tion in the publication of genetic privacy principles. The other two companies didn’t respond to requests for comment.)

Other participants felt the project's ambitions were slanted toward corporate interests. But that opinion wasn't necessarily universal – one participant, Laura Hoffman, formerly of the American Medical Association, said the for-profit companies were frustrated by "constraints it would put on profitable business practices that exploit both individuals and communities."

Broadly, self-regulatory plans work as a combination of carrot and stick. Membership in the self-regulatory framework "could be a marketing advantage, a competitive advantage," said Mary Engle, executive vice president for BBB National Programs. Consumers might prefer to use apps or products that promise to protect patient privacy.

A group of nonprofits and corporations released a report calling for a self-regulatory project to guard patients' data when it's outside the health care system, an approach that critics compare with the proverbial fox guarding the henhouse.

But if those corporations go astray – touting their privacy practices while not truly protecting users – they can get rapped by the Federal Trade Commission. The agency can go after companies that don't live up to their promises under its authority to police unfair or deceptive trade practices.

But there are a few key problems, said Lucia Savage, a privacy expert with Omada Health, a startup offering digital care for prediabetes and other chronic conditions. Savage previously was chief privacy officer for the U.S. Department of Health and Human Services' Office of the National Coordinator for Health Information Technology. "It is not required that one self-regulate," she said. Companies might opt not to join. And consumers might not know to look for a certification of good practices.

"Companies aren't going to self-regulate. They're just not. It's up to policymakers," said Mozilla's Caltrider. She cited her own experience – emailing the privacy contacts listed by companies in their policies, only to be met by silence, even after three or four emails. One company later claimed the person responsible for monitoring the email address had left and had yet to be replaced. "I think that's telling," she said.

Then there's enforcement: The FTC covers businesses, not nonprofits, Savage said. And nonprofits can behave just as poorly as any rapacious robber baron. This year, a suicide hotline was embroiled in scandal after Politico reported that it had shared with an artificial intelligence company online text conversations between users considering self-harm and an AI-driven chat service. FTC action can be ponderous, and Savage wonders whether consumers are truly better off afterward.

Difficulties can be seen within the proposed self-regulatory framework itself. Some key terms – like "health information" – aren't fully defined.

It's easy to say some data – like genomic data – is health data. It's thornier for other types of information. Researchers are repurposing seemingly ordinary data – like the tone of one's voice – as an indicator of one's health. So setting the right definition is likely to be a tricky task for any regulator.

For now, discussions – whether in the private sector or in government – are just that. Some companies are signaling their optimism that Congress might enact comprehensive privacy legislation. "Americans want a national privacy law," Kent Walker, chief legal officer for Google, said at a recent event held by the R Street Institute, a pro-free-market think tank. "We've got Congress very close to passing something."

That could be just the tonic for critics of a self-regulatory approach – depending on the details. But several specifics, such as who should enforce the potential law's provisions, remain unresolved.

The self-regulatory initiative is seeking startup funding, potentially from philanthropies, beyond whatever dues or fees would sustain it. Still, Engle of BBB National Programs said action is urgent: "No one knows when legislation will pass. We can't wait for that. There's so much of this data that's being collected and not being protected."

KHN reporter Victoria Knight contributed to this article.

ABOUT THE AUTHOR:

Darius Tahir, Correspondent, is based in Washington, D.C., and reports on health technology with an eye toward how it helps (or doesn't) underserved populations; how it can be used (or not) to help government's public health efforts; and whether or not it's as innovative as it's cracked up to be. He joins KHN after stints with Politico, Modern Healthcare, and The Gray Sheet. He's a graduate of Stanford University and grew up in Rochester, New York.