Biohacking Village - What's Up with Proposed Privacy Legislation and how to influence the debate
Formal Metadata
Number of Parts | 374
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/49894 (DOI)
DEF CON Safe Mode, 195 / 374
Transcript: English (auto-generated)
00:00
Hello, and welcome to Health Information Privacy, Ask an Expert. I'm Lucia Savage. I'm currently Chief Privacy and Regulatory Officer at Omada Health. Before joining Omada Health, I was Chief Privacy Officer at the Health and Human Services Office of the National Coordinator for Health IT. Yes, that's a mouthful. You can just say ONC for short. And that is the agency
00:21
that not only brought you regulated electronic health records, but also brought you app-based access to your own information. And we'll talk more about that later today. I'm really happy to be here today, recording live for the Biohacking Village at DEF CON. As you know, the format of the show is to cover the basics of a topic and then open the mailbag on that topic. Today, we're covering how health information privacy is regulated in
00:44
the US and the difference between health information in the healthcare system and outside of it, like on social media. We're also going to cover why there are lots of news headlines on the topic and what the headlines mean for ordinary people. Let's get started. I think the best place to start is why do people want health information
01:02
privacy? It's pretty simple. People want health information privacy to prevent them from being treated badly because of their health status. There's a few very current examples of that. Just look at Kim Kardashian's note about her husband's mental health situation. Or if you want a deeper dive, you can read Carrie Fisher's autobiography, or you can check out on social media the Royal
01:24
Highness's campaign to remove mental health stigma in Britain. All of those are areas where we have specialized privacy rules because we treat people badly when the health information gets out in public. And there's many, many areas as well, but those are three current examples.
01:40
At the same time, it's really important to remember that here, a fifth of the way through the 21st century, digital health information can be used for really important purposes to help us address inequities, address discrimination, improve the care system. You can't fix what you can't measure. One example would be many years ago, we started measuring the rate of
02:03
breast cancer screening in women. And because we could measure it and identify the physicians that were not ordering mammograms for their patients, we increased the rate of screening and we saved lives. That's a really early example. But some more current examples are things like using the data to measure what kind of languages the healthcare providers speak
02:24
compared to their patients, or using the data to figure out immunization rates. So using it is important, but keeping it private is important, and therefore we have regulation. And I thought today I'd talk a little bit about how is health information regulated and then open
02:41
it up to questions from the mailbag. So the first thing I wanted to say is within the healthcare system, there's a very specific set of rules. You guys all have heard the acronym HIPAA. It stands for Health Insurance Portability and Accountability Act. And you'll notice that there's no privacy in that acronym. Privacy is a side product of the original effort,
03:01
which was to digitize the claims data so we could do this measurement. But we do have a very robust privacy rule. In fact, people equate HIPAA with privacy. And the way that works is the digital health information within the healthcare system is designed by regulation to move around for ordinary healthcare purposes. For example, if you go to the doctor's office and
03:23
you have insurance, you want your doctor to bill the insurance company without you having to do extra paperwork, or at least most people do. There are definitely a subsection of the American population that wants to manage it all themselves, but that's not most of us. And so that transaction, that care transaction is all digital, and it goes from your doctor's office to your
03:42
insurance company so your doctor can get paid and you get billed whatever your co-insurance is. And we know that could be high. That's a different panel. But you don't have to do anything. You don't have to collect the data. You don't have to send it somewhere. It doesn't have to be printed out. And all of that is designed to happen normally. In addition, the regulations are also designed to let us do this normalized measurement, to measure that
04:02
breast cancer screening rate, to measure the immunization rates, to measure language, to measure how expensive it is. And there's lots and lots of examples of that. But the last thing is the regulations are designed to not allow the data outside of the healthcare system in an identifiable way without you giving permission to it. And I don't have time today to give you
04:23
very specific and detailed technicalities of the regulations, but I will be providing a list of public resources where you can dig in yourself about that. That's the basics of within the healthcare system. But again, here we are, it's 2020, almost 2021, and we have lots and lots
04:41
of health information that's either directly collected from individuals that's outside the healthcare system, like fitness trackers and social media sites, or where we use data that's like grocery shopping data or banking data or driving data to impute health information
05:00
about people from other data sets. And all of that, not being in the regular healthcare system, is subject to a completely different regulatory scheme. So that regulatory scheme is basically about consumer privacy protection. So it's really the same rules apply to the health information Facebook collects as applied to the fashion information Facebook collects, or the dining
05:21
information your social media account collects. It's all the same set of rules. And that basic construct is, did the organization tell you what it was going to collect? We can have a long conversation about notice. And were they honest about it? So were their actions what they said they were going to be, or did they lie about their actions or mislead you about their actions?
