The HIPAA Journal’s Response to Sen. Cassidy’s RFI on Health Data Privacy
Dear Sen. Cassidy,
The HIPAA Journal appreciates the opportunity to submit comments per your September 7, 2023, request for information on improving health data privacy while balancing the need to support medical research and medical technology innovation, specifically with respect to potential Health Insurance Portability and Accountability Act (HIPAA) updates.
While HIPAA is not perfect, it has served as an effective framework that restricts uses and disclosures of protected health information (PHI) while allowing legitimate uses of healthcare data, and requires covered entities and their business associates that collect, store, maintain, and transmit PHI to implement appropriate safeguards to ensure the privacy and security of PHI.
It has been two decades since the HIPAA Privacy and Security Rules took effect, during which time the amount of health information collected by non-HIPAA-regulated entities has been increasing to a point where the health data collected by non-HIPAA-covered entities through fitness trackers, mobile devices, and health apps likely exceeds the data collected by HIPAA-regulated entities. A great deal of the health data now being collected is not covered by HIPAA, even though much of that information would be classed as PHI if it were collected by a HIPAA-regulated entity.
Restrictions on uses and disclosures of health data and safeguards for protecting against unauthorized access should not depend on the entity that collects or processes the data. Health data is sensitive and needs to be protected no matter where it is maintained. Health data in combination with personally identifiable information should not be shared, used, or sold without consent and there should be a legal requirement for all entities to implement safeguards to protect against unauthorized access.
While HIPAA may appear to be an appropriate vehicle for implementing new regulations covering non-HIPAA-covered data, the HIPAA Journal feels that any changes to HIPAA to expand coverage to non-HIPAA-regulated entities would likely result in significant security gaps, cause a great deal of confusion over compliance, and would make it even harder for the HHS’ Office for Civil Rights to enforce HIPAA compliance.
The HIPAA Rules were developed specifically for healthcare providers, health plans, healthcare clearinghouses and their business associates. HIPAA compliance has proven to be challenging enough for the healthcare entities for which the legislation was developed. Expanding a law written specifically for the healthcare industry to cover a swathe of consumer technologies and applications is likely to make compliance incredibly challenging for those entities and is likely to create security gaps that are difficult to plug. Any such expansion of HIPAA is likely to cause more problems than it solves. The HIPAA Journal believes HIPAA should remain focused on the entities currently covered by the legislation.
Health data collected by non-HIPAA-regulated entities does not currently have sufficient privacy and security protections under U.S. law, and due to the sensitive nature of health data further legislation is required; however, health data is not the only type of information that needs to be protected. What is needed is a federal privacy and security law covering all types of consumer data, with specific provisions for sensitive data types such as health information.
In 2018, the European Union’s General Data Protection Regulation (GDPR) took effect. The GDPR covers the personal data of EU residents, places restrictions on the collection/processing of personal data, and gives consumers rights over their personal data, including a right to inspect personal information held by a company and have that information deleted. The GDPR has stricter requirements for special category data – types of personally identifiable information that are particularly sensitive. Under the GDPR, special category data include:
- Personal data revealing racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data and biometric data processed for the purpose of uniquely identifying a natural person.
- Data concerning health.
- Data concerning a natural person’s sex life or sexual orientation.
The collection and processing of special category data is prohibited, except in specific circumstances, such as when explicit consent is obtained from consumers to collect that information. Any entity that collects that information is required to ensure that safeguards are in place to protect privacy; there are restrictions on how that data can be used and for how long it can be stored, and the information must be deleted on request.
A similar federal privacy law should be enacted in the United States that covers all consumer data, with additional protections for particularly sensitive data, similar to the GDPR. To avoid upheaval within the healthcare industry, entities currently covered by HIPAA should be exempt from such a law, as the health data they collect, store, process, and transmit is already protected under the HIPAA Privacy and Security Rules.
A comprehensive federal privacy and security law has already been proposed – the American Data Privacy and Protection Act (ADPPA) – which covers consumer data, including health data. ADPPA has considerable bipartisan support; however, consensus cannot be reached on the content of the bill. At present, ADPPA does not have sufficient support to get over the line. What is needed is for all stakeholders to work toward a consensus and enact ADPPA – or similar legislation – to establish federal protections for all consumer data.
Such a law would need to be robustly enforced. The HHS’ Office for Civil Rights already has a massive remit together with a significant backlog of investigations due to the increase in healthcare cyberattacks, and a budget that has remained flat for years. The FTC may be in a better position to enforce such a law, provided it is given sufficient resources to do so.