On October 22, 2018, Professor Stacey Tovino gave a presentation titled “Mobile Application-Mediated Research: Privacy and Security Challenges and Opportunities” at the federal Department of Health and Human Services (HHS) in Washington, D.C. as part of HHS’s “Data Min(d)ing: Privacy and Our Digital Identities” symposium.
Professor Tovino’s presentation analyzed the data privacy, security, and breach notification statutes of all fifty states and the District of Columbia and applied these statutes to mobile application-mediated health research conducted by independent scientists, citizen scientists, and patient researchers. As background, prior scholars who have examined the privacy and security implications of health-related big data have suggested new federal laws or amendments to existing federal laws in an attempt to create comprehensive privacy and security protections for otherwise unprotected data. However, a recent study conducted by Professor Tovino showed that a consumer complaint involving a violation of federal health privacy and security rules has a one-tenth of one percent (.1%) chance of triggering a government-imposed settlement or civil money penalty. In the few cases that result in settlements or penalties, the federal government takes a significant amount of time—more than seven years in some cases—to execute the settlement agreement or to impose the civil money penalty. Professor Tovino’s presentation at HHS reported the results of her latest research, which assesses whether state law might serve as a viable source of privacy and security protections for big data subjects, including mobile health research participants.
Professor Tovino’s work on this topic is an outgrowth of a grant funded by the National Institutes of Health, “Addressing Ethical, Legal, and Social Issues in Unregulated Health Research Using Mobile Devices,” led by principal investigators Professor Mark Rothstein (University of Louisville) and John Wilbanks (Sage Therapeutics).