As my colleague observed in a recent piece, while 2019 did not quite pan out as the “year of privacy” that some predicted, lawmakers did achieve significant progress last year. In fact, Chairman Roger Wicker (R-MS) and Ranking Member Maria Cantwell (D-WA) of the Senate Commerce Committee each recently unveiled privacy bills that were striking, more than anything else, for their similarity and for the shrinking list of issues that separate the two sides. As a result of these bills, the path to comprehensive privacy legislation is arguably clearer than ever.

As Congress looks to reconcile the different privacy proposals in 2020, one of the remaining challenges it will face is deciding how to approach personal health information. Currently, a tranche of health information is governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and a variety of state laws, but when that information leaves or is generated outside of traditional health institutions, protection typically lapses. So, while patients increasingly want the flexibility to monitor their well-being on their own terms, the regulatory environment for doing so remains less than welcoming. If Congress is to solve this complex dilemma, it will require careful thought and proper deliberation.

That’s why ACT | The App Association’s Connected Health Initiative (CHI) recently held a congressional briefing addressing this topic featuring a panel of stakeholders from across the digital health community. In a room packed to capacity, Dr. Don Rucker, national coordinator for health information technology at the U.S. Department of Health and Human Services, kicked off the discussion with remarks highlighting the unique opportunity before Congress to modernize the health ecosystem. He urged policymakers to do so in a way that gives patients greater control over how their personal information is used and accessed. Dr. Rucker stressed that there are ways to maintain privacy and security for an individual’s health information without creating a walled garden for patient information, which only serves to further entrench the large incumbents. Such an arrangement stacks the deck against small app developers looking to connect patients with new, accessible, and highly personalized health services that fall outside the traditional conception of healthcare.

The subsequent panel discussion echoed the sentiment that Congress now has a great opportunity to recalibrate the treatment of both traditional and, importantly, non-traditional health information to keep pace with a rapidly changing connected health ecosystem.

Panelist A.J. Audino of Particle Health (an App Association member) is already hard at work building the infrastructure to facilitate the next generation of healthcare data access. Particle Health allows patients to receive and share their medical information digitally, seamlessly, and affordably. A.J. delineated Particle Health’s role in the digital health ecosystem by way of analogy: Particle is the “Plaid of digital health.” If that comparison doesn’t ring any bells, Plaid (which was recently acquired by Visa) is the company that provides Venmo and other third-party financial services applications the programming interface to securely connect and transfer funds from a consumer’s bank account to that specific payment app. Particle wants to serve the same function for digital health records, so that consumers have an easier way to transfer their information from medical institutions to the various applications, platforms, and services they desire.

For fellow panelist Laura Hoffman of the American Medical Association (AMA), the key to any legislative re-think of health privacy is to retain consumer trust. Laura noted that when it comes to apps that handle consumer health information, AMA has advocated a three-part test: 1) does the app provide a model privacy notice to patients; 2) was the app developed using industry guidelines around privacy; and 3) does the app adhere to best practices for data use? Such a framework mirrors CHI’s own recommendations to the Office of the National Coordinator for Health IT (ONC) as it considers its final rules to define illegal health information blocking. Laura proposed that federal legislation touching health privacy ought to incorporate similar principles.

Finally, Innovators Network Foundation Privacy Fellow and former ONC Chief Privacy Officer Joy Pritts reminded the audience that HIPAA is by no means the comprehensive health “privacy” law that many assume it is. As the “I” in HIPAA indicates, HIPAA is only intended to cover information relative to the health insurance field, and as such, does not cover the range of information that may nowadays be considered health information. New legislation could bridge the gap that currently exists between information processed by HIPAA-covered entities and everything else, giving traditional health providers more confidence to release patient health records into the digital sphere. This would better situate patients to reap the cost-savings, improved care coordination, and precision decision-making that many connected health providers offer.

The App Association is a longtime proponent of any measure that helps consumers take greater control of their personal health information, and looking ahead to the rest of this year, we are hopeful that Congress’ vision will soon align with our own.