The views expressed by contributors are their own and not the view of The Hill

Americans’ data should be protected, no matter who holds it

by Steve Forbes, opinion contributor - 03/09/22 12:30 PM ET

Getty Images
Tech giants may rely more on European Union laws than U.S. laws to police what happens on their sites.

The recent appointment of Alan Davidson to head the National Telecommunications and Information Administration with a focus on privacy and Big Tech gives the Biden administration a huge opportunity to put data privacy back where it belongs — in the hands of Americans. Among his first orders of business should be closing a major regulatory loophole that could allow Big Tech to exploit Americans’ most sensitive health information.

The background is simple. Most companies that deal with health data — from hospitals to the technology companies that create and manage electronic health records (EHRs) — have to abide by strict regulations governing the use of patient data. The rules are in place to protect patient privacy, an important goal in the age of data breaches and identity theft.

But the Big Tech companies Biden claims to be committed to reining in are exploiting a massive loophole in these protections. As “technology” companies, they can release health applications for smartphones that are not subject to the same regulations, even though in some cases they connect to and siphon data from the user’s protected EHR.

Once private data moves from the EHR to the app, it isn’t protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Nor is data the user gives to the app directly that a reasonable person would consider private health information. App makers aren’t accountable for storing it safely in the cloud. And they can sell your data to the highest bidder with little more consent than a perfunctory check box on the terms of service the app makers know no one reads. Even more concerning is that some of these apps want to use government mandates to not just take user data from the EHR, but also to write their own information into the EHR with little regulatory oversight.

A federal lawsuit filed in California last year highlights the risks consumers face when using health apps that don’t protect their data. The plaintiffs allege that a fertility-tracking app shared their sensitive personal data with Big Tech companies so they could sell them targeted advertising. A regulated electronic health record could never use a patient’s personal data in this way, so why do we allow apps to do so?

There is an effort underway to make sure that private health data shared with these apps falls under the same regulatory structure. In a recent letter to the Office of the National Coordinator for Health Information Technology and the Centers for Medicare and Medicaid Services, a group of associations using and overseeing EHRs asked the regulators to include apps and the like under the same rules.

And there is now a bipartisan effort led by Sens. Tammy Baldwin (D-Wis.) and Bill Cassidy (R-La.) to examine the way this loophole can harm patients and determine a fair way to regulate how Big Tech uses personal information without hampering important innovation.

It’s common sense. Your data should be protected no matter who holds it. If an app functions like an EHR, it should have to protect your data the same way an EHR does. The Biden administration has made a lot of noise about reigning in Big Tech, yet so far has not addressed a loophole that gives these companies tremendous power over users’ most sensitive data. President Biden and leaders such as Alan Davidson would do well to endorse the efforts to close this loophole and ensure that Americans’ personal health information is protected no matter who holds it.

Steve Forbes is chairman and editor-in-chief of Forbes Media. Follow him on Twitter @SteveForbesCEO.