Bill Proposes Panel to Study Health Data Privacy Law GapsBipartisan Legislation Seeks Recommendations to Protect Data Falling Outside HIPAA
Bipartisan legislation introduced by two U.S. senators aims to kick-start the process of modernizing "outdated" health privacy laws by creating a commission to examine regulatory gaps, including how to address health data falling outside of HIPAA's umbrella.
The Health Data Use and Privacy Commission Act was announced Wednesday by Sens. Bill Cassidy, R-Louisiana, and Tammy Baldwin, D-Wisconsin.
The use of technology for healthcare and health information is expanding beyond the reach of the 25-year-old HIPAA privacy rule, which applies only to certain covered entities - such as hospitals, doctors and health plans and their business associates that handle protected health information, the senators say in a joint statement.
HIPAA does not protect health data on "emerging technologies," including mobile phones and smart watches, the senators say.
The legislation calls for forming a health and privacy commission to research and make recommendation to Congress "on how to modernize the use of health data and privacy laws to ensure patient privacy and trust while balancing the need of doctors to have information at their fingertips to provide care," according to the senators.
That includes conducting comprehensive review and comparison of existing protections of personal health information at the state and federal level, as well as current practices for health data use by the healthcare, insurance, financial services, consumer electronics, advertising, and other industries.
The commission would include 17 members to be appointed by the Comptroller General and would submit a report to Congress and the president six months after all members have been appointed, the senators say.
If signed into law, they say the new commission would be charged with drafting recommendations and "conclusions" on the following:
- Potential threats posed to individual health privacy and legitimate business and policy interests;
- The purposes for which sharing health information is appropriate and beneficial to consumers and the threat to health outcomes and costs if privacy rules are too stringent;
- The effectiveness of existing statutes, regulations, private sector self-regulatory efforts, technology advances, and market forces in protecting individual health privacy;
- Whether federal legislation is necessary, and if so, specific suggestions on proposals, including how to reform, harmonize, or augment current health privacy laws and regulations;
- Analysis of whether additional regulations may impose costs or burdens, or cause unintended consequences in other policy areas, such as security, law enforcement and medical research;
- Nonlegislative solutions to individual health privacy concerns, including education, market-based measures, industry best practices and new technologies;
- Review of the effectiveness and use of third-party statements of privacy principles and private sector self-regulatory efforts, as well as third-party certification or accreditation programs meant to ensure compliance with privacy requirements.
A group of a dozen medical associations and technology vendors - including the American College of Cardiology, Federation of American Hospitals, National Multiple Sclerosis Society, athenahealth, Epic Systems Corp. and IBM - signed a letter to the two senators, endorsing the bill.
"Secure and private health information should not be the enemy of medical innovation, clinical process improvement, or public health response," the letter says. "Careful consideration of these issues by the commission will inform policy makers to achieve the necessary balance of data liquidity and confidentiality necessary for a highly functional and trusted health system."
Proposed HIPAA Changes
The senators' bill comes more than a year after the Department of Health and Human Services' Office for Civil Rights issued proposed modifications to the HIPAA privacy rule (see: HHS Reveals Proposed Changes to HIPAA Privacy Rule).
Among the proposed changes are allowing more flexibility to healthcare providers in making decisions to share patient information with family members and dropping the requirement for healthcare entities to obtain and retain for six years patients’ signed acknowledgements of notices of privacy practices.
Even if those and other proposed changes to HIPAA are finalized, however, the modifications to the privacy rule would not address other concerns, such as the privacy of health data that would still fall outside of HIPAA's regulatory reach, some experts say.
"HHS' final rule will not address the concerns addressed by the senators and may even increase them," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"The proposed bill is intended to address the issue that HIPAA only applies to covered entities and business associates and does not apply to health apps that are not tied to a covered entity," he says.
The proposed amendments to HIPAA will not extend HIPAA beyond covered entities and business associates, "but will potentially increase the authority of individuals to have their data sent to 'personal health applications' - the types of unregulated apps that are the subject of the proposed legislation," he says.
"The current HIPAA rules work fairly well," according to Greene. "Congress is seeking to address health apps that fall outside of HIPAA, though, and the current HIPAA regulations are not a great fit for such apps." He says a complementary set of standards focused on such apps would make a lot of sense.
Privacy attorney Kirk Nahra of the law firm WilmerHale offers a similar assessment.
The proposed legislation appears focused on the issue of "non-HIPAA" health data - "the large and growing volume of health data that is collected, used and analyzed outside the scope of the HIPAA rules," he says.
"This is a long-standing issue. HIPAA is not an overall health information privacy rule. It is a set of rules - because of the limits of the authorizing statute - that applies to certain information held by certain entities for certain purposes," according to Nahra.
The proposed legislation to set up a commission is "fine, but a long way away from having answers," he says.
Nahra says: "I am skeptical that expanding HIPAA itself is the right answer, because the entities that collect and use this non-HIPAA health data often have nothing to do with the core purposes established under the HIPAA rules."
He says the issues are important and complicated and, "while there certainly are regulatory agencies that pay attention to these issues - mainly the Federal Trade Commission and state attorneys general - it would be helpful both for consumers and the industry to have specific rules."
Privacy attorney Iliana Peters of the law firm Polsinelli says she would expect the commission to look closely at current requirements under both state and federal law regarding the privacy of health data of all types.
She also expects the commission to closely examine initiatives by HHS and other state and federal entities to promote data sharing for purposes such as improved quality of care and decreased costs in the healthcare system, she says.
"However, reconciliation of state and federal laws related to any type of data privacy, security and breach notification requirements is extremely difficult, and I will be very interested to see what the reports from the commission look like, if the legislation is passed."