Privacy Hub's fortnightly synthesis of the major news items
affecting and shaping health data privacy,
with expert analysis and commentary
The last few weeks in a flash:
Amidst Flurry of State Proposals, Congress Holds Hearing on ADPPA
WilmerHale (March 6, 2023)
"On March 1st, the Innovation, Data, and Commerce Subcommittee of the House Committee on Energy and Commerce held a hearing titled 'Promoting U.S. Innovation & Individual Liberty through a National Standard for Data Privacy.' The main subject of the hearing was the American Data Privacy Protection Act (ADPPA), a comprehensive privacy proposal that made history last year by being the first bill of its kind to make it out of committee. Though the bill did not get a vote in the full House of Representatives or get formally introduced in the Senate, this hearing indicates that Congress once again has an appetite for federal privacy legislation and for the ADPPA specifically."
A first-of-its-kind bill to protect healthcare data is on its way to the Senate
NBC (March 4, 2023)
"The House of Representatives in Olympia is leading the fight for consumer healthcare data. House bill 1155, also known as the My Health, My Data Act, passed the House with a 57-39 vote on Saturday, March 4. The bill is a partnership with Attorney General Bob Ferguson. It will ban the sale of health data shared with apps and websites not protected under HIPAA, the Health Insurance Portability and Accountability Act of 1996. Additionally, the bill will require consent from the user before any health data can be collected or shared."
FTC Orders BetterHelp Health App to Pay $7.8M for Sending User Data to Facebook & Snapchat
Legal Health Information Exchange (March 2, 2023)
"Today, the FTC issued a proposed order requiring BetterHelp, Inc., an online counseling service App, to pay $7.8 million to consumers to settle charges that it shared consumers’ health data (including sensitive mental health information) with third-party advertising platforms, including Facebook, Pinterest, Snapchat, and Criteo, after promising to keep such data private."
Senators Introduce UPHOLD Privacy Act to Prevent Use of Health Data For Advertising
Health IT Security (March 6, 2023)
"US Senators Amy Klobuchar (D-MN), Elizabeth Warren (D-MA), and Mazie Hirono (D-HI) introduced the Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act, aimed at preventing the use of health data for advertising purposes. If passed, the UPHOLD Privacy Act would prohibit the use of 'personally identifiable health data collected from any source, including data from users, medical centers, wearable fitness trackers, and web browsing histories' from being used for commercial advertising."
According to Klobuchar's press release, the UPHOLD Privacy Act would ban the use of personally identifiable health data collected from any source, including data from users, medical centers, wearable fitness trackers, and web browsing histories, for commercial advertising; the ban would not apply to public health campaigns (e.g., encouraging college students to get vaccinated). The bill would also place additional data minimization and disclosure restrictions on companies’ use of personal health data without an individual user’s consent, and would prohibit the sale of precise location data to and by data brokers.
HHS Announces New Divisions Within the Office for Civil Rights to Better Address Growing Need of Enforcement in Recent Years
HHS (February 27, 2023)
"Today, the U.S. Department of Health and Human Services, through the Office for Civil Rights (OCR), announced the formation of a new Enforcement Division, Policy Division, and Strategic Planning Division. As HHS’ law enforcement agency, OCR enforces 55 civil rights, conscience and privacy statutes, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA). . . 'OCR’s caseload has multiplied in recent years. . .' said OCR Director Melanie Fontes Rainer. . . OCR will rename the Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to be more reflective of their work and role in cybersecurity."
De-identified data is essential to innovation in health care. But there are headwinds developing that may threaten the continued use of de-identified data, including rumblings of requiring individual consent to use de-identified data and the prospect of federal and state requirements diverging from the HIPAA de-identification standards. To ensure the continued ability to use de-identified health care data—in a manner that rigorously protects the individuals represented in that data—the industry should push for two goals.
First, we need a strong federal prohibition on re-identification of individuals from de-identified datasets (with limited exceptions, such as IRB-approved research on re-identification or re-identification with individual consent). Currently, only California and Arizona prohibit re-identification, and even in those states the scope of the prohibitions is limited. Without strong federal protection against re-identification, we likely will see increasing calls to require individual control over the use of de-identified data. Requiring individual consent would impose substantial costs that could shut down essential research, and it would compromise the quality of research by introducing consent bias into the data.
Second, we need to ensure the well-established HIPAA de-identification standards will be used in evolving state laws related to consumer data, patient health information, and genetic privacy. Having one consistent and well-crafted de-identification standard is crucial for research and other data collaborations involving entities across the country.
Many health care organizations are exercising good data stewardship and imposing downstream contractual protections over de-identified data to reduce the risk of re-identification of their patients. But the efforts of individual organizations will not assure the public that de-identified information is secure and will not be used to re-identify individuals. We need one federal standard that better protects individuals and preempts state laws.
American Data Privacy & Protection Act
The Office of Civil Rights' Annual Report on HIPAA Privacy, Security, and Breach Notification Rule Compliance + Report on Breaches of Unsecured Protected Health Information
Illinois Biometric Information Privacy Act
How policymakers could tweak HIPAA to better protect abortion records
STAT News (February 7, 2023)
Article by Avani Kalra
"Patient privacy law offers little protection if law enforcement requests a person’s medical records — an issue that’s fueled concern as states impose restrictions on abortion after the Supreme Court overturned Roe v. Wade. 'I think it’s important to know that right now, your health records aren’t necessarily protected. And that is because HIPAA privacy protections weren’t prepared for this moment,' said Rep. Sara Jacobs (D-Calif.), referring to the Health Insurance Portability and Accountability Act, which protects patient medical records. Jacobs recently worked with Rep. Anna Eshoo (D-Calif.) to author the Secure Access for Essential Reproductive (SAFER) Health Act, which would prohibit lawmakers from sharing personal health information related to abortion or pregnancy loss without patient consent."
GoodRx, Health Data Brokerage, and the Limits of HIPAA
Lawfare (March 6, 2023)
Article by Justin Sherman
"While the Health Insurance Portability and Accountability Act (HIPAA) imposes some controls on the collection, use, and distribution of 'protected health information' by covered entities, such as health care providers, it is narrowly scoped and leaves a vast ocean of health data unprotected. Hence, as underscored by the FTC’s GoodRx action, current U.S. privacy regulation allows many companies to legally collect, share, and sell—in other words, broker access to—Americans’ health data, from surgical histories to drug prescriptions. This lack of regulation creates a range of privacy risks to individuals, particularly marginalized and at-risk populations, and raises urgent questions about Congress’s ability and willingness to respond."
Clinical Research and Patient Data Protection are at a Complicated Intersection
Nelson Mullins Riley & Scarborough LLP (February 23, 2023)
"In this article, we will discuss three areas where evolving data privacy protections and clinical trials intersect, resulting in important considerations to ensure our ability to continue meaningful clinical research while protecting participating data subjects: (1) The importance of defining your role and knowing your responsibilities; (2) Cross-border transfers of Personal Data; and (3) The complicated reality of notice requirements."
INTERVIEW: How synthetic data can boost efficiency for clinical researchers and IT leaders
Healthcare IT News