Data & Privacy

HIPAA (the Health Insurance Portability and Accountability Act of 1996) and its Privacy Rule protect patient data, but this legislation has not been extended to cover the other kinds of data now emerging in the landscape of big data from social media, the internet of things (IoT) and wearables. When a patient visits their doctor or uses a patient portal, there is a privacy disclosure and an expectation that the data will be private and secure.

In the realm of mobile apps, social media and IoT, terms and conditions take the place of informed consent. Whereas the language of informed consent must be written in layman’s terms, terms and conditions are long, dense legal documents that would take hours to read. If you have spare time, go read the terms for Fitbit or the privacy policy statement of Uber.

Here is a snippet from Uber:

New laws such as the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) have created standards and privacy safeguards to secure data. “Opt in” and “opt out” consents are now being used by several organizations, but there is no uniform structure for this domestically or internationally. This matters because the many companies that collect data operate on a global scale. Meanwhile, smaller companies find the GDPR and CCPA prohibitive to doing business, which creates data monopolies for the companies that can afford to follow the regulations. What is required is a universally defined consent process, transparency about how data is used, and a set of rules for what can be done with data.

Here is a great article outlining the CCPA and its strengths and weaknesses.