The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Senator Seeks Information on How to Improve Health Data Privacy

Senator Bill Cassidy (R-LA), ranking member of the U.S. Senate Committee on Health, Education, Labor, and Pensions (HELP), is seeking feedback on how health data privacy can be improved while also supporting the need for medical research.

Over the past few years there has been a proliferation of new technologies that collect, store, and transmit health information, including wearable devices, smart devices, and health and wellness apps. These technologies have enabled better care and greater patient access to health information, but the health data collected, stored, and transmitted via these technologies largely falls outside the protection of HIPAA.

Senator Cassidy’s request for information seeks feedback from stakeholders on ways of improving health data privacy, especially data collected using technologies that were not in use in 1996 when the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, and whether HIPAA needs to be modernized and expanded to cover data collected by non-HIPAA-regulated entities.

Senator Cassidy asks general privacy questions, such as what should be considered health data and whether the term should apply only to data covered by HIPAA, whether other types of health data should be treated differently, which entities that are not currently classed as HIPAA-regulated entities should be accountable for handling health data, and whether they should have a duty of loyalty to consumers/patients.

Senator Cassidy acknowledges that new regulations are likely to have implementation challenges and seeks feedback on ways that health data privacy can be improved without creating too great a burden, such as restricting the duty of loyalty based on the sensitivity of the collected data. He also seeks information from stakeholders on how well the HIPAA framework is currently working, whether HIPAA should be updated, the challenges legislative reforms of HIPAA would create, and how health data sharing can be structured, given the current patchwork of legal frameworks in different states.

Information is requested on biometric data, genetic information, and location data, and whether these types of information should be included in a new definition of health data, and what the obligations should be for collecting and safeguarding these types of data.

Consent should be obtained from consumers before health data is collected and data minimization is necessary to limit the information collected to what is reasonably necessary. Feedback is requested on how this can be achieved, how data practices should be communicated to consumers, whether consumers should have the right to request non-HIPAA-covered data be deleted, and if there should be an opt-in or opt-out method of data collection for health data not covered by HIPAA.

Feedback is also sought on the challenges that have been experienced in complying with the data privacy frameworks that have been implemented in 9 states since 2018, and whether any lessons have been learned as states have implemented these frameworks for the governance of health data.

Any new regulations or updates to HIPAA will need to be enforced, and that is also likely to create challenges. Currently, the HHS’ Office for Civil Rights is the main enforcer of HIPAA and has made it clear that it is operating under severe financial restraints and has a large backlog of investigations. The Federal Trade Commission has oversight of health data collected by non-HIPAA-covered entities and has recently taken action over breaches of health data. Suggestions are sought on how updates to HIPAA and new health data regulations should be enforced, and the role different agencies should have in enforcement.

Stakeholders have been given until September 28, 2023, to submit their responses.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
