In this five-minute video, LDI Senior Fellow Matthew McCoy explains how online consumer data provides a “back door” to the kind of information HIPAA was designed to protect.

The rising era of artificial intelligence, ever greater computing power, massive commercialization of personal consumer data, and the lack of a comprehensive federal privacy law, are rendering the Health Insurance Portability and Accountability Act of 1996 (HIPAA) insufficient to protect personal health data. That’s according to LDI Senior Fellow Matthew McCoy, PhD who discussed the issue in relation to his new paper published in the American Journal of Bioethics, “Ethical Responsibilities for Companies That Process Personal Data.”

The paper lays out an Ethical Data Practices framework designed to both guide corporations in their use of personal data and establish the foundation on which legislation creating a comprehensive national data privacy law could be crafted. Unlike the widely held current view that the privacy regulation of consumer data and health data should be done in two different silos, the framework views both as critical components of the same national solution.

HIPAA-Like Consumer Data

McCoy, an Assistant Professor of Medical Ethics and Health Policy at the University of Pennsylvania’s Perelman School of Medicine, explained that while HIPAA provides robust protections for health information generated during clinical encounters, consumer data collection systems now gather information on purchases, social media use, website visits and myriad other sources that can be collated in ways that are very revealing about an individual’s or a family’s health.

“All that consumer information is outside the purview of HIPAA,” said McCoy. “A view that captures this paradox very nicely, first offered by Timothy Libert and LDI senior Fellows David Grande, MD, MPA, and David Asch, MD, MBA, is that when it comes to protecting health information in the United States, it’s as if the front door is locked by HIPAA, but the back door is wide open.”

The Ethical Data Practices framework developed by the eight-member research team is built around a structure of six underlying principles, the first three of which are substantive principles, and second three are procedural principles:

Practical Imperatives

“What we wanted to do in a very systematic and rigorous way was to ask, ‘What are the foundational ethical principles that we need to start with here?’ And then we worked very deliberately towards a set of practical imperatives for companies that collect and process personal data. That produced a very clear map that companies and regulators could operate from when figuring out how this data ecosystem could work better,” said McCoy.

Backgrounding the team’s work is the fact that the federal government lacks comprehensive privacy and data protection laws. There have been some recent attempts to pass such legislation, but none of those bills have succeeded. The work is also informed by skepticism around the idea that companies’ voluntary compliance with ethical data standards would be sufficient to protect consumers and patients from the kinds of harm inherent in the modern data economy.

Policy Implications

“We know what needs to be done,” said McCoy. “And we’re now at a position where we need to figure out how to actually put that into practice, how to pass legislation and how to build the regulatory apparatus that’s going to be necessary to ultimately make sure that some of these protections can actually be put into law.”

“The implications of this work for policymakers,” McCoy continued, “are that we know what a better privacy and data protection regime would look like, and now it’s incumbent upon policymakers and advocates putting pressure on policymakers, to figure out a way to actually pass legislation and to put into practice the kind of recommendations that we make in this paper.”

~ ~ ~

The three other LDI Senior Fellows who were part of this research team were Anita L. Allen, JD, PhD, a Professor at Penn’s Carey Law School; Steven Joffe, MD, MPH, a Professor at the Perelman School of Medicine; and Ezekiel J. Emanuel, MD, PhD, Penn’s Vice Provost for Global Initiatives and Professor at the Perelman School.


Hoag Levins

Editor, Digital Publications

See More LDI News