Maddie Gilmore, Class of 2023, Belmont Law.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) was enacted more than twenty-five years ago. Its drafters could not have foreseen the proliferation of technologies that now collect and process users' private health information. On February 9, 2022, a bipartisan group of legislators introduced a proposed solution to the lack of regulation of this data. HIPAA focused on privacy and on preventing abuse of individuals' private health information, but it contemplated regulation only of health care providers, health plans, and similar entities. What was neither contemplated nor regulated was digital health companies that collect health information directly from consumers.
Although the Department of Health and Human Services Office for Civil Rights (OCR) has attempted to address these companies through interpretive guidance, such guidance is not binding on the industry. Furthermore, digital health companies and data-harboring apps are exceedingly difficult to regulate because a given dataset often cannot be traced from its initial collection to its ultimate sale and use. The newly proposed bipartisan legislation, the Health Data Use and Privacy Commission Act, is intended to modernize HIPAA. Congress is thus attempting to address the problem head-on by delegating the research and discovery process, the analysis of modern health data privacy issues and possible modern solutions, to individuals better suited to the task than Congress itself.
If passed, the Act would establish a Commission to assess the gaps in HIPAA's privacy protections that result from data collection and use by non-covered entities. The Act would have obvious ripple effects not only on the application of HIPAA, but also on other legislation, such as Section 5 of the FTC Act, which currently gives the Federal Trade Commission its authority to regulate many direct-to-consumer digital health products that are not subject to HIPAA.
Under the current statutory framework, new health care technology creates major risks to personal health information that extend beyond the scope of HIPAA: apps, wearable devices, and social media have increased the generation, collection, use, sharing, and selling of such information, and HIPAA's protections for protected health information (PHI) apply only to data held by covered entities and their business associates. The new actors have generally been beyond the Act's reach, creating a need to restructure the legislation to account for emerging health care technologies. The Commission formed under the Act, which would be made up of representatives with competing interests (such as providers, health plans, health technology developers, researchers, and consumers), would be charged with conducting research, producing reports, and submitting reform recommendations to Congress and the President.
Interestingly, the proposal may draw on state law, such as the California Consumer Privacy Act of 2018 (CCPA). The Act has been referred to the U.S. Senate Committee on Health, Education, Labor, and Pensions and is still in its early stages. It is supported not only by a variety of health care industry representatives (such as the Association of Clinical Research Organizations), but also by both Democratic and Republican members of Congress, as bipartisan legislation. This agreement demonstrates a consensus that updates to HIPAA are necessary. Furthermore, the U.S. is now echoing an international trend on this emerging issue, exemplified by the General Data Protection Regulation (GDPR), a European law. If the new framework can be made consistent with the GDPR, American companies will no longer face two different standards depending on where their operations take place.