As the Federal Trade Commission asserts a greater role in U.S. privacy policy and enforcement, it is diverging from the path forged by HHS, particularly on the question of whether individual consent should be a threshold for the gathering, sharing and storage of sensitive information such as health records.
FTC targets consent
Report addresses concerns over online health info
The FTC released a report last week on online consumer privacy issues. The 122-page document, described as a preliminary staff report, was clearly a warning shot at collectors and brokers of data gleaned from consumers' online activities. “We are not calling for legislation yet, but it's clear that this report is also a recommendation for lawmakers,” FTC Chairman Jon Leibowitz said in a phone call with reporters.
The report focused on a wide spectrum of personal information, such as the data stored in everyone's Web browser, but it also addressed problems arising from the growing volume of healthcare information created or stored outside the regulatory fence of the chief federal privacy law, the Health Insurance Portability and Accountability Act of 1996 (Nov. 22, p. 26).
“Retention of such data, and its use to build consumer profiles, raises important privacy concerns,” according to the report. “For instance, the retention of location information about a consumer's visits to a doctor's office or hospital over time could reveal something about that consumer's health that would otherwise be private.”
The FTC staff, according to the report, concluded that “certain types of sensitive information warrant special protection, such as information about children, financial and medical information, and precise geolocation,” and that “companies should seek affirmative express consent” before collecting, using and sharing it.
In contrast, in a 2002 HHS-written revision of the HIPAA privacy rule, a requirement for patient consent for the disclosure of medical information was replaced with a provision granting “regulatory permission” for healthcare providers and other “covered entities” to disclose medical records for treatment, payment and many other healthcare operations without patient consent.
In defining privacy, the FTC referenced former Supreme Court Justice Louis Brandeis, co-author in 1890 of “The right to privacy,” a seminal Harvard Law Review article that equated the constitutionally protected right to life with “the right to be let alone.” The article went on to explain that a person's right to privacy is extinguished by that person's consent.
In 2008, the Office of the National Coordinator for Health Information Technology at HHS released its Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, in which it defined privacy not as a right but “an individual's interest in protecting his or her individually identifiable health information.” The ONC did not respond to requests for comment on the FTC report.
California Privacy and Security Advisory Board advocate Pam Dixon, founder of the not-for-profit World Privacy Forum, said she participated in several roundtable discussions the FTC held to obtain public comment before drafting its report.
“I think the heart and soul of this report is the one sentence that industry self-regulation has not worked,” Dixon said, and she also praised the FTC for a “bold approach” that includes data collectors such as Google and third-party data brokers such as Acxiom in its proposed privacy guidelines. “The bottom line is this: The trend is toward the consumer having the right to opt in when there are sensitive issues involved,” Dixon said.
The FTC, in seeking to bring Brandeis forward more than a century, recognized that “the application of this concept in modern times is by no means straightforward.”