On 4 Nov., U.S. Sen. Bill Cassidy, R-La., introduced the Health Information Privacy Reform Act. The bill's goal is to protect "Americans' private health data by expanding health privacy protections to account for new technologies that are not currently required to have privacy protections, such as smartwatches and health apps."
Putting aside the question of whether this bill will become law, does this bill make any sense?
And will it help ease the growing chaos in overall health care privacy?
My brief conclusion. There's clearly an issue here that needs addressing. The convoluted history of the Health Insurance Portability and Accountability Act has resulted in a strong set of privacy rules for entities subject to HIPAA, but no clear and obvious protection for the wide range of health care data that is not subject to the HIPAA Rules. This bill largely says, "let's treat this area just like HIPAA." For me, there are lots of reasons not to act this way, and this bill also creates a big set of confusing issues that may not easily make the growing mess any better — and will likely make it worse.
Key ideas of the bill
Much of the substance of the legislative proposal defaults the key details to the regulatory process. At a broad level, the bill instructs the Secretary of the Department of Health and Human Services "in consultation with the FTC" to draft regulations setting privacy, security and breach notification standards for the processing of "applicable health information" by "regulated entities" and their "service providers." Conceptually, these standards will provide consumer protections that "are at least commensurate with, and wherever feasible and appropriate harmonize with," the protections set by the HIPAA rules.
Right away two questions arise: Does it make sense for the HHS secretary, rather than the Federal Trade Commission, to be the primary driver, and later the enforcer, of these rules for these newly covered businesses, many of which will not be core health care businesses? Next, the core idea of this proposal is to develop protections that are commensurate with and generally harmonize with the HIPAA rules. Does that concept make sense here?
In drafting the rules, the regulators are instructed to address a series of specific topics, which already provide more detail than the analogous — but very limited — instructions to HHS in the HIPAA statute. These topics include details about privacy, security and data breach notification obligations — again matching the structure of the HIPAA rules.
As with any privacy law, it is important to understand who is subject to the law and who is protected by the law — and what information about them is protected. A covered company is called a regulated entity, which means a company that "alone or jointly with others, determines the purpose and means of processing applicable health information" — tracking the EU General Data Protection Regulation idea of a controller. The statute applies as well to a service provider, which means a legal entity that processes applicable health information on behalf of a regulated entity — a GDPR processor. There is a critical exclusion here which raises many questions — a service provider is only an entity that "is not a covered entity or business associate." This raises the likelihood, similar to some of the entity-wide exemptions in state comprehensive privacy laws, that a company could be excluded from coverage under this law because a small portion of its business also is subject to HIPAA. Consider an accounting or consulting firm that does work for hospitals — it is a business associate under HIPAA for that specific activity and therefore likely excluded from this law for all its other business activities.
The definition of applicable health information essentially tracks the HIPAA idea of protected health information — without the limitation that a HIPAA covered entity be involved. Because it tracks HIPAA, this definition also includes the HIPAA idea of information that relates to "the past, present, or future payment for the provision of health care to an individual," an odd inclusion for smartwatches or mobile apps unless payment for these apps would trigger obligations, and thus could extend — as HIPAA does — to any information the smartwatch has about the individual, whether obviously health related or not.
The substantive requirements of this proposal
Tracking the HIPAA rules, the proposal incorporates various categories of activities with different levels of consumer permission. There is a category of permitted disclosures in which no specific patient authorization is required, as long as such disclosures would be "consistent with the individual’s reasonable expectations." This category matches — at least to some extent — the concept of disclosures with assumed consent under HIPAA for treatment, payment and health care operations purposes.
A key question for regulators will be whether this provision is intended to mirror these concepts under HIPAA, which seems likely given the structure and language of the bill but may not make any real sense for a smartwatch, or whether this is an opportunity for the regulators to develop an entirely new set of areas where consumers would reasonably expect disclosures. Like HIPAA, there is a separate set of public policy categories where disclosure would be permitted — with each example tracking a HIPAA counterpart. There would also be a category of permitted disclosures with the consumer’s written authorization. Unlike HIPAA, there also would be a category of “prohibited” uses and disclosures of applicable health information.
Beyond this core element, there are several other core privacy considerations. Like HIPAA, the rules will develop a minimum necessary approach for uses and disclosures of this information. This would include guidance on the application of the minimum necessary standard to data used for artificial intelligence and other machine learning applications and relevant requirements. The regulators are obligated to develop standards and requirements related to service providers, which seems to indicate that these service providers will be directly subject to certain portions of these rules rather than only through a contract.
The rules would implement various individual rights similar to HIPAA, including access, amendment and the right to receive a privacy notice. This provision seems to drop one of my least favorite parts of the HIPAA Privacy Rule, the accounting obligation. It would also implement a right to deletion, which does not exist under HIPAA.