05:43
So it sounds really good in concept, but very, very hard to prove in the detail. The ability to prove those consumer violations lies primarily with the Federal Trade Commission, which is a federal agency not in the healthcare system, and as well with state attorneys general.
06:02
Then as the 21st century has gone on from 2000 to the present, states have begun to take a role. And so we have state breach notification laws to protect us from consumer harm when our consumer data is collected and then breached or misused or misdisclosed. And we have
06:20
states also beginning to take specific action about health information outside of the healthcare system. The last thing I want to say about this interplay between inside the healthcare system and outside the healthcare system has to do with states. So the federal law HIPAA is a baseline. It's the floor of regulation. And many states have very specific laws about, in general,
06:45
clinical verticals. So they'll have specific laws about HIV/AIDS or specific laws about mental health data or specific laws about domestic violence or sexually transmitted diseases. There's eight or so key areas and they'll have a specialized rule about that and who gets to
07:03
use it and what is permission required and do you have to consent to the release of your data. And all of those rules sit on top of HIPAA. So in the healthcare system, if you're a healthcare provider like Omada is, you have to think about HIPAA and you have to think about all your state laws. But again, those laws are about the healthcare system itself and not about
07:23
particular kinds of data outside the healthcare system in the consumer setting. Finally, we have an emerging set of laws. Many people here will have heard of the California Consumer Privacy Act and many people, I'm a California resident, will know that we have a ballot initiative coming to us in November where we can vote on an additional privacy law that,
07:44
ironically enough, the privacy advocates are fighting about whether it's any good. That's also a conversation for another day. You can look that up on social media. But other states are looking to California to see what it does and whether there are things those states can copy from the California landscape to protect their own residents in the
08:02
absence of federal regulation, which takes me to my final point. There have been a lot of headlines about this. Mr. Zuckerberg has been in front of Congress many times. Leaders from Google, leaders from Twitter, all have been in front of Congress talking about privacy. It is an important federal policy question and the important question is, will the federal
08:24
government change anything in the federal landscape to augment the FTC powers, to make the consumer rights more meaningful, to make the consumer rights more particularized to healthcare information outside of the healthcare system? So these conversations started in the wake of
08:41
the pandemic. I'm going to turn it over to you, Dr. Fauci, to talk a little bit more about Cambridge Analytica. A lot of us privacy advocates had great hopes for something happening. Remind you, Cambridge Analytica was two years ago now, a little bit more than two years ago now, so politics moves very, very slowly. It's an election year. We have COVID. Conventional wisdom says nothing's going to happen this year, and then it's very complicated
09:02
politically. There are three or four committees on the Senate side, another half a dozen committees on the House side. Each of them has jurisdiction. If you went back to "I'm Just a Bill" from Schoolhouse Rock, you would realize you have to have a bill on each side, then they have to come together and come to a compromise bill, and then both houses have to pass it again,
09:21
and then the president has to sign it. So lots and lots of moving parts. Lots of opportunities, therefore, for people who are interested to still make their voices heard, and we'll talk about that a little bit later. Eventually, I think we will have something national, but it could take another two to four years. So I have somebody with me today help me read the mail. My friend, Nina. Nina, what's in the mail bag?
09:45
First question. What are the big issues that are being debated in Congress about a nationwide privacy law? I think the two biggest issues are one is what we call preemption. So that is the idea that the federal law overtakes and supersedes any
10:03
active state law. So if you think about the CCPA construct, if there were a federal law, and if it were preemptive, it would override whatever California enacts in its own law. So you can see that that could be really contentious, because some states might want to be more aggressive or more protective of their consumers than other states or than the federal government.
