Senator Bill Cassidy (R-LA), Ranking Member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, released a report to propose policy recommendations to revise the Health Insurance Portability and Accountability Act of 1996 (HIPAA) framework and ensure privacy protections for health data and information. In the report, Senator Cassidy highlights recent reports of breaches and violations of patients’ health data privacy and outlines several proposals to modernize the HIPAA framework and other privacy regulations.
Senator Cassidy released a request for information (RFI) in late 2023 regarding updating health privacy laws. In response to the RFI, trade associations, hospitals, electronic health record (EHR) vendors, health technology companies, and think tanks submitted responses. The report’s recommendations are informed by stakeholders’ public comments in response to the RFI.
Key Takeaways
- Senator Cassidy’s report on health data privacy considers data and proposes policy recommendations in the following categories: (1) proposals to update HIPAA; (2) proposals to address health data in the HIPAA “gray area”; and (3) proposals to address data outside of HIPAA. The report emphasizes the need for Congress to pass legislation and provides insight into proposals that may be included in forthcoming legislation. Stakeholders should review the report’s policy recommendations and be aware of the health data policy gaps identified in the report.
- The release of this report is part of a larger Congressional effort to enact national data privacy legislation. On April 7, Representative Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA) released a draft bipartisan, bicameral federal privacy framework, the American Privacy Rights Act (APRA). Entities in compliance with HIPAA would be deemed to be in compliance with the proposed framework’s requirements, other than its data security requirements. Additionally, the proposed framework would impact how companies handle consumers’ “sensitive covered data,” including certain health, biometric and genetic information.
- The report does not specifically address interoperability but notes that Congress needs to consider advancing interoperability while discussing privacy protections. The report states that Congress should create guardrails around how non-HIPAA covered data is shared to ensure interoperability does not sacrifice patient privacy and to create a more sustainable framework for future information sharing.
Strengthening Health Data Privacy for Americans: Addressing the Challenges of the Modern Era
1. Proposals to Update HIPAA
The report states that public comments in response to the RFI focused on proposing modifications to HIPAA to account for a more technically advanced digital health care system. It stated that discrete updates and clarifications could better enable HIPAA to function for the future.
- The “minimum necessary standard”: Under HIPAA, the “minimum necessary” standard requires covered entities to limit the use and disclosure of protected health information (PHI) to the most limited information that would fulfill a request in order to limit inadvertent unauthorized disclosure of PHI. The report states that this standard has been a useful safeguard to limit unauthorized disclosure of PHI, but the increased digitization of health care information has created technical challenges for compliance.
The report states that Congress needs to clarify the minimum necessary standard to better allow for a more digital health care system. Specifically, it recommends that Congress direct the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to provide clear guidance on how the minimum necessary standard aligns with other regulatory requirements, including health data system interoperability requirements mandated by the 21st Century Cures Act.
- Release of information/third party directive: The patient right of access to medical records requires that patients are charged a reasonable rate based on the cost of labor, supplies and postage. Patients may also request that a third party (e.g., another provider) receive their medical records; in those cases, the patient rate applies. However, according to the report, some bad actors use the patient rate to receive records that are not directly for the patient and should not be charged at the patient rate.
The report states that Congress should address uncertainty in HIPAA’s “third party directive” by clearly defining which requests should be eligible for the patient rate to ensure only true requests on behalf of patients receive that benefit.
- Align treatment of all health data: The report cites recent legislative and regulatory action to protect specific types of health data, namely substance use disorder health data and reproductive health data. The report expresses support for the recent Coronavirus Aid, Relief, and Economic Security (CARES) Act, which removed barriers for the sharing of substance use disorder data among treating providers (i.e., “Part 2” data).
The report also cited a Biden Administration proposed rule that would enact barriers to sharing certain reproductive health records in response to the Supreme Court’s Dobbs v. Jackson Women’s Health Organization decision. It raises concern about regulations that would treat certain health data differently, which could create uncertainty and confusion and lead to inappropriate withholding and disclosure of health information. The report states that HIPAA should treat all health data the same and should remain the federal floor for protecting medical records. It states that Congress should continue in these efforts and ensure a full alignment of all health data within HIPAA.
- Patient ownership of health data: HIPAA generally allows researchers to use patient health information for research purposes, provided that the health information is de-identified. However, as healthcare artificial intelligence (AI) continues to develop, there are concerns regarding patient ownership and autonomy over their health data, since developing algorithms requires large datasets.
The report states that Congress should examine whether the existing research exemptions permitting use of de-identified data should consider a patient’s ability to opt-in or opt-out of participation and to examine risk of re-identification of patient information during research. It also states that Congress should examine whether patients should have the right to be compensated for sharing their identifiable data that is used to develop AI systems and technologies, similar to how patients are compensated for clinical trial participation.
