Way back in 2009, Congress asked for a report that would essentially outline where HIPAA privacy protections begin and end. It was no small task. In fact, it took nearly seven years before the U.S. Department of Health and Human Services published a report to that effect. It was clear from the report that health wearables and other fitness trackers were quickly outpacing HIPAA's mandate and general consumer awareness.

To help empower consumers and aid mobile health app developers, the HHS's Office of the National Coordinator for Health Information Technology announced a Privacy Policy Snapshot Challenge last December aiming to create a new Model Privacy Notice generator addressing health wearables. 

Earlier this week, the ONC awarded Enterprivacy Consulting Group's Jason Cronk, CIPP/US, CIPM, CIPT, FIP, and George Washington University Law Professor Daniel Solove $20,000 for their MPN generator. The ONC also awarded second and third place awards to 1upHealth and MadeClear.io respectively. 

"Compared to when the original (MPN) was released in 2011, the consumer-facing health IT market now features a much larger variety of digital health technologies that collect information," said Principal Deputy National Coordinator for Health IT Genevieve Morris in a press release. "The winners designed innovative tools that will help make privacy notices easier for consumers to understand, so they can know how and why their health information is being shared."

Cronk and Solove's generator is smartly simple and easy to use. It includes a side-by-side feature that updates the notice in real time to ensure the developer can assess whether each section has been addressed. It also features icons and a privacy nutrition-style label to aid comprehension.

"Many app developers don't have privacy expertise," Cronk pointed out to Privacy Tech during a phone conversation. "Plus, many startups and small companies don't have the resources to hire an outside privacy attorney" to help put together a comprehensive privacy notice. He said it's a daunting task for developers, who often end up copying and pasting privacy notices from other companies, if they post a notice at all.

Cronk said this generator will be useful for health wearables, exercise tracking, and pill announcements, among others. 

"We wanted a nice clean format with software to help the mobile health developer," he said. "We created a simple form that asks MPN questions. As you answer, it builds the notice for you in a nice graphic form that is pleasant to the eye." He also said he and Solove ran it through a number of online testing tools to ensure appropriate color contrast and that it's HTML5-compliant to avoid messing up screen readers. 

After a developer goes through the questionnaire and fills in the necessary data, she can scroll to the bottom of the MPN and copy and paste the code right to her website. 

One edge Cronk recognized, as both a lawyer and engineer, was the precise language in the ONC announcement. "I felt tech respondents (to the contest) would have missed the law nuances," he said. He also said they received consumer feedback prior to and after building out the generator. He said this provided significant feedback for comprehension and usability. 

Though it's designed for the health wearable space, Cronk said he and Solove think it could potentially be used elsewhere for other applications. "We are thinking about taking this template to other very narrow use cases," he said. "Can we develop a generator for a smart meter or another narrow category?" 

Stay tuned. Perhaps there will be one on the horizon. 