10:25
On the flip side, however, is the more laws there are, the harder it is to assure compliance. So from a consumer perspective, it might actually be better to have one single law that applies the same everywhere, so you don't have to be confused or have your rights change as you cross state lines. Many, many complex trade-offs there. The other big issue is,
10:45
should individuals be able to bring their own lawsuits for breaches of privacy? Now, there's a very long, complicated history about lawsuits and privacy and damages, but at the end of the day, it's about how does this get enforced? So right now, outside of healthcare, the FTC brings an action. Consumers under their individual state laws may or
11:05
may not have the right to sue, and in healthcare, consumers have no personal rights under HIPAA to sue. A federal law could change all that by giving individuals the right to sue. That can be a really effective enforcement mechanism, as has been true for automobile safety,
11:20
for example. Cars are safer because Ford got sued over the Pinto, but it also can make the cost of the business much more expensive. It can be a barrier to innovation because you have to worry about being sued. There are a lot of downstreams to widely available, empowering a lot of people to bring a lawsuit. So again, trade-offs there. Those are probably the two
11:43
biggest issues that people cannot agree on. Why can't people get to yes? There are a lot of economic interests involved in that. So you can see that the trial attorneys want to make money off the lawsuits, but the small businesses and the innovation community and
12:00
the venture capitalists want to keep growing new businesses with new ideas, and they don't want the threat of lawsuits hanging over their heads. Compliance can be complicated. There are philosophical differences. There are people who definitely believe in empowering consumers to sue, and people who don't believe in empowering consumers to sue. Those fall across the political spectrum, and that's probably why we can't get to yes, is there isn't enough people in any one
12:25
particular place on that spectrum to balance the scales to a yes, right? You have to have a majority vote in both sides. So what's the impact of CCPA? So in the healthcare system, CCPA
12:41
has a very specific carve-out for organizations that are actually already covered by HIPAA. For our public website, you guys might be browsing it right now, but our program itself is healthcare delivery, and it's within HIPAA. But if you are a company who is collecting health information, for example, because you are running a business that offers consumers gift cards
13:06
to answer surveys about their health conditions, that might be a business model. That's not within the healthcare system, and CCPA is going to apply, and all the rules of it are going to apply. Of course, it's a little bit of a moving target because the law was enacted a year ago.
13:21
It took effect in January, but the regulations didn't take effect till July, and actually they didn't get finalized till last week, and that might be upended by a ballot initiative, and who knows what's going to happen if there's court action about the ballot initiative. I'm not an expert on CCPA. I think it's something that's really important to people,
13:42
but to me, the most important part of it from a consumer is knowing that I can go and say to that organization, what did you collect about me, and can I please have a copy of it? That's a really important thing for consumers who want to take action. I completely agree with that. So what, if anything, did COVID change? You know, COVID hasn't changed very much
14:04
in the landscape, the overall regulatory landscape. There have been a couple of little things that eased because of the public health emergency, but that easement is temporary. But I think in terms of health information, what the impact COVID has had is really given
14:20
more people a stronger sense of the possibility that digital health has for us as a way of getting care, maintaining our health, getting the coaching or the assistance we need when we can't go to the doctor's office. And because of that, I mean, it's great for a digital health company like Omada, but because of that, people are now going to be thinking about their health information a lot more. That's one. The second one is I think that the arrival of
14:48
big tech at the COVID moment with their wide variety of contact tracing apps, you know, that Facebook both runs ads for legitimate academic research about COVID and also
15:02
runs not legitimate, you know, links to things that are not legitimate research. Arriving as it has two years after Cambridge Analytica, I think we're suffering from the skepticism that Cambridge Analytica brought to the doorstep of health information outside of HIPAA really and truly. People are concerned about the contact tracing apps. The uptake is very low.