While tracking HIPAA overall on these rights, there also are some meaningful differences. For example, there is no limitation to a designated record set, which may indicate that all information held by a covered entity is subject to an access right. It also appears that service providers may have direct obligations to provide these individual rights — which, coupled with the broad scope of covered information, could create enormous challenges for service providers, who typically do not have direct consumer obligations for individual rights. Some of the details about how to exercise these rights are also changed. For example, a full authorization is required. Also, there is a requirement to notify consumers when their data is moving from HIPAA coverage to this new area of coverage.
In addition to these individual rights, this proposal requires a variety of administrative safeguards which directly track HIPAA requirements, including designation of a privacy officer, policies and procedures, training of workforce members, nonretaliation, documentation and mitigation.
The proposed security requirements almost exactly track HIPAA's requirements, which may make more sense overall than some of the other provisions of this proposal, to set a baseline requirement for overall security, with the addition of applying generally to all forms of information, not just electronic data. Breach notification obligations would be substantially similar to the HIPAA provisions. This raises questions about the applicability of the FTC Health Breach Notification Rule which now applies to many of the same entities subject to this proposal — and which has more stringent requirements than the HIPAA Breach Notification provisions.
Enforcement of these rules would be by the HHS secretary in consultation with the FTC. It is not clear how this consultation would work or, more significantly, how this enforcement authority would overlap with the FTC’s authority for many of these business entities today under Section 5 of the FTC Act. In fact, this enforcement would appear to just be added onto the existing Section 5 authority, as the HHS authority would be, "In addition to any other sanctions or remedies that may be available under any provision of Federal law." The general civil penalties provision would track the current HIPAA rules.
The last substantive provision may in some ways be the most important to the overall usefulness of this proposal — the preemption requirement tracks the HIPAA standard, meaning that "more stringent" state laws will continue in effect. This lack of full preemption means that the broad range of state laws impacting health data likely will stay in effect — and covered companies will have growing confusion about when to apply which standards and how to deal with overlapping and sometimes inconsistent standards where what is more stringent may not be at all obvious.
Additional provisions
Beyond these core provisions, the proposal includes a variety of additional and perhaps tangential provisions. There is, for example, a separate section discussing wellness data, whose definition reads "means data generated for the purpose of promoting health or preventing disease, which may include vital statistics, step counts, and medical regimen compliance," which would seem to be a core activity of a smartwatch, for example. Under this provision, companies collecting this data would need to, "(A) provide a written plain language notification to the individual in advance of initiating the generation of such data that such data will not be subject to the protections of the HIPAA privacy regulation; and (B) offer the individual an opportunity to opt out of such wellness data generation."
There is also a discussion of deidentified data under this proposal. The HHS secretary would be required to draft regulations "establishing unified national standards for rendering applicable health information as de-identified information, in a manner similar to the manner under HIPAA." Overall, the recognition of the gold standard status of the HIPAA deidentification standard and the broadening of this provision to non-HIPAA health data would be a positive step. The proposal adds one requirement beyond HIPAA: the idea that an entity disclosing deidentified data to another entity must ensure that the receiving party "contractually agrees in writing not to re-identify or attempt to re-identify the information, and to require the same of any person or entity to whom such person or entity provides the information."
Conclusions and issues
The field of health care privacy has grown increasingly complicated in recent years. Between aggressive enforcement of health privacy matters by the FTC and state attorneys general under general consumer protection authority, the expanded reach of the FTC Health Breach Notification Rule, the impact of 19 state comprehensive privacy laws, the growing range of state consumer health laws and an enlarging sense of what kinds of information can qualify as "health data" under these laws, e.g., location data near a health care facility, there has been a growing sense of confusion and complexity bordering on chaos in the field. Many of these developments stem from the same idea that motivates the Cassidy bill — HIPAA, for all its strengths, is not an overall health information privacy law because of its jurisdictional limitations. That has led a growing range of entities and laws to focus on filling this gap. This bill is yet another attempt at filling this gap.
While well intentioned, the approach spelled out in this bill does not appear likely to be useful overall to either consumers or industry. HIPAA works well for the health care providers and health plans subject to it — but may not make sense outside of these environments. Setting aside resource issues, there is no reason to think HHS has the appropriate expertise to regulate the wide range of entities subject to this proposal. The proposal would seem to just add another enforcement agency (HHS) on top of the FTC's existing authority, which, depending on what administration is in charge, can actually be quite substantial. The bill would not preempt the growing array of state laws addressing portions of this gap — meaning the existing complexity would just grow with the addition of yet another framework on top of this existing array.
Clearly there is a long way to go before this proposal becomes law, which is unlikely in any event. As the debate about a national privacy law has proceeded in recent years, even if on fumes at this point, how to address health privacy often has been ignored. This bill — at a minimum — raises the visibility of health care privacy in this overall debate. If nothing else, this renewed visibility — coupled with a broader debate about how to address the wide range of critical issues involved in health care privacy — will be a useful contribution to the thinking on these critical issues.
Kirk Nahra, CIPP/US, is the co-chair of the Cybersecurity and Privacy Practice at WilmerHale.
