Comments on: Healthcare in the National Privacy Law Debate
https://thehealthcareblog.com/blog/2020/02/10/healthcare-in-the-national-privacy-law-debate/
Everything you always wanted to know about the Health Care system. But were afraid to ask.
Tue, 29 Nov 2022 06:19:33 +0000

By: Adrian Gropper, MD
https://thehealthcareblog.com/blog/2020/02/10/healthcare-in-the-national-privacy-law-debate/#comment-865414
Mon, 17 Feb 2020 16:55:31 +0000

HIPAA, GDPR, and CCPA are not up to the task of regulating modern technology for surveillance capitalism. They ask too much of the individual person and too little of the powerful, tech-enabled corporation or state. Nine out of ten of the privacy bills being proposed in Washington do not deal with this core asymmetry of power.

Society understands the role of fiduciaries such as expert defense lawyers when facing the powerful state or expert physicians when facing powerful health care business interests. We value the ability to have an expert that we freely choose to advise us when facing power and knowledge imbalance. With few exceptions, the laws around surveillance capitalism do not give me an opportunity to choose an expert intermediary to look out for my interests. The laws that Kirk describes merely double down on the fox guarding the chicken house.

We’re starting to see examples of privacy laws that do actually empower people with expert fiduciaries when it comes to using and not abusing our personal information. In Europe, PSD-2 is forcing banks to accept patient-selected payment processors as the intermediary agent between one’s bank and the merchants they deal with. A similar bill is making its way in India. This kind of agent can be a true fiduciary and has to compete on the basis of their expertise. This agent greatly dilutes the power of the bank to decide our credit card policies or the hospital to decide who is “safe” to analyze our personal data.

Closer to home, the ACCESS Act by U.S. Sens. Mark R. Warner (D-VA), Josh Hawley (R-MO) and Richard Blumenthal (D-CT) is the one in ten pending Federal privacy bills that gets this. It states “… and to allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose.”

In healthcare, this would vastly increase the effectiveness of patient communities that chose to take on the role or recommend a third-party data controller. It would also break down the artificial distinction between HIPAA and non-HIPAA personal data, thereby making personalized medicine, machine learning and decision support that much better informed. Support for patient-designated personal agents is the mission of the HEART Workgroup, co-chaired by ONC, that now needs to rise to the core in TEFCA policy and protocol development. This can be started without any changes to either HIPAA or other privacy laws by stressing and enforcing the agency-enabling aspects of 21C Cures and the draft regulations.

Here’s a bit more about this: https://thehealthcareblog.com/blog/2019/10/31/access-act-points-the-way-to-a-post-hipaa-world/

By: VinceKuraitis
https://thehealthcareblog.com/blog/2020/02/10/healthcare-in-the-national-privacy-law-debate/#comment-865412
Sun, 16 Feb 2020 18:32:52 +0000

Kirk, thanks for your thoughtful and thorough contribution to the Health Data Goldilocks series.

My biggest takeaway:

“The United States does not, today, have a national privacy law….

“Today, while the healthcare industry, the patient community, and broad variety of interested stakeholders all pay close attention to these privacy programs and the overall protection of patient data, this perspective is not obviously a part of the expanding national debate. This is a mistake.”

By: John Ballard
https://thehealthcareblog.com/blog/2020/02/10/healthcare-in-the-national-privacy-law-debate/#comment-865407
Wed, 12 Feb 2020 20:23:13 +0000

As a layman, casually reading, I’m impressed to the point of being overwhelmed by the magnitude of this series. I had a five-year stint in a hospital system in my post-retirement life which gave me a chance to glimpse the inner workings of the enterprise. After several decades in the private sector (retail specialty foods and later food service to the public) I knew first-hand how tough it is to squeeze a nickel or dime out of every revenue dollar. So my first impression was that the place where I got a job seemed awash with money and resources like I never knew existed — scheduled maintenance for everything, in-house operations for everything from laundry and food service to landscaping. Heck, there were even places run and operated by volunteers, something I knew existed but I had no idea how pervasive that money-saving, public-relations feature could be.

Part of my orientation and occasional training updates included the HIPAA privacy rules delivered with a level of inflexible authority equivalent to directives from the Pentagon or the Vatican. I was taught never to mention the name of a patient, even in the privacy of a restroom, lest someone in one of the stalls overhear something of a private nature. Since I worked in a senior living environment among the system’s revenue-generating properties I was dealing with residents, not patients, but the same privacy rules applied.

As I plowed my way through this post, making note of the endless acronyms — GDPR, CMIA, CCPA and of course HIPAA (the only one I already knew) the magnitude of the challenge seemed insoluble. I did wonder how the insurance industry seems to have access to so much presumably private information, and how drug companies maintain an incestuous relationship with endless layers of the medical infrastructure without somehow accessing “private” information. But those were not what I thought about as I read.

What bothered me most as I was reading, and even now as I reflect on what little I retained, is whether (or if) the resources getting all this attention will ever move the system closer to the multitudes of ordinary people never concerned with privacy, or who in many cases will never have access to any medical professional who might discover a condition about which they, as patients, would even know themselves.

Excuse me for drifting off topic in my comment but I’m an old fan of The Health Care Blog. But I have drifted away over the years, partly because I have graduated to Medicare (which tends to dull one’s attention to details) and buried both of my parents as Medicaid beneficiaries, thanks to America’s health care system which insures that one must be either rich or certifiably destitute to receive long-term care (if at all) after 99 days. I was an avid commenter years ago at this site, but that was when PPACA was being crafted. At that time I hoped that a better system might happen to benefit the hourly employees I managed all those years, nearly all of whom could not even afford group insurance.

I apologize for my off-topic comment, but no one else has said anything so my comment may start a discussion of some kind. I have learned a lot at The Health Care Blog and have deep respect for the professionals writing and commenting here. I follow Matthew via Twitter to keep up, but no longer get too involved. But there was a time when I found the posts and comments much more stimulating than I do now.