15:25
It even bleeds over into human to human contact tracing where I might call you, Nina, and say, hey, you know, it looked like you were at that concert or did you know there was a big concert and were you there and who were you with and who were they with and that's, you know, contact tracing. We've been doing it for decades, really centuries, because we do contact
15:43
tracing for sexually transmitted diseases that are contagious. And so we also have erosion of trust of the human to human contact tracing and we'll suffer from that as a society for a while. How important is this issue to Congress? You know, it's a little bit of a drink of water
16:04
before this question. You know, it's a little bit of Kentucky windage, right? Issues are important that constituents care about. And that's pretty much how the democratic process works. So right now, constituents care about COVID. And some constituents care about election
16:23
security, which is hugely important. We won't get a privacy anything this year, although I know there are still people working on little pieces of privacy. I saw a draft bill the other day about COVID and contact tracing apps about a month ago. But if you as a constituent
16:40
think this is important, you should tell your Congress person, House or Senate. And in fact, if you have a senator or a representative who's on a committee of jurisdiction, you should most definitely tell them. If you think back to 2017 and the original attempts in the current administration to undermine the Affordable Care Act, who went to Congress, people with
17:00
sick children and sick family members, and they were constituents. So you know, you call over there and they will ask what your zip code is. And you should be honest about that. I happen to have a representative who chugs along doing what I think is right without ever having me ever having to call her. But I can imagine being in a different state and having to call my representative
17:20
every week. Or ask for an appointment for the office to the office with local staff to say, hey, did you know this is happening? And this is how it's impacting our community and me. And you should fix it. No, squeaky wheels totally get the grease in politics. So that's when it becomes important. Perfect segue. So how can the biohacking community get involved and move the
17:45
needle on issues in privacy? I think there are a few things I'm going to sort of try to list as many as I can in this materials, Nina of, you know, bills that people might want to look at and committees of jurisdiction and where you go, but it's pretty simple. If you want to know,
18:01
you go to finance.senate.gov and you look at the members and you figure out if they're your senator. And then you call your Senate's office, you call them and you say, I'm Savage and I'm a resident of blah, blah, blah state. And I understand that you're looking at such and such an issue. Here's what I think about it. And if you have a bunch of friends,
18:20
you know, you can do a house party and everyone can get on their cell phone. You can call serially. You can email, but it's probably not as carefully read or paid attention to as a phone call. Can do a house party after COVID. You can do a, well, well, you could do a virtual house party, right? Like set it up on Zoom. You can have all the contact information
18:40
on a document that you're sharing. People can just, you know, call on mute. They weren't talking, just have a good time. So how can biohackers be more involved in the privacy needs and changes that are taking place? How do we get people to listen aside from talking to our conventional person? So I think stories are really, really important. People listen to stories.
19:05
So I'm always compelled by, that's why I love that the reference to Kim Kardashian or Carrie Fisher, right? It gives us a context for why people have privacy issues. Why, why are we working on mental health? Why is there so much stigma? How do we remove the stigma? And we
19:22
analogize that to privacy. So in your family or in your community, what has been a bad impact of poor privacy practices or poor security practices for that matter? How has it impacted people? Whether it's a neighbor who got doxed and somebody, you know, something terrible happened
19:42
to them or people that, you know, or even yourself, that's how we got anti-doxing legislation is people went to their representative and said, Hey, this happened to me and there ought to be a law. So it's really about stories and it's very, politics is very personal. It's, you know, there are white papers, there are studies, there is data, we can explain all that,
20:03
but it's really the compelling personal stories that tip the scales when somebody's on the edge. It's the story about the constituent that's going to push somebody where you want them to go. And since I don't know about everyone's personal life who might be listening to this,
20:20
it's really hard for me to know after that, like what would be a story that would be compelling. But I know I had a, my mother was bipolar and in all my work as a privacy advocate, particularly the work I did in the last administration, I would always talk about that. Like I get it, I get stigma, I get why this is important and I get why
20:40
we need to understand it better. Can I get my personal moment in here? Absolutely. So I give this story a lot about why I'm in healthcare and why this matters so much to me. My father, Fire Department of New York, paramedic captain, he was at 9/11.
21:02
My mother, stage four, one of the rarest cancers in the world and I learned about it. I learned about both of their health issues the same week. Oh my god. So my father's issue was that he has bilateral lung nodes from being at the World Trade Center. Right. And it's that, it's that very compelling story of I suddenly became a caretaker.
