Regardless of your personal perspective on the recent U.S. Supreme Court ruling overturning the constitutionality of family planning services, the ripple effects this decision will have on our industry are more than subtle: they will approach the magnitude of a tidal wave. We all know that consumers have consented to end-user licensing agreements (EULAs) for apps that they use without regard to the details regarding how long their data will be shared and how it will be used. When combined with other data that comes from the device itself (such as geographic data and usage data) or data that is readily available through a data broker, that data can now be used to accuse someone of committing a crime and even putting them in jail.

If, on the other hand, you think that the data being shared is not important or relevant, consider the recently released information that some U.S. hospitals and provider practices are sharing personal health information and personally identifiable data (PHI and PII, respectively), with Facebook via its Meta Pixel tracking feature. Yes, this includes what type of services you’re browsing and even what medications you’re using or browsing for consideration.

Although the Federal Trade Commission and the U.S. Department of Health and Human Services Agency have started issuing guidance on protecting and sharing patient data, the fact remains: your personal information has been shared and stored across many platforms. And now the manufacturers and customers of these products must grapple with how that data is stored, protected and available for legal review, if necessary.

In short, there is no doubt that how we manage sensitive data is going to become a primary focus of our industry for at least the next 5–10 years. We need a new approach to sensitive data management that gives us the flexibility and ongoing monitoring that will be required for the healthcare providers and patients who will be working to provide and receive services in this turbulent, almost chaotic environment. Because we don’t have a single national data privacy law in the U.S., we have more than 50 (counting US territories) data privacy laws. Adding to the complexity, layered on top of this fragmented, non-universal approach to privacy, is the existing and currently proposed privacy legislation of our international clients.

It’s easy to see that the old go-to plan of “following the rule (or spirit) of the law” isn’t going to be satisfactory because the meaning of “the law” changes based on where and what type of services are being offered and provided to patients and their families. Too many in our industry have kicked the can down the road by thinking that satisfying the very broad requirements of HIPAA satisfies the obligation to protect provider and patient data. Those days are now behind us. Welcome to the Wild West of Sensitive Data Protection.

At Altera Digital Health, we’re making these conversations specific by focusing on scenarios:

• Are we sharing PHI or PII with Facebook, Apple, Google or a similar data aggregator? Answer: we aren’t.
• How are we going to ensure a minor’s data is adequately labeled and protected?
• How are we going to audit the request and provision of family planning services to patients that cross legal boundaries to seek care?
• How are we going to monitor and protect patient data for teleservices for what some US states will see as “highly controlled” and/or illegal substances?
• Should all family planning services be shared with insurers now?
• Will there be a state or national data registry that we have to provide data to?
• How are we going to protect the data that we do share, when required?

Again, the answers to these questions are complex. At Altera, we have a baseline of data protection standards that are the best way to prepare us for these new times: our OneVision security framework. OneVision has a dedicated collection of standards specific to protecting sensitive data, starting with documenting where sensitive data is acquired, where it is stored and where it exits the product or platform. It continues by dictating how to label and respect privacy-related tags in the data that you receive and the data that you share, as well as how these interactions are stored, audited, used for forensic and auditing purposes.

Finally, it’s worth restating that the world of privacy is shifting, and new legislation is being proposed in the U.S. and in other countries that forces new mandates on how we treat data. At Altera, we have certified Privacy Subject Matter Experts who can help you understand and navigate how to begin protecting data and satisfying the nuances of legal data requests, technical data sharing arrangements and regulatory requirements. For more about Altera’s cybersecurity, go here.