The Consumer Technology Association (CTA) has released new guidance for companies that handle consumer health and wellness data. The guidance, which is voluntary, is designed to give companies that handle health data a basis for establishing consumer trust.
In the document, "Guiding Principles for the Privacy of Personal Health and Wellness Information" (PDF), CTA outlines five principles that organizations can follow in order to be good data stewards.
CTA is a standards and trade organization that serves the needs of over 2,000 technology companies; it also puts on the Consumer Electronics Show (CES) - one of the longest-running technology trade shows - in Las Vegas each year.
The five principles are as follows:
1. Be open and transparent about the personal health information you collect and why.
2. Be careful about how you use personal health information.
3. Make it easy for consumers to access and control the sharing of their personal health information, and empower them to do so.
4. Build strong security into your technology.
5. Be accountable for your practices and promises.
The details of the principles are fairly straightforward. CTA encourages companies to maintain a privacy policy, if they don't already have one, that explains how they collect, use, and share consumer data, and to exercise caution in how that data is used. That includes putting requirements and safeguards in place governing who is allowed to process the data. Companies can also use anonymization or de-identification to reduce the risk the data carries.
In light of recently passed - and soon to take effect - data privacy legislation, CTA also recommends that companies give consumers the ability to access and control how their personal health information is shared, the ability to correct it if it is wrong, and, where the law requires it, the rights to deletion, portability, or objection.
When it comes to safeguarding data, companies should perform regular information security risk assessments to protect the confidentiality and integrity of the data, work with their IT teams to identify and remedy the risks those assessments uncover, and use encryption to protect the data both at rest and in transit.
Lastly, the organization urges companies to appoint a data protection officer, or someone in an equivalent role, to oversee the security and privacy of personal health information, educate staff on the principles, and, where required, report security incidents and breaches involving personal data.
The trade group says it based the principles on existing and developing U.S. law and that its goal is to complement, not supplant, legal requirements. CTA is also leaving the guidance open to broader use: companies that want to apply it to consumer data that isn't health related are free to do so.