A Comparative Audit of Privacy Policies from Healthcare Organizations in USA, UK and India

06/20/2023
by Gunjan Balde, et al.

Data privacy in healthcare is of paramount importance (and is therefore regulated by laws such as HIPAA) because of the highly sensitive nature of patient data. Healthcare organizations disclose how they collect, process, store and share this data (i.e., their data practices) in their privacy policies. There is thus a need to audit these policies and check their compliance with the respective laws. This paper addresses this need and presents a large-scale data-driven study to audit privacy policies from healthcare organizations in three countries: USA, UK, and India. We developed a novel three-stage workflow for our audit. First, we collected the privacy policies of thousands of healthcare organizations in these countries and cleaned this privacy policy data using a clustering-based mixed-method technique. We identified data practices regarding users' private medical data (medical history) and site privacy (cookies, logs) in these policies. Second, we adopted a summarization-based technique to uncover the broad data practices across countries and identify important differences between them. Finally, we evaluated the cross-country data practices through the lens of legal compliance (with legal expert feedback), grounded in the theory of Contextual Integrity (CI). Alarmingly, our legal experts identified six themes of non-alignment with the law, observed in 21.8% of the data practices studied in India. They further pointed out four potential violations according to case verdicts from Indian courts. We conclude this paper by discussing the utility of our auditing workflow and the implications of our findings for different stakeholders.
