Bipartisan legislation has been introduced in the U.S. to create a commission to analyze federal and state health data privacy laws and make recommendations for closing regulatory privacy gaps.
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) sets minimum standards for privacy and security of healthcare data, including placing restrictions on uses and disclosures of personally identifiable “protected” health information (PHI). HIPAA applies to healthcare data collected, used, stored, maintained, or transmitted by HIPAA-covered entities and their business associates. HIPAA-covered entities are healthcare providers, health plans, and healthcare clearinghouses. Business associates are entities contracted with a HIPAA-covered entity that provide products or services that require contact with PHI.
Health apps and other emerging technologies collect, store, and transmit health data that would be classed as PHI if held by a HIPAA-covered entity or business associate, but these emerging technologies fall into a regulatory gray area and are often not covered by HIPAA nor the patchwork of state laws covering personally identifiable health data. There is currently no national privacy law covering health data collected by technology companies and health apps.
The Health Data Use and Privacy Commission Act Aims to Identify and Address Regulatory Gaps
Sens. Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) recently introduced the Health Data Use and Privacy Commission Act to bring health data privacy laws in the United States into the modern age.
“As a doctor, the potential of new technology to improve patient care seems limitless. But Americans must be able to trust that their personal health data is protected if this technology can meet its full potential,” said Dr. Cassidy. “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”
The legislation would set up a new commission to analyze current federal and state laws covering health data privacy to determine whether they are effective and to identify any regulatory gaps. The commission is required to make recommendations to improve data privacy laws to cover today’s technology landscape. Within 6 months of the commission being formed by the Comptroller General, a report must be submitted to Congress and recommendations made on how best to reform, streamline, harmonize, unify, or augment current laws and regulations relating to individual health privacy.
The commission is required to provide details of the likely costs of changes to health data privacy laws, identify the burdens such changes would likely place on healthcare and technology firms, and identify any potential unintended consequences from introducing stricter privacy laws, including whether they may pose a threat to health outcomes.
Several healthcare organizations, privacy advocates, and technology firms have voiced their support for the legislation, including the Federation of American Hospitals, College of Cardiology, National Multiple Sclerosis Society, Association of Clinical Research Organizations, IBM, and Epic Systems.
The HHS has published draft changes to the HIPAA Privacy Rule – which is now more than 20 years old – which should be finalized by the end of the year, but even if the changes are made, they will not address the issue of health data collected and used by non-HIPAA-covered entities and business associates. Additional legislation or further updates to HIPAA would be required to address the privacy gaps and better protect Americans’ health data.
“Folks across Wisconsin and the country are rightfully concerned about the security of their personal information, especially individual health care data, and it is time to give Americans better protection over these records,” said Senator Baldwin. “I am excited to introduce the bipartisan Health Data Use and Privacy Commission Act to help inform how we can modernize health care privacy laws and regulations to give Americans peace of mind that their personal health information is safe, while ensuring that we have the tools we need to advance high-quality care.”