2. Proposals to address health data in the HIPAA “gray area”
Public comments in response to the RFI raised concern about gaps between patient and consumer privacy expectations and identified different types of health information not explicitly covered by HIPAA, or “gray areas,” including intake services, the removal of health data from HIPAA, patient generated wellness data, sensor generated data, and direct-to-consumer collected genetic data. The report states that Congress should provide clarity for companies and patients to address these “gray areas.”
- Intake services: Digital health companies, which are not HIPAA covered entities, offer platforms that allow patients to locate providers and be matched with them based on geographic and medical need. These platforms require patients to fill out intake forms, including extensive medical history and health data, which is not covered by HIPAA. The report notes that this gap led to a recent Federal Trade Commission (FTC) enforcement action against BetterHelp over allegations that the company was sharing certain information with third-party companies for advertising purposes.
The report states that Congress should provide greater clarity by ensuring HIPAA protections include intake information that is collected through virtual platforms.
- Patient notification of removal of HIPAA protections: As patients use connected devices to share health data across platforms, they often have to authorize software to access these data. Where the application is direct-to-consumer (DTC), data that was HIPAA protected may lose that protection when it is shared at the patient’s direction with these applications.
The report did not issue specific recommendations for Congress but raised considerations for software developers. Specifically, the report states that software applications should provide notifications to users when transferring health information generated under the HIPAA framework from covered entities into environments where those protections would no longer legally apply. It also states that software applications should provide plain language descriptions of how an individual’s data would be collected and shared and require patient consent before selling or disclosing their data to third parties.
- Patient notification when they generate wellness data: Consumer use of wellness applications and devices has led to an increased amount of health data that is not covered under HIPAA. Some of these applications are marketed as health applications and collect health data (i.e., information about fitness, nutrition, sleep, etc.).
The report states Congress should require developers to make clear to consumers that any information generated from using a wellness app is not covered under the HIPAA framework.
- Sensor data: Consumer data is increasingly collected via sensor technologies, including menstruation trackers, step counters, and smart watches with accelerometers and sensors for sudden falls. Data collected by sensors is also not generally protected under the HIPAA framework or considered PHI.
The report states that Congress needs to prevent discrimination against consumers based on the collection of this identifiable wellness data and includes a reference to a bill that would require informed consent from consumers before their sensor data is sold to data brokers.
- Genetic data: Genetic data is contained in all patient samples and can be used to determine a range of health conditions about a patient. DTC companies that collect genetic data are not HIPAA-covered entities, and the genetic data they collect through patient provided samples is not subject to HIPAA protections. Thus, DTC companies fall under the authority of FTC regulation.
The report states that Congress should legislate appropriate notice and consent requirements and safeguards to protect consumers and meet their expectations, following the lead of states that have enacted such legislation. It also states that Congress should consider how to expand research protections to genetic data collected by DTC genetic testing entities, possibly by implementing certain human subject protections, similar to those in place for research conducted through the Common Rule.
- Preemption: The federal HIPAA framework serves as a floor for health privacy protections and does not completely preempt state law in this field. A number of states have passed comprehensive data privacy laws, some with health data specific provisions.
As Congress develops privacy legislation, the report states that it must consider existing state frameworks that govern health data. It recommends that Congress consider a similar model to HIPAA when creating a federal privacy framework for health data. This would provide additional regulatory certainty while allowing states to continue to supplement requirements to meet individual state needs.
- Enforcement: OCR is currently the primary enforcement authority over HIPAA violations while the FTC has taken an increased enforcement role over non-HIPAA covered data.
The report states that Congress should consider how to best balance this enforcement framework between the two agencies and continue to recognize OCR as the primary enforcement body over health data.
3. Proposals to address data outside HIPAA
Data outside of HIPAA can include geolocation data, financial data, internet search history or biometric data. The report mentions that states have enacted state-level privacy laws and that federal agencies are initiating enforcement actions and releasing proposals to regulate non-HIPAA data. The report criticizes the recent OCR proposal to impose greater protections for health data privacy. For non-HIPAA covered data, the report states that Congress needs to enact comprehensive data privacy reform.
4. Interoperability
The report acknowledges advancements in interoperability and notes that protecting health data goes hand in hand with promoting interoperability. According to the report, as health care organizations become more interoperable with one another, the risk of inappropriate data disclosures increases as more entities have access to patient information. Creating a health data privacy framework as well as establishing guardrails around the sharing of non-HIPAA data will further encourage interoperability and help to balance data access with privacy and safety concerns.