21:26
My parents were super independent. They were doing their things. And now it's, I own all of their medical data. I have all of their physician numbers in my phone. And if something happens, I immediately make a call for them. And if I'm not available,
21:40
they understand that they, the physicians will call me right after to give me that data and the update of their condition. So I'm in complete agreement with the story is so compelling because we all have something that we can talk about and gives us that emotion to say, there needs to be a change. It's not a question I'm not asking you and telling you that moment.
22:00
Two things. If you think back about the 9/11 fund and you remember that Jon Stewart was on that like a dog on a bone week after week, it was embarrassing. He was intentionally embarrassing the politicians with these really compelling stories and it worked. So think about that. The other thing I would say just on a personal note,
22:20
Nina, and I don't know if we have time today, but you know, caretakers, we are, we baby boomers are a pretty big population and our kids are going to be taking care of us. And we should all have the ability as a caretaker, not just to call your parents doctor and have them call back, but have online on your phone access to their records. If they want you to have it. I had that for my mom through the Kaiser app.
22:43
She authorized it and it meant I could help care for her and she could call me and say, I don't understand this thing. What does it mean? And that is what digital health really means is not keeping data sacrosanct in a box under a cement floor, but putting it where it needs to be and where the patient wants it to be to get the care that they need.
23:02
And if that's what the family member, let the family member know if that's with a friend from church, let the friend from church know if that's you as a person, you're a DIY healthcare person and you want to broadcast your health status on that big billboard at Times Square, go right ahead. It's your data. How did the agencies that
23:25
command and control healthcare, how do they work together or how do they not work together? Sure. That's a great question. That's something I forgot earlier on. I wanted to be super clear about who really has authority over privacy. So in the federal realm, it is solely the Health and Human Services Office for Civil Rights.
23:44
They write the privacy regulation, they write the security regulation, they investigate those, they fine people for them and they enforce them. Now the FDA, which has a lot to say about digital tools, their remit or their jurisdiction is really about, is the thing safe, clinically safe? Like it's not going to cause you,
24:06
you know, a glucometer isn't going to burn your arm or whatever. And is it doing clinically what you say it's going to do? So remember it's the Food, Drug, and Cosmetic Act and the enabling legislation, which dates back to Teddy Roosevelt
24:21
is about not having health products in the field that are dangerous, right? And actually the FDA covers veterinary science as well. So just think about that in totality. So I love the cool, I know everybody over there, great crowd, really interested in privacy
24:44
as a concept, but they don't actually regulate privacy. What they regulate is did your device that has software in it secure that software sufficiently that the device data is accurate and has integrity. That's pretty much what they regulate.
25:03
So that's the FDA. And then HHS OCR writes the privacy rule, and that applies to health insurance companies, employer sponsored coverage. If you have like a big employer, like you're at an Apple or Google or health health sponsored coverage physicians or any other provider who bills the government electronically, and then some additional sort of intermediate
25:24
companies called clearinghouses. There's always a lot of talk around the medical devices and the security that surround those. But one of the parts that are normally lacking in conversation are the electronic medical records. And you talked before about the ONC owning them. So what's, how does that link in with the agency?
25:46
So the ONC has three specific powers. The first one is they write a regulation about what the software in a certified EHR has to do. And there are EHRs that are not certified, by the way. So if you have a certified EHR, it has to have these minimum functional requirements,
26:02
and they've been getting more and more rigorous as time has gone by. The second thing they have is to educate the provider workforce primarily, especially the small doctor's offices. Remember, while there are some really big systems, most healthcare is provided in very small business practices that have two or three physicians in them. So educate the physicians and the nurses
26:22
and the people out in the field about how to safely, privately, and securely use certified EHRs to deliver care. And the third is to run sort of the policy making for the agency about both what that software package should be. It's a very unusual power, a federal agency that writes a prescriptive rule for software, but also in general about health information technology policy
26:45
writ large. So for example, ONC has a specific duty of coordinating Office of the National Coordinator across agencies. And I might bring people to the table that would be the FDA and the FTC and Office of Civil Rights to stand up a tool that in fact exists. So on the FTC website
27:05
is the mobile health app developer tool. And if you were to go to that tool, you would see in kind of a Q&A fashion, it moves you through a flow chart to help you make sure if you're a developer, you know which rules you have to deal with for the thing you're envisioning.
