyond PHRs. More and more individuals are obtaining access to their electronic health information and using consumer health technology to manage this information. As retail products that collect digital health data directly from consumers are used, such as exercise trackers, it is increasingly important for consumers to be aware of companies' privacy and security policies and information sharing practices. Health technology developers can use the MPN to easily enter their information practices and produce a notice to allow consumers to quickly learn and understand privacy policies, compare company policies, and make informed decisions. Many consumer health technologies are offered by organizations that are not subject to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security standards. This is detailed in the HHS report, Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA, released in July 2016 by ONC's Office of the Chief Privacy Officer with the cooperation of the HHS Office for Civil Rights (OCR) and the FTC. The Privacy Policy Snapshot Challenge leverages updated content developed recently by ONC, with feedback from OCR, FTC, and other private and public stakeholders. The [[Page 90368]] content also underwent informal consumer testing. The Privacy Policy Snapshot Challenge provides an award to the creators of the best MPN generator that produces a customizable MPN for health technology developers. The Challenge is a call for designers, developers, and health data privacy experts to create an online MPN generator that is easy for health technology developers to use in customizing a privacy notice that is compelling and understandable to consumers. Submissions will provide the code for an open source, web-based tool that allows health technology developers who collect digital health data to generate a customized privacy notice. The MPN generator must be able to produce privacy notices that adhere to the MPN content yet provide for customization by a health technology developer. Visit https://www.healthit.gov/sites/default/files/2016_model_privacy_notice.pdf to download the MPN. The code for the web-based generator must be posted to GitHub and be available through an open source license such that any app developer can implement and use it. The solution should be developed as an HTML Web page styled using CSS (or SASS) that is powered by a framework, library, or plugin developed in JavaScript that is packaged and made available as one of the following: JQuery Plugin Node.JS Module Standalone Script The final output of a successful submission is an MPN generator that can create customized privacy notices that would be accessible from an app or other consumer health technology; the privacy notices must, following the MPN, inform and educate the app or technology user so that they understand how the app or technology uses their personal health data. What the privacy notices created by the MPN generator look like and how they educate the user is up to the submitter--for example, the notices can be interactive or use graphics and images; however, it cannot be a simple static document such as a pdf. The MPN generator should create privacy notices that factor in accessibility, clean web design, and the differences between reading and understanding content on paper versus online, for which resources like Health Literacy Online (https://health.gov/healthliteracyonline/), the Draft U.S. Web Design Standards (https://standards.usa.gov/getting-started/), and Usability.gov can be helpful. Submitters are also required to undertake consumer testing of the final customizable MPN produced by the MPN generator, which is intended to help bring in direct user feedback. Testing can be formal (such as standardized assessments or focus groups) or informal (such as among family members or individuals in a waiting room). Submitters must provide evidence of testing with at least five people. A larger amount of time spent with each tester, greater formal rigor, and the number and diversity of people used for testing will result in a more positive assessment under the selection criteria. Evidence demonstrating consumer testing could include sample feedback, quotes, or pictures, and should include how it affected development of the language, design, and/or structure of the customizable MPN. Resources like https://methods.18f.gov/discover/stakeholder-and-user-interviews/ can help. Submission Requirements Submitters must submit the following through the challenge Web page: Framework, library, or plugin file(s) for the MPN generator. ReadMe file that documents usage and installation instructions and system requirements (including supported browsers). Link to a demo Web page of the MPN generator. Slide deck of no more than ten slides that describes how the submission functions, addresses the application requirements, and includes evidence of consumer testing of the customizable MPN with a minimum of five people. Video demo (five minute maximum) showing implementation and use of the MPN generator and creation of the customizable MPN, and may also address consumer testing. Link to a GitHub Repository that includes the submission elements above. Submitters can make the Repository private so that their code is not out in the open during the submission and review phase, but are required to make it public if designated as challenge winners. How to Enter To enter this Challenge, submitters can access http://www.challenge.gov and search for ``Privacy Policy Snapshot Challenge.'' On the challenge Web page, click ``Submit Solution'' and follow the instructions. Eligibility Rules for Participating in the Challenge To be eligible to win a prize under this Challenge, an individual or entity: 1. Shall have registered to participate in the Challenge under the rules promulgated by ONC. 2. Shall have complied with all the stated requirements of the Privacy Policy Snapshot Challenge (parentheses above). 3. In the case of a private entity, shall be incorporated in and maintained a primary place of business in the United States, and in the case of an individual, whether participating singly or in a group, shall be a citizen or permanent resident of the United States. 