In a push to make it easier for consumers to understand their health IT products' privacy and security policies, federal regulators have given the creators of three promising model privacy generators awards of up to $20,000.
The generators, analogous to nutrition fact labels, display information about the privacy and security policies of companies that collect electronic health data—a practice the ONC says promotes transparency and helps customers choose products. These include products such as fitness trackers and their associated apps, which record protected health information that would be subject to Health Insurance Portability and Accountability Act rules if stored by a HIPAA-covered organization but is not subject to the rules when stored by a product developer.
The ONC launched the challenge late last year shortly after releasing the 2016 version of its model privacy notice. That version was a revision to the original notice, which was created by the ONC and Federal Trade Commission in 2011 and centered around personal health records. Because the health IT market had matured since then, products like the aforementioned fitness tracker apps, along with other mobile apps, necessitated an updated version of the model privacy notice.
"As more technologies collect users' digital health information, it's increasingly important for consumers to be aware of the privacy and security of their data when using these products," an ONC spokesman said.
The winners of the challenge created open-source, web-based tools that generate customizable model privacy notices for health IT companies. Jason Cronk and Daniel Solove won the first place prize of $20,000 for a tool that displays information in visuals and text, a combination the ONC praised for its "clarity and simplicity." The second-place winner, 1uphealth, designed a tool that performs live checks of information that's entered in the notice. Madeclear.io won third place for a generator that uses a Google Forms-style interface.
Health IT developers do not have to use model privacy notices, and the notices do not meet HIPAA requirements for privacy practices notices. But the hope, according to the ONC's original personal health record model privacy notice implementation guide, is that consumers are more likely to trust—and use—products that are transparent about the privacy and security of the information they collect.