At the “It's 9 a.m.: Do You Know Where Your Data Is?” session at Fox Rothschild's second annual Privacy Summit on Wednesday, a group of health care in-house privacy attorneys highlighted that there remains a lack of privacy controls in the health care industry, despite current regulations.

Panelists at the summit included Michael DePalma, a nonlawyer and CEO of data rights organization Hu-manity; Rachel Hammond, a New Jersey Department of Health data privacy attorney; Nikkia Squires, senior counsel at the Christiana Care Health System; and Lauren Steinfeld, chief privacy officer for Penn Medicine.

The panel tackled an array of data privacy topics, including the lack of a federal framework governing data privacy. Steinfeld stressed the need for federal regulation to serve as a guide for how companies should protect individuals' data.

“In my mind you need a good regulatory piece, which says regardless of what the patient knows or cares about, there will be some rules to the road of what you can do,” she said. “We still are in the country where if you ask about the biggest privacy problems, it's mostly in the unregulated spaces, mostly unregulated data. The GDPR and the CCPA are changing that, but without [federal statutes], we have a huge swath of industry that's unregulated.”

To be sure, U.S. law does regulate this for health data: under the Health Insurance Portability and Accountability Act (HIPAA), disclosures of and requests for protected health information must be limited to the “minimum necessary to accomplish the intended purpose.”

For example, Squires said that after her organization decides whether a third party may use its collected data for a permissible purpose, she sits down with the vendor to verify that each requested data set is limited to the minimum the vendor actually needs.

However, the agreed data sets can drift after the contract is signed. In some cases, she noted, the vendor contacts the person who holds the data directly and asks for additional fields that were judged unnecessary and left out of the contract.

Holding disclosures to the minimum necessary is a critical precaution for any company, not just those in health care, Litten said.

“You don't want to be the next example of a company that took in data for one purpose and used it in a way that seemed OK at the moment, or you didn't check your vendor contract and you didn't realize what was happening on the back end and it comes back and shows that you weren't a good steward of your customers' or employees' data,” Litten said.

For those in health care, HIPAA also sets a standard for de-identifying patient data, after which the data falls outside its protections, but the panel agreed that de-identified data doesn't provide a veil of secrecy.

“To say that information is safe once it's de-identified is a hilarious joke to a technologist,” DePalma said. “Because I can collect bits of information about you guys and I can take three, 10 or 1,000 data sets and bang them against each other and re-identification is an absolute certainty—and I'm not talking about using A.I. or advanced algorithms.”
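The linkage DePalma describes is a join on quasi-identifiers (ZIP code, birth year, sex) between a “de-identified” release and any second data set that still carries names. The following is an added illustration, not code or data from the panel or the article: both data sets are constructed toy records, and the coarsening step (three-digit ZIP, birth decade, no sex) is one generic generalisation, not a claim about what HIPAA's de-identification standard prescribes.

```python
from collections import Counter, defaultdict

# Constructed toy data (not from the article). The "released" set has names
# stripped but keeps ZIP, birth year and sex, a common de-identification gap.
RELEASED = [
    {"zip": "19104", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "19104", "birth_year": 1984, "sex": "M", "diagnosis": "fracture"},
    {"zip": "19104", "birth_year": 1991, "sex": "F", "diagnosis": "migraine"},
    {"zip": "19104", "birth_year": 1991, "sex": "F", "diagnosis": "anemia"},
    {"zip": "19711", "birth_year": 1977, "sex": "M", "diagnosis": "diabetes"},
]

# Constructed second data set with names attached (think voter roll,
# marketing list, breach dump). It shares the same quasi-identifiers.
NAMED = [
    {"name": "A. Alvarez", "zip": "19104", "birth_year": 1984, "sex": "F"},
    {"name": "B. Brown",   "zip": "19104", "birth_year": 1984, "sex": "M"},
    {"name": "C. Chen",    "zip": "19104", "birth_year": 1991, "sex": "F"},
    {"name": "D. Davis",   "zip": "19104", "birth_year": 1991, "sex": "F"},
    {"name": "E. Evans",   "zip": "19711", "birth_year": 1977, "sex": "M"},
    {"name": "F. Fox",     "zip": "19711", "birth_year": 1977, "sex": "F"},
]

FULL_QIDS = ("zip", "birth_year", "sex")
COARSE_QIDS = ("zip3", "decade")


def qid_key(row, qids):
    """The tuple of quasi-identifier values the join runs on."""
    return tuple(row[q] for q in qids)


def link(released, named, qids):
    """Join the two sets on the quasi-identifiers.

    A released record is re-identified when exactly one named person shares
    its key. Several candidates still narrow the field; zero means the named
    set simply doesn't cover that person.
    """
    index = defaultdict(list)
    for person in named:
        index[qid_key(person, qids)].append(person["name"])
    out = []
    for rec in released:
        cands = sorted(index.get(qid_key(rec, qids), []))
        out.append({**rec, "candidates": cands, "reidentified": len(cands) == 1})
    return out


def k_anonymity(released, qids):
    """Size of the smallest group of released records sharing a key.

    k == 1 means at least one record is unique on the quasi-identifiers and
    is exposed to exactly the linkage above.
    """
    return min(Counter(qid_key(r, qids) for r in released).values())


def coarsen(rows):
    """Generalise quasi-identifiers: 3-digit ZIP prefix and birth decade, no sex.

    Applied to both sets, because the attacker can coarsen the named set the
    same way; the defence only works if the groups it creates are large enough.
    """
    return [
        {**r, "zip3": r["zip"][:3], "decade": r["birth_year"] // 10 * 10}
        for r in rows
    ]


def summarize(qids, released, named):
    """Return (k, number of released records uniquely re-identified)."""
    linked = link(released, named, qids)
    return k_anonymity(released, qids), sum(r["reidentified"] for r in linked)


if __name__ == "__main__":
    print("full quasi-identifiers:", summarize(FULL_QIDS, RELEASED, NAMED))
    print("coarsened:", summarize(COARSE_QIDS, coarsen(RELEASED), coarsen(NAMED)))
    for rec in link(RELEASED, NAMED, FULL_QIDS):
        print(rec["diagnosis"], "->", rec["candidates"])
```

With the full quasi-identifiers, three of the five released records map to exactly one name, with no machine learning involved, just a join. After coarsening, no record maps to a single name, yet `k_anonymity` on the coarsened release is still 1 (the lone 197xx record). That gap is the practical lesson: k-anonymity is a property of the release alone, and a unique record is a warning sign whether or not the particular auxiliary set you tested happens to resolve it, because the next one might.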

Steinfeld added that while de-identification is a good privacy control for companies to deploy, it doesn't solve an individual's quest for anonymity: “Even if we were perfectly de-identified, it doesn't remove every privacy problem. There is still just the basic idea that we are being tracked, whether the tracker knows my name or not.”