The American Data Privacy and Protection Act (ADPPA) is widely considered the best opportunity in a generation for comprehensive federal privacy legislation. The future of population health informatics hinges on public health professionals’ involvement in the debate over new privacy laws such as the ADPPA. The 2017 World Health Organization (WHO) Guidelines on Ethical Issues in Public Health Surveillance provide excellent guiding principles to identify and communicate public health needs and priorities in proposed privacy legislation. Carefully crafted protections could establish a new social contract: When an individual contributes data to help their community, that data will not be used against the individual.
First and foremost, public health stakeholders must speak up to ensure that any new law does no harm to existing public health data flows. Second, they must ensure that any new laws provide public health informatics room to evolve and develop under appropriate governance. Finally, they should seek laws that satisfy ethical standards for public health data uses.
Opportunity For Comprehensive Federal Privacy Legislation
Recently, draft federal privacy legislation—the American Data Privacy and Protection Act—was introduced in Congress with broad House and Senate support. Like recent federal and state privacy bills before it, however, the ADPPA’s drafting process has unfortunately lacked guidance from a public health community already burdened with the challenges of the pandemic response. Among other things, the ADPPA conspicuously lacks express provisions that legitimize data collection or transfer for public health purposes, and may impose new legal restrictions, including restrictions on secondary data uses of demographic data collected by nonprofits to promote population health. Although proponents of general privacy legislation have rightly focused on ensuring robust protections for sensitive health data use in the commercial sector, the legislative process has lacked strong public health voices to help ensure that new legislative guardrails on data use do not also inadvertently burden public health informatics.
Data privacy laws that permit personal information, beyond health records, to be used for public health purposes are essential to enable cross-sector data sharing and promote population health. The future of public health informatics—such as precision public health applied to chronic, acute, and infectious conditions—depends on the ability to leverage and link non-traditional and heterogeneous data sources for public health purposes. These linkages require reconciling the different legal protections applying to different data, such as HIPAA-regulated data, non-HIPAA health data (for example, mobile health apps), and health-adjacent data (for example, social determinants). However, general privacy law is becoming increasingly fragmented, with five states already having adopted comprehensive privacy statutes, each different from the others. A comprehensive national privacy law—such as the ADPPA—presents an opportunity to address public health data-sharing challenges by partially harmonizing a patchwork of US data privacy laws that often inhibits data integration across silos and sectors.
The current flurry of legislative activity—at both state and federal levels—also threatens to block routes to codify public health ethics principles in privacy legislation. But public health professionals, experts, and stakeholders can still get a foot in the door to join the debates.
An Ethical Framework For Data Protection And Public Health
The 2017 WHO Guidelines on Ethical Issues in Public Health Surveillance provide excellent guiding principles to identify and communicate public health needs and priorities in proposed privacy legislation. They impose on governments an ethical obligation to conduct public health surveillance. Consequently, public health stakeholders should be vigilant so proposed privacy legislation does not interrupt or impede existing legitimate public health data flows. The best way to protect and enable public health analytics is to include exceptions that expressly permit protected data to be re-used for public health purposes. The WHO guidelines also stress the importance of the values and concerns of communities in all stages of public health surveillance. Notably, a 2020 survey of the US public shows that using data to promote population health is significantly more acceptable than other data uses—such as commercial and law enforcement uses—that are typically permitted in privacy laws. This and similar evidence can be persuasive to policy makers who are concerned about their constituencies’ needs and views.
Good governance and policy guardrails are central to many of the WHO guidelines to ensure that public health professionals use data ethically and only for legitimate public health purposes. For example, transparency measures—such as public notice requirements—empower individuals’ decision making and enable accountability for organizations and government entities. Consequently, public health stakeholders must ensure that new privacy laws do not excessively favor public health uses and permit data to be used without appropriate protections and limitations.
Similarly, the WHO guidelines take a hard stance on the secondary use of public health data for purposes unrelated to public health. Specifically, the guidelines argue that public health data should not be shared with “agencies that are likely to take action against individuals.” In a post-Roe v. Wade world, there is increasing concern and distrust that governments will acquire and use private data against individuals; for example, by using data from a period-tracking app to determine whether a pregnancy occurred. To prevent law enforcement overreach, it may be necessary to consider additional protections for data that public health authorities receive. For example, there are strong protections against law enforcement uses in the legal framework for substance use disorder treatment records. In fact, a group of 30 senators have asked the administration to update HIPPA regulations to prevent such overreach. Similar, and carefully crafted, protections in new privacy legislation could serve a foundation for a new social contract: When an individual contributes data to help their community, that data will not be used against the individual.
State Acts So Far Have Disappointed
Unfortunately, the comprehensive state privacy acts passed so far have fallen short of these expectations of ethical access. As of this writing, the following states have adopted comprehensive data privacy legislation (listed in chronological order of passage): California, Virginia, Colorado, Utah, and Connecticut. A recent analysis of the California, Virginia, and Colorado acts showed that while the California and Colorado acts broadly support public health data practices, the Virginia act risks curtailing them in important ways, and the Colorado act may not meet ethical standards for providing notice to data subjects.
There Is Still Time For Public Health To Get A Foot In The Door
There is still time for public health to get its foot in the door, and thus to enter the debate and ensure effective and ethical public health provisions in new legislation. Although the ADPPA passed out of the House Energy and Commerce Committee on a solidly bipartisan 52-to-2 vote, Senator Nancy Pelosi has withheld the bill from a floor vote, citing concerns that the law does not provide the extensive protections that she asserts the California law provides. The Federal Trade Commission also recently gave a notice of proposed rule-making, inviting the public and interested groups to comment on whether it “should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data.”
In the flux of debates over new US data protection laws, public health has opportunities for greater access to critical data. But the legislative debate has to date been driven by divergent viewpoints between industry and privacy advocates on the appropriate scope of commercial data practices and over the scope of preemption of state laws (such as California’s) regulating commercial data use. Public health perspectives have largely been absent. Without public health engagement, new laws may not enhance access to data for public health purposes and may, in fact, impede access.
Immediate Actions For Stakeholders
First and foremost, public health stakeholders must speak up to ensure that any new law does no harm to existing public health data flows. Second, they must ensure that any new laws provide public health informatics room to develop—under appropriate governance—as information technology develops or as new resources that are dedicated to public health infrastructure enable public health to expand current capabilities. One example is the current public health data modernization initiative. Finally, public health stakeholders must ensure that legislation respects the ethical limits placed on public health data uses that the WHO and others have articulated.
The authors would like to thank Professor James G. Hodge, Jr., Dr. Michael Morrisey, and Dr. William Sage for their thoughtful comments on this work. This work was supported in part by the Texas A&M University T3 Program. Charles Curran is an independent consultant who advises industry members on data policy issues including consent. The relationships to industry members are only tangential to the subject of this article (encouraging public health to engage in privacy legislative debates). However, the authors note that these members of industry would be subject to the ADPPA rules.