On February 9, 2022, US Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) introduced bipartisan legislation designed to modernize health privacy laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and account for emerging healthcare technologies not addressed by existing law.
First enacted over 25 years ago, HIPAA regulates covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates, but does not regulate many digital health companies that collect health information directly from consumers. HIPAA also does not expressly reference mobile apps and other new healthcare technologies, although the Department of Health and Human Services Office for Civil Rights (OCR) has sought to address emerging technologies through interpretive guidance. The Health Data Use and Privacy Commission Act (the Act) seeks to close the gap between existing protections and the risk to personal health information (PHI, a broader category than HIPAA's "protected health information," which shares the same abbreviation) created by new healthcare technology that falls outside the scope of HIPAA.
The Act posits that, given the proliferation of laws concerning health privacy and new technology, including apps, wearable devices, and social media, and the increase in generating, collecting, using, sharing, and selling PHI, a comprehensive review of existing protections for PHI is necessary. To facilitate such a review, the Act would form a health and privacy commission to conduct research and give official recommendations to Congress on how to reform health privacy laws. The commission would be required to submit a report with its conclusions and recommendations to Congress and the President within six months. The commission would be composed of individuals who represent various viewpoints within healthcare, including providers, health plans, health technology developers, researchers, and consumers.
The commission would focus on “issues relating to the protection of individual privacy and the appropriate balance to be achieved between protecting individual privacy and allowing appropriate uses of personal health information.” The commission would study the following:
- The potential threats posed to individual health privacy as well as business and policy interests
- The purposes for which sharing PHI is appropriate and beneficial to consumers and the threat to health outcomes and costs if privacy rules are too strict
- The effectiveness of existing statutes, regulations, private sector self-regulatory efforts, technology advances, and market forces in protecting individual health privacy
- Recommendations on whether federal legislation is necessary, and if so, specific suggestions on proposals to reform, streamline, or augment current laws and regulations relating to individual privacy, including changes to existing laws related to enforcement, preemption, consent, penalties for misuse, transparency, and notice of privacy practices
- Analysis of whether additional regulations may impose costs or burdens or cause unintended consequences in other policy areas, and whether such costs or burdens are justified, including whether benefits may be achieved through less onerous means
- The cost analysis of any legislative or regulatory changes proposed in the report
- Recommendations on non-legislative solutions to individual privacy concerns, including education, market-based measures, industry best practices, and new technologies
- Review of the effectiveness of third-party statements of privacy principles and private sector self-regulatory efforts, as well as third-party certification or accreditation programs
Recommendations based on the above studies could involve updates to HIPAA to cover a broader range of entities using PHI, or new federal legislation covering health data, as the commission would be instructed to assess “any gaps in the privacy protections [under HIPAA] resulting from data collection and use by non-covered entities.” Any such legislation might alter the Federal Trade Commission’s current authority under Section 5 of the FTC Act to regulate many direct-to-consumer digital health products that are not subject to HIPAA.
Proposed legislation stemming from the studies may be modeled on state law, such as the California Consumer Privacy Act of 2018 (CCPA), as the commission would be instructed to evaluate relevant proposed state legislation and existing state law. New legislation may also draw on the EU’s General Data Protection Regulation (GDPR), as the commission would be instructed to evaluate privacy protections adopted by foreign governments and international governing bodies.
The Act is supported by a variety of healthcare industry representatives, as reflected by a joint statement of support released by the American College of Cardiology, Association for Behavioral Health and Wellness, Association of Clinical Research Organizations, athenahealth Inc, Epic Systems Corporation, Executives for Health Innovation, Federation of American Hospitals, Health Innovation Alliance, IBM, National Multiple Sclerosis Society, Teladoc Health, and United Spinal Association.
Should the Act gain momentum and the commission be formed, it will be important to monitor whether and how healthcare privacy and PHI will be governed under a modernized HIPAA and other federal privacy laws.