The draft American Data Privacy and Protection Act that is the focus of current attention raises many complex issues. I want to focus on one detail from the bill. My basic objective is to illustrate some of the difficulties of regulating health information that exists outside the health care system.
The bill defines sensitive covered data to include “Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatment of an individual.” That definition for what we can call here health data seems pretty broad and perhaps appropriately so. There is similar language in the Health Insurance Portability and Accountability Act. The HIPAA language expressly covers payment, but it’s not clear if the ADPPA covers payment data too.
Given the bill’s broad definition, what exactly is health data in practice? I offer some examples of issues that will arise. Pay attention to the details. The question in each case is whether the consumer information is health data regulated under the ADPPA. For purpose of discussion, assume that the merchant records the consumer’s information.
- A consumer in a restaurant orders a sandwich on gluten-free bread. Health data? Is your answer different if the consumer tells the waiter of an allergy to gluten and asks if there is a gluten-free option?
- A consumer buys gluten-free bread; yogurt that promises to help with digestive health; “heart-healthy” cereal; a bottle of aspirin; an over-the-counter supplement designed to assist with the control of tinnitus (ringing in the ears). These are just a few of the many non-prescription health-related items widely available.
- A consumer in a health supplement store buys creatine, an amino acid used to treat mitochondrial disease and also for body building. The store may or may not know how the consumer will use the product.
- A consumer buys reading glasses with 3X magnification. Another buys a book with large print. Another buys a book titled “Eat To Beat Depression and Stress.”
- An overweight consumer on an airplane asks for a seat belt extender.
- A consumer shows proof of COVID-19 vaccination as a condition of entry to a store or theatre.
- A consumer’s social media page reveals membership in an advocacy group for a named disease.
- A consumer’s social media posts reveal a medical condition for which the chance of inheritance is 50%. Is that health information about the consumer? The consumer’s children?
- A consumer tells an airline that he has a broken leg and needs special treatment. Another consumer with flying anxiety brings an emotional support animal on the plane.
- A gym (or an app or a smartwatch or an activity monitor) records information from a user about the user’s workouts, steps, sleep patterns or heart rate.
- A consumer reserves a hotel room designed for people in a wheelchair. Another consumer refuses a room on the thirteenth floor.
- A website monitors public and private posts to assess whether individuals display signs of mental instability, threatening behavior or suicidal thoughts.
- A car transportation service delivers a consumer to an address that is a hospital; a dialysis center; or a psychiatrist’s office.
- An office building asks an entering consumer for identification and copies the consumer’s driver’s license that reveals height, weight, need for vision correction and other medical conditions.
One can continue endlessly with these types of examples. The problem is that you often cannot tell what is health information without a context. Almost any personal information can reveal something about health status in some context: where I live, what I ate for lunch, what I read, where I work, what kind of sneakers I wear, etc. Further, the context may depend on whether the information is collected by observation, from a transaction, by disclosure by the data subject, from a third-party record, from a doctor’s record, or from a public record.
HIPAA solves the context problem by defining covered entities as health care providers and health insurers. Given that, health information is any personal information about an individual held by a covered entity. It doesn’t matter if the information is the patient’s diagnosis or the color of the patient’s car. It’s all protected the same under HIPAA. But, when HIPAA-protected information is transferred to someone outside of HIPAA, the privacy rules do not follow the information, and no privacy protections may apply. This approach has its shortcomings, but we know absolutely what information is regulated in the hands of HIPAA covered entities. That is not the case with the ADPPA.
Not all categories of sensitive information in the ADPPA present the same need for context as health data. A credit card number is a credit card number no matter the context. Yet even that may be harder than you think. Are the last 12 digits of your 16-digit credit card regulated as a credit card number? If it’s a Visa card, the first four digits are the same for just about everyone. Does that matter?
When a privacy law has different standards for different types of data, questions and problems arise at the borders between the categories. The ADPPA leaves a lot of consumer information with different levels of protection. Perhaps a better solution would be to impose a higher and more consistent level of protection for all routinely processed personal information so that it’s not so important if a piece of data is “sensitive” or not.
By the way, the same problem identified here with health data arises with genetic information. You might know someone’s genetic information just by observation (sex, hair color, height, etc.) but you also might know the same information from a genetic test. Is it all genetic information under the bill, and how can you tell?
Finally, I end with an overtly trick question about the bill. A consumer applies for a loan at a bank to pay for heart surgery. Is that information, in the hands of the bank, health information under the ADPPA?
The answer is that the bank isn’t covered by the ADPPA because the bill exempts financial institutions regulated by the Gramm-Leach-Bliley Act. Yet GLB offers no meaningful privacy protection to consumers so all consumer information, health or otherwise, held by banks is virtually unregulated for privacy. See my previous column on GLB. The banks use GLB as a shield against real privacy rules, and they succeed everywhere, laughing all the way to the … you get the idea.
Meanwhile, it’s an example of personal health data that has no privacy protections under the ADPPA.