27:20
So that's an example of coordinating across the agencies. Enforcement is not really a coordinating event in federal law generally. I'm making a very broad statement, but OCR has its remit and a privacy breach is investigated by OCR and they investigate every single one that's reported to them. A safety violation by a device would be investigated by the FDA, if that makes sense.
27:45
And then of course, all of these agencies are within Health and Human Services, which is an agency run by Secretary Azar. And so how the agencies work together is really a factor of whether the secretary is making them work together and how much. Different secretaries have
28:02
different approaches to that. The FDA is a very big agency. It's called an operating division. It's kind of freestanding and runs on its own, but the FDA administrator would be part of Azar's sort of kitchen cabinet or his cabinet. Similarly, CMS, operating division, kitchen cabinet. NIH, operating division, but in the cabinet. And then ONC, Office for Civil Rights, actually
28:24
report directly through the secretary, also in the cabinet, but literally under more of the secretarial vertical, if you can imagine that. So how do they work together? Let me just so I summarize it up. I think the staff work really well together when they're asked to, but people also have very specific portfolios and work that needs to get done. And so they
28:45
really focus on that. So I want to be clear with people that you and I have met once, and it was in a coffee shop and I watched you walk in and the conversation we had was extremely powerful. Thank you. And I instantly knew that you had so much information that you
29:04
needed to share it. And I feel like the community that we work in, we focus a lot on the medical devices because it's something very tangible that we can get our hands on. And this, even with all the knowledge that I have on how things function, this has engaged me and enlightened me. And now it's, okay, I can't focus so much here because they don't control this one thing
29:24
that I'm working on. It's, I need to move over here. And maybe if I'm working over here, I can gauge this and make things happen. So that said, what other resources can we find for everything that you're talking about? So I'll put all these links in a document that you can hand out, Nina, but I will tick off a few of them. They're going to be in that
29:43
document. The first one is when I was at ONC, we published actually a long white paper for Congress. So let's just say it's like publication book level clearance and editorial accuracy for 2016 about the way health privacy is regulated in healthcare and outside of healthcare.
30:02
And while the names of the companies may have evolved over time, Twitter is still Twitter. Facebook still operates the same way. None of the rules or laws that characterize that description have changed. So that is a public document. If you wanted to look for it right now, you'd Google ONC and uncovered entity report, and it would pop right up.
30:23
Free, paid by the American taxpayer, no matter who else produces anything, the law firms, the consulting houses, the hacker community. This one is going to be the definitive source because it has to go through so many layers, including approval by the White House before it gets released to Congress. So that will be in there. I will provide some links
30:43
to educational materials that ONC and the Office for Civil Rights publish about more details about how HIPAA works. Not only what people's individual rights are, like you as the caregiver, what are your rights for you and your parents to collectively get the information you need to help them with their care, but also for people to understand what are the ordinary
31:03
disclosures that happen within the healthcare system to make it run between physicians, between physicians and health plans, et cetera. So there'll be some of that material in there. And then I'll probably link to some other think tanks in DC that are working on the federal privacy law space, and people can look at those organizations' websites and
31:23
decide what's of interest to them, but it would be Brookings Institute, Future Privacy Forum, Electronic Frontier Foundation, EPIC, potentially American Enterprise, New America Foundation. They've all kind of worked in this space. So we'll put some links together that are those people's websites, and you can just go to them and check it out.
31:43
Yeah. Thank you so much. This is the stuff we don't talk about, and that is why this is so important. So thank you for coming. I completely and utterly appreciate your brain space. I'm really happy to be here. I think that the more people who can
32:01
bring the stories to the floor, the more likely we are to have traction. There's a lot of times when it's the same 300 people having this conversation and bringing the new voices, especially of the next generation, when they've been specifically impacted by this, or they understand the technology better than some of our older Congress people.
32:21
Awesome. Totally awesome. Thank you. You're welcome. Thanks for having me.