New Bill Would Update HIPAA to Address New Technology

The Health Data Use and Privacy Commission Act, introduced earlier this month in the Senate, would create a commission to study how HIPAA can be updated to take into account new technologies, including digital health and telemedicine.

A bill introduced earlier this month in Congress would update the Health Insurance Portability and Accountability Act (HIPAA) to account for new technology.

The Health Data Use and Privacy Commission Act, sponsored by US Senators Bill Cassidy (R-LA) and Tammy Baldwin (D-WI), would cerate a new health and privacy commission to advise Congress on “how to modernize the use of health data and privacy laws to ensure patient privacy and trust while balancing the need of doctors to have information at their fingertips to provide care.”

The proposed legislation takes aim at a 25-year-old law that was instrumental in creating guidelines for the dissemination of personal health data, but has since come under attack for being outdated. The proliferation of online resources, telemedicine and digital health platforms has given healthcare organizations new avenues for accessing, collecting and analyzing information – and opened the door to new ways that such data can be misused.

“As a doctor, the potential of new technology to improve patient care seems limitless. But Americans must be able to trust that their personal health data is protected if this technology can meet its full potential,” Cassidy said in a Feb. 9 press release. “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”

The commission would consist of 17 members, to be appointed by the Comptroller General, and would report back to Congress and the President six months after all members are appointed. That report would offer recommendations on:

• The potential threats posed to individual health privacy and legitimate business and policy interests;
• The purposes for which sharing health information is appropriate and beneficial to consumers and the threat to health outcomes and costs if privacy rules are too stringent;
• The effectiveness of existing statutes, regulations, private sector self-regulatory efforts, technology advances, and market forces in protecting individual health privacy;
• Recommendations on whether federal legislation is necessary, and if so, specific suggestions on proposals to reform, streamline, harmonize, unify, or augment current laws and regulations relating to individual health privacy, including reforms or additions to existing law related to enforcement, preemption, consent, penalties for misuse, transparency, and notice of privacy practices;
• An analysis of whether additional regulations may impose costs or burdens, or cause unintended consequences in other policy areas, such as security, law enforcement, medical research, health care cost containment, improved patient outcomes, public health or critical infrastructure protection, and whether such costs or burdens are justified by the additional regulations or benefits to privacy, including whether such benefits may be achieved through less onerous means;
• The cost analysis of legislative or regulatory changes proposed in the report;
• Recommendations on non-legislative solutions to individual health privacy concerns, including education, market-based measures, industry best practices, and new technologies; and
• A review of the effectiveness and utility of third-party statements of privacy principles and private sector self-regulatory efforts, as well as third-party certification or accreditation programs meant to ensure compliance with privacy requirements.

The bill is supported by a number of organizations, including the American College of Cardiology, Association for Behavioral Health and Wellness, Association of Clinical Research Organizations, Executives for Health Innovation, Federation of American Hospitals, Heath Innovation Alliance, National Multiple Sclerosis Society and United Spinal Association. Also supporting the bill are Teladoc, Epic, IBM and athenahealth.

In a blog posted this week, Sydney Swanson, an associate with the Morgan Lewis law firm, and W. Reece Hirsch, a partner with the firm, said HIPAA doesn’t regulate digital health companies that collect data from consumers or reference new technologies like mHealth apps and wearables. The bill, they said, “seeks to close the gap between existing protections and risk to personal health information (PHI) created by new healthcare technology that extends beyond the scope of HIPAA.”

“Recommendations based on the above studies could involve updates to HIPAA to cover a broader range of entities using PHI or new federal legislation covering health data, as the commission would be instructed to assess ‘any gaps in the privacy protections [under HIPAA] resulting from data collection and use by non-covered entities,’” they wrote.  “Any such legislation might alter the Federal Trade Commission’s current authority to regulate many direct-to-consumer digital health products that are not subject to HIPAA pursuant to Section 5 of the FTC Act.”

“Proposed legislation stemming from the studies may be based on state law, such as the California Consumer Privacy Act of 2018 (CCPA), as the commission would be instructed to evaluate relevant proposed state legislation and existing state law,” Swanson and Hirsch added. “New legislation may also be inspired by General Data Protection Regulation (GDPR), as the commission would be instructed to evaluate privacy protections undertaken by foreign governments and international governing bodies.”