Who Owns Your Personal Health Data? Who Deserves to Hold It?

It seemingly happens every other week -- a financial institution, health system, or other company announces its systems have been hacked, and user (or patient) data is at risk, being held ransom, or otherwise compromised.

In April, Under Armour-backed MyFitnessPal, a company that collects health data via a wearable digital, announced the information of 150 million user had been exposed. These announcements happen with an increasing frequency that tempts us all to sigh and move on.

But as wearables and digital companies become more common, and more integrated into the wider healthcare system, complacency is not a viable option -- not for digital health companies, patients, or incumbent health plans and systems. Instead, these breaches should become a rallying cry, and a recognition the when it comes to personal health information (PHI), protecting the privacy and security of patients and users must be a business imperative.

At Omada Health, the fact that we are covered by HIPAA makes our responsibilities, obligations, and opportunities crystal clear. Federal laws and regulations prescribe privacy and security minimums, as well the exact rules governing or collection, storage, and transfer of participant data. And we’ve accrued a lot of data; currently we have millions of data points on food intake, weight loss, lesson completion, and other activities on our more than 150,000 (cumulative) participants. We use this data to personalize interventions in the Omada Program and to substantiate our outcome-based billing. At the same time, our secure mobile and desktop platforms provide real-time health information back to participants so they can track their progress towards their health goals, or share with family and with their care teams.

But none of this is possible if we don’t take all reasonable steps to ensure our participant data is safe and secure. For health innovators, strong privacy practices and security controls are key to customer trust and to growth.

One of Omada’s core values is “Participants First” -- and this ethos applies directly to how we work to secure user PHI. For example, our Information Security team uses some of the latest best practices, like adopting the revised NIST 800-63b series for internal access credentials. Consistent with our HIPAA obligations, we’ve also worked to secure third-party validation on the security/integrity of our systems and processes. In the last year, we’ve achieved a HITRUST Certification, and successfully completed a SOC 2 Type 1 Audit. Effective this spring, we are clarifying our terms of service to ensure that participants retain ownership of the data they share with us.

Digital healthcare is enabling a patient-centric approach to care that meets our participants where they live -- at home or on the go, with the ability to access the Omada program when and where they need it most. Our system generates data that enables us to bill based on the outcomes we achieve, not based on the mere quantity of services offered.

Across the healthcare industry, there is wide acknowledgement there is work to do improving security -- whether that information is collected via traditional in-person care, through a direct-to-consumer wearable tools, or digitally-enabled clinical interventions like ours. At Omada, we’re working to interpret and apply existing standards even as we iterate for personalization and constant improvement. And as digital interventions increasingly become standard in an individual’s healthcare experience, we’re proud to be working to set the bar high for what users, and customers, should expect from innovators.

Last month, each of us participated in Health Datapalooza in Washington, DC. A coalition of stakeholders from across healthcare -- policymakers, regulators, academics, innovators, and those whose data is being utilized for their own care, or for population health initiatives -- came together to discuss how this data can be used, effectively and responsibly, to improve care. There’s wide consensus that data, and its proper application, holds the key to the evolution of healthcare. Now it’s on those in power to develop clear and practical guidance that sets the rules of the road, and for those of us who utilize that data in our programs to take its protection seriously.

Lucia Savage, JD is Omada’s Chief Privacy and Regulatory Officer; Bill Dougherty is the company’s VP of IT and Security.