4. Shall not be an HHS employee. 5. May not be a federal entity or federal employee acting within the scope of their employment. We recommend that all non-HHS federal employees consult with their agency Ethics Official to determine whether the federal ethics rules will limit or prohibit the acceptance of a COMPETES Act prize. 6. Federal grantees may not use federal funds to develop COMPETES Act challenge applications unless consistent with the purpose of their grant award. 7. Federal contractors may not use federal funds from a contract to develop COMPETES Act challenge applications or to fund efforts in support of a COMPETES Act challenge submission. 8. All individual members of a team must meet the eligibility requirements. An individual or entity shall not be deemed ineligible because the individual or entity used federal facilities or consulted with federal employees during a Challenge if the facilities and employees are made available to all individuals and entities participating in the Challenge on an equitable basis. Participants must agree to assume any and all risks and waive claims against the Federal Government and its related entities, except in the case of willful misconduct, for any injury, death, damage, or loss of property, revenue, or profits, whether direct, indirect, or consequential, arising from my participation in this prize contest, whether the injury, death, damage, or loss arises through negligence or otherwise. Participants are required to obtain liability insurance or demonstrate financial responsibility in the amount of $500,000, for claims by a third party for death, bodily injury, or property damage, or loss resulting from an activity carried out in connection with participation in a Challenge. [[Page 90369]] Participants must also agree to indemnify the Federal Government against third party claims for damages arising from or related to Challenge activities. General Submission Requirements In order for a submission to be eligible to win this Challenge, it must meet the following requirements: 1. No HHS or ONC logo--The product must not use HHS' or ONC's logos or official seals and must not claim endorsement. 2. Functionality/Accuracy--A product may be disqualified if it fails to function as expressed in the description provided by the Submitter, or if it provides inaccurate or incomplete information. 3. Security--Submissions must be free of malware. Submitter agrees that ONC may conduct testing on the product to determine whether malware or other security threats may be present. ONC may disqualify the submission if, in ONC's judgment, it may damage government or others' equipment or operating environment. Prize Total: $35,000 in prizes First Place: $20,000 Second Place: $10,000 Third Place: $5,000 Payment of the Prize Prize will be paid by a contractor. Basis Upon Which Winner Will Be Selected The review panel will make selections based upon the following criteria: Accurate use of MPN content, including appropriate modification of flexible language and no deviation from standardized language. Use and demonstration of best practices in developing and presenting web content for consumption, including consumer testing, web design, and accessibility, as exemplified in the resources provided above. Visual appeal of the generated MPN. Ease of use for a developer to implement and use the MPN generator, including ability to customize the MPN. Additional Information General Conditions: ONC reserves the right to cancel, suspend, and/ or modify the Challenge, or any part of it, for any reason, at ONC's sole discretion. Access: Submitters must keep the submission and its component elements public, open, and available for anyone (i.e., not on a private or limited access setting) on GitHub. Open Source License: Winning submissions must use the open source MIT License. Representation, Warranties and Indemnification By entering the Challenge, each applicant represents, warrants and covenants as follows: (a) Participant is the sole author, creator, and owner of the Submission; (b) The Submission is not the subject of any actual or threatened litigation or claim; (c) The Submission does not and will not violate or infringe upon the intellectual property rights, privacy rights, publicity rights, or other legal rights of any third party; (d) The Submission does not and will not contain any harmful computer code (sometimes referred to as ``malware,'' ``viruses,'' or ``worms''); and (e) The Submission, and participants' use of the Submission, does not and will not violate any applicable laws or regulations, including, without limitation, HIPAA, applicable export control laws and regulations of the U.S. and other jurisdictions. If the submission includes any third party works (such as third party content or open source code), participant must be able to provide, upon request, documentation of all appropriate licenses and releases for such third party works. If participant cannot provide documentation of all required licenses and releases, ONC reserves the right, at their sole discretion, to disqualify the applicable submission. Participants must indemnify, defend, and hold harmless the Federal Government from and against all third party claims, actions, or proceedings of any kind and from any and all damages, liabilities, costs, and expenses relating to or arising from participant's submission or any breach or alleged breach of any of the representations, warranties, and covenants of participant hereunder. ONC reserves the right to disqualify any submission that, in their discretion, deems to violate these Official Rules, Terms & Conditions. Authority: 15 U.S.C. 3719 Dated: December 7, 2016. Jon White, Deputy National Coordinator for Health Information Technology. [FR Doc. 2016-29718 Filed 12-13-16; 8:45 am] BILLING CODE 4150-45-P
![Federal Register / Vol. 81, No. 240 / Wednesday, December 14, 2016 / Notices 90367
unconfirmed, unreliable, or lacks number 1500027 to identify the FOR FURTHER INFORMATION CONTACT:
sufficient strength of evidence is not an guidance you are requesting. Adam Wong, adam.wong@hhs.gov
emerging signal. (preferred), 202–720–2866.
IV. Paperwork Reduction Act of 1995
This guidance describes the factors SUPPLEMENTARY INFORMATION:
CDRH intends to consider in deciding This guidance refers to previously
approved collections of information Award Approving Official
whether to notify the public about
emerging signals and the processes and found in FDA regulations. These B. Vindell Washington, National
timelines it intends to follow in issuing collections of information are subject to Coordinator for Health Information
and updating the notification. Timely review by the Office of Management and Technology
notification about those emerging Budget (OMB) under the Paperwork
Reduction Act of 1995 (44 U.S.C. 3501– Subject of Challenge
signals based on the factors described in
this guidance document is intended to 3520). The collections of information in In 2011, the Office of the National
provide health care providers, patients, 21 CFR parts 801, regarding labeling, Coordinator for Health Information
and consumers with access to the most have been approved under OMB control Technology (ONC) collaborated with the
current information concerning the number 0910–0485 and the collections Federal Trade Commission (FTC) and
performance and potential benefits and of information in 21 CFR part 803, released a Model Privacy Notice (MPN)
risks of marketed medical devices so regarding medical device reporting, focused on personal health records
that they can make informed patient have been approved under OMB control (PHRs), which were the emerging
management decisions about their numbers 0910–0291, 0910–0437, and technology at the time (view 2011 PHR
treatment and diagnostic options. 0910–0471. MPN). The project’s goals were to
In the Federal Register of December increase consumers’ awareness of
Dated: December 9, 2016.
companies’ PHR data practices and
31, 2015 (80 FR 81829), FDA announced Leslie Kux, empower consumers by providing them
the availability of the draft of this Associate Commissioner for Policy. with an easy way to compare the data
guidance. Interested persons were [FR Doc. 2016–29989 Filed 12–13–16; 8:45 am] practices of two or more PHR
invited to comment by February 29, BILLING CODE 4164–01–P companies. In the last five years, the
2016. In the Federal Register of January
health information technology market
27, 2016 (81 FR 4632), FDA extended
has changed significantly and there is
the comment period to March 29, 2016. DEPARTMENT OF HEALTH AND now a larger variety of products such as
FDA received and considered 21 sets of HUMAN SERVICES mobile applications and wearable
public comments and revised the
devices that collect digital health data.
guidance as appropriate. CDRH also Announcement of Requirements and ONC recognized a need to update the
intends to provide periodic public Registration for ‘‘Privacy Policy MPN to make it applicable to a broad
updates on the implementation of this Snapshot Challenge’’ range of consumer health technologies
guidance. beyond PHRs. More and more
AGENCY: Office of the National
II. Significance of Guidance Coordinator for Health Information individuals are obtaining access to their
Technology, HHS. electronic health information and using
This guidance is being issued consumer health technology to manage
consistent with FDA’s good guidance ACTION: Notice.
this information. As retail products that
practices regulation (21 CFR 10.115). collect digital health data directly from
The guidance represents the current SUMMARY: The Model Privacy Notice
(MPN) is a voluntary, openly available consumers are used, such as exercise
thinking of FDA on ‘‘Public Notification trackers, it is increasingly important for
of Emerging Postmarket Medical Device resource designed to help health
technology developers who collect consumers to be aware of companies’
Signals (’Emerging Signals’).’’ It does privacy and security policies and
not establish any rights for any person digital health data clearly convey
information about their privacy and information sharing practices. Health
and is not binding on FDA or the public. technology developers can use the MPN
You can use an alternative approach if security policies to their users. Similar
to easily enter their information
it satisfies the requirements of the to a nutrition facts label, the MPN
practices and produce a notice to allow
applicable statutes and regulations. provides a snapshot of a product’s
consumers to quickly learn and
existing privacy practices, encouraging
III. Electronic Access understand privacy policies, compare
transparency and helping consumers
company policies, and make informed
Persons interested in obtaining a copy make informed choices when selecting
decisions. Many consumer health
of the guidance may do so by products. The MPN does not mandate
technologies are offered by
downloading an electronic copy from specific policies or substitute for more
organizations that are not subject to the
the Internet. A search capability for all comprehensive or detailed privacy
Health Insurance Portability and
Center for Devices and Radiological policies. The Privacy Policy Snapshot
Accountability Act (HIPAA) privacy and
Health guidance documents is available Challenge is a call for designers, security standards. This is detailed in
at http://www.fda.gov/MedicalDevices/ developers, and health data privacy the HHS report, Examining Oversight of
DeviceRegulationandGuidance/ experts to create an online MPN the Privacy & Security of Health Data
GuidanceDocuments/default.htm. generator. The statutory authority for Collected by Entities Not Regulated by
Guidance documents are also available this Challenge is Section 105 of the HIPAA, released in July 2016 by ONC’s
at http://www.regulations.gov. Persons America COMPETES Reauthorization
sradovich on DSK3GMQ082PROD with NOTICES
Office of the Chief Privacy Officer with
unable to download an electronic copy Act of 2010 (Pub. L. 111–358). the cooperation of the HHS Office for
of ‘‘Public Notification of Emerging DATES: Civil Rights (OCR) and the FTC.
Postmarket Medical Device Signals • Submission period begins: December The Privacy Policy Snapshot
(’Emerging Signals’)’’ may send an email 13, 2016 Challenge leverages updated content
request to CDRH-Guidance@fda.hhs.gov • Submission period ends: April 10, developed recently by ONC, with
to receive an electronic copy of the 2017 feedback from OCR, FTC, and other
document. Please use the document • Winners announced: May-June, 2017 private and public stakeholders. The
VerDate Sep<11>2014 18:45 Dec 13, 2016 Jkt 241001 PO 00000 Frm 00050 Fmt 4703 Sfmt 4703 E:\FR\FM\14DEN1.SGM 14DEN1](https://thefederalregister.org/doc/81_FR_90607/page/1.svg)
![Federal Register / Vol. 81, No. 240 / Wednesday, December 14, 2016 / Notices 90369
Participants must also agree to Open Source License: Winning DEPARTMENT OF HEALTH AND
indemnify the Federal Government submissions must use the open source HUMAN SERVICES
against third party claims for damages MIT License.
arising from or related to Challenge Meeting of the National Advisory
activities. Representation, Warranties and Committee on Children and Disasters
Indemnification and the National Preparedness and
General Submission Requirements Response Science Board
By entering the Challenge, each
In order for a submission to be eligible
applicant represents, warrants and AGENCY: Department of Health and
to win this Challenge, it must meet the
following requirements: covenants as follows: Human Services, Office of the Secretary.
1. No HHS or ONC logo—The product (a) Participant is the sole author, ACTION: Notice.
must not use HHS’ or ONC’s logos or creator, and owner of the Submission; SUMMARY: As stipulated by the Federal
official seals and must not claim (b) The Submission is not the subject Advisory Committee Act, the
endorsement. of any actual or threatened litigation or Department of Health and Human
2. Functionality/Accuracy—A claim; Services (HHS) is hereby giving notice
product may be disqualified if it fails to that the National Advisory Committee
function as expressed in the description (c) The Submission does not and will
not violate or infringe upon the on Children and Disasters (NACCD) and
provided by the Submitter, or if it the National Preparedness and Response
provides inaccurate or incomplete intellectual property rights, privacy
rights, publicity rights, or other legal Science Board (NPRSB) will be holding
information. a joint public teleconference.
3. Security—Submissions must be free rights of any third party;
DATES: The NACCD and NPRSB will
of malware. Submitter agrees that ONC (d) The Submission does not and will
may conduct testing on the product to hold a joint public meeting on January
not contain any harmful computer code 9, 2017, from 2:00 p.m. to 3:00 p.m.
determine whether malware or other (sometimes referred to as ‘‘malware,’’
security threats may be present. ONC EST. The agenda is subject to change as
‘‘viruses,’’ or ‘‘worms’’); and priorities dictate.
may disqualify the submission if, in
(e) The Submission, and participants’ ADDRESSES: Individuals who wish to
ONC’s judgment, it may damage
use of the Submission, does not and will participate should send an email to
government or others’ equipment or
operating environment. not violate any applicable laws or naccd@hhs.gov and nprsb@hhs.gov with
regulations, including, without ‘‘NACCD Registration’’ or ‘‘NPRSB
Prize limitation, HIPAA, applicable export Registration’’ in the subject line. The
• Total: $35,000 in prizes control laws and regulations of the U.S. meeting will occur by teleconference.
• First Place: $20,000 and other jurisdictions. To attend via teleconference and for
• Second Place: $10,000 If the submission includes any third further instructions, please visit the
• Third Place: $5,000 party works (such as third party content NACCD and NPRSB Web sites at
or open source code), participant must www.phe.gov/naccd or www.phe.gov/
Payment of the Prize nprsb.
be able to provide, upon request,
Prize will be paid by a contractor. documentation of all appropriate FOR FURTHER INFORMATION CONTACT:
Basis Upon Which Winner Will Be licenses and releases for such third Please submit an inquiry via the NPRSB
Selected party works. If participant cannot Contact Form or the NACCD Contact
provide documentation of all required Form located at www.phe.gov/
The review panel will make selections
licenses and releases, ONC reserves the NACCDComments or www.phe.gov/
based upon the following criteria:
right, at their sole discretion, to NBSBComments.
• Accurate use of MPN content,
including appropriate modification of disqualify the applicable submission. SUPPLEMENTARY INFORMATION: Pursuant
flexible language and no deviation from Participants must indemnify, defend, to the Federal Advisory Committee Act
standardized language. and hold harmless the Federal (FACA) of 1972 (5 U.S.C., Appendix, as
• Use and demonstration of best Government from and against all third amended), and section 2811A of the
practices in developing and presenting party claims, actions, or proceedings of Public Health Service (PHS) Act (42
web content for consumption, including any kind and from any and all damages, U.S.C. 300hh–10a), as added by section
consumer testing, web design, and liabilities, costs, and expenses relating 103 of the Pandemic and All Hazards
accessibility, as exemplified in the to or arising from participant’s Preparedness Reauthorization Act of
resources provided above. submission or any breach or alleged 2013 (Pub. L. 113–5), the HHS
• Visual appeal of the generated breach of any of the representations, Secretary, in consultation with the
MPN. warranties, and covenants of participant Secretary of the U.S. Department of
• Ease of use for a developer to hereunder. Homeland Security, established the
implement and use the MPN generator, NACCD. The purpose of the NACCD is
ONC reserves the right to disqualify to provide advice and consultation to
including ability to customize the MPN.
any submission that, in their discretion, the HHS Secretary with respect to the
Additional Information deems to violate these Official Rules, medical and public health needs of
General Conditions: ONC reserves the Terms & Conditions. children in relation to disasters.
right to cancel, suspend, and/or modify Pursuant to section 319M of the PHS
sradovich on DSK3GMQ082PROD with NOTICES
Authority: 15 U.S.C. 3719
the Challenge, or any part of it, for any Dated: December 7, 2016.
Act (42 U.S.C. 247d–7f) and section 222
reason, at ONC’s sole discretion. of the PHS Act (42 U.S.C. 217a), HHS
Access: Submitters must keep the Jon White, established the NPRSB. The NPRSB
submission and its component elements Deputy National Coordinator for Health shall provide expert advice and
public, open, and available for anyone Information Technology. guidance to the Secretary on scientific,
(i.e., not on a private or limited access [FR Doc. 2016–29718 Filed 12–13–16; 8:45 am] technical, and other matters of special
setting) on GitHub. BILLING CODE 4150–45–P interest to HHS regarding current and
VerDate Sep<11>2014 18:45 Dec 13, 2016 Jkt 241001 PO 00000 Frm 00052 Fmt 4703 Sfmt 4703 E:\FR\FM\14DEN1.SGM 14DEN1](https://thefederalregister.org/doc/81_FR_90607/page/3.svg)
Document Created: 2016-12-14 00:48:33
Document Modified: 2016-12-14 00:48:33
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Notices | |
| Action | Notice. | |
| Dates | <bullet> Submission period begins: December 13, 2016 <bullet> Submission period ends: April 10, 2017 <bullet> Winners announced: May-June, 2017 | |
| Contact | Adam Wong, [email protected] (preferred), 202-720-2866. | |
| FR Citation | 81 FR 90367 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR