Today, the law of the land concerning the privacy of individuals’ health information is the Health Insurance Portability and Accountability Act (HIPAA), and more specifically, the HIPAA Privacy Rule. But one need only take a cursory look at the name of the underlying law (Health Insurance Portability…) to glean that it was never meant to serve as the central healthcare privacy mechanism. Indeed, because HIPAA’s primary function is to provide guardrails for those handling health insurance claims, its rules orient to entities that handle sensitive information, rather than the sensitive information itself.
More than two decades of HIPAA on, it’s clear this approach fails to reckon with the many ways one can generate health information that lives outside of those covered entities. Thanks to rapid advances in computing power, storage capabilities, and digital sensors, wearables and other connected heath devices are more accessible than ever before. These devices produce insight, meaning, and value for consumers who wish to supplement traditional care with a more personalized healthcare experience. Yet since much of this data exists without HIPAA protections, uncertainty abounds – creating barriers for those who wish to harness this revolutionary technology but desire clearer rules of the road. It’s high time for a healthcare privacy law that meets us in the 21st century.
Legislative Approaches
While many assume that the long-gestating comprehensive federal privacy bill is the logical vehicle for such a measure, those closely following the process recognize that negotiations have been slow and fraught. Some lawmakers now venture that a comprehensive bill might not be the most expedient vehicle for healthcare privacy after all, and in recent months we’ve seen a few efforts to fast-track healthcare privacy via a standalone measure. In the meantime, state policymakers have produced several laws, most notably the California Consumer Privacy Act (CCPA), that have major implications on healthcare privacy in the continued absence of a federal law.
Below we summarize some of these newer measures and proposals and assess how they interplay with the current consumer healthcare data ecosystem.
The Protecting Personal Health Data Act (S. 1842)
Introduced by Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) in June 2019, the Protecting Personal Health Data Act was the first federal effort to separately navigate the healthcare privacy space.
The bill would do so by requiring the Secretary of Health and Human Services (HHS) to promulgate new regulations to “help strengthen privacy and security protections relative to personal health data collected by consumer devices.” Those regulations would be based on recommendations from the National Task Force on Health Data Protection, an appointed body of 15 stakeholders selected by HHS and the Federal Trade Commission.
The definition of personal health data in the law is similar to that of Europe’s General Data Protection Regulation (GDPR) and includes “any information, including genetic information, whether oral or recorded in any form or medium, that relates to the past, present, or future physical or mental health or condition of an individual and that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”
Notably, the bill would expressly limit the scope of the HHS promulgated regulations to outside of HIPAA, as the regulations may not “supersede, alter, or otherwise affect any privacy and security requirements enforced by Federal agencies” – effectively bifurcating healthcare data into HIPAA and non-HIPAA regulated buckets. The bill does not discuss mechanisms for enforcing the proposed regulations.
Smartwatch Data Act (S. 2885)
Introduced just a few months after the Protecting Personal Health Data Act, the Smartwatch Data Act takes a far more proscriptive tack. The bill, crafted by Senators Jackie Rosen (D-NV) and Bill Cassidy (D-LA), would prohibit the transfer, sale, sharing, or access to any non-anonymized (de-identified) consumer health information, or other individually identifiable health information, that is: collected, recorded, or derived from personal consumer devices unless consent has first been obtained from the consumer. The bill would also prevent the transfer, sale, sharing, or accessing of covered data with domestic information brokers, other domestic entities, or entities based outside of the United States without prior consent.
The bill’s definition of ‘‘consumer health information’’ is also arguably more expansive than the Protecting Personal Health Data Act, as it covers “any information about the health status” of an individual, and specifically includes personal biometric information (DNA, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings) and personal kinesthetic information (keystroke patterns or rhythms, gait patterns or rhythms, sleep information).
The Smartwatch Data Act would exempt from the consent provision information transfers to entities already covered under HIPAA but would require those entities and business associates to treat any consumer health information they receive as HIPAA-regulated personal health information (PHI).
For enforcement, the bill directs HHS to treat violations in the same manner and extent with which it would treat HIPAA violations.
CCPA
Meanwhile, in the absence of a federal privacy law or new healthcare-specific law, CCPA is likely to become the de-facto national privacy law so long as it remains the highest bar for companies to clear. With the caveats that we are still awaiting final California Attorney General (AG) regulations and much of the law is as-yet untested in the courts, it would appear CCPA also pulls previously un-regulated health information under its auspices.
As a general matter, CCPA’s provisions concern entities that handle “personal information,” defined as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.” Companies that handle personal information and do not otherwise meet one of the coverage exemptions must extend to consumers the various new rights delineated in the law, including rights of access, transparency, deletion, and to opt-out of third-party data sales.
The relevant healthcare-related exemption is elucidated in Section 798.145(c)(1)(A), which seems to create a blanket exemption for medical information governed by California’s state-specific health privacy law – the California Medical Information Act (CMIA), and “protected health information that is collected by a covered entity or business associate” already covered by HIPAA. Though there is some debate whether the healthcare exemption will cover all information at covered entities or just PHI maintained in a HIPAA compliant manner, the upshot is that most information residing at already covered entities is exempted.
Therefore, companies meeting CCPA’s underlying coverage threshold and handling any health data that falls under the definition of personal information not already covered by CMIA or HIPAA are subject to the new law’s provisions. Violations of CCPA will be enforceable by the California AG beginning July 1, 2020.
Conclusion
While each of these measures takes a different approach, they all recognize the deficient state of play when it comes to healthcare privacy and offer a valuable perspective to the debate – the first step toward creating a modern healthcare privacy law. Going forward, the App Association will continue to monitor proposals in this space and will ensure that the voices of developers remain well-represented in the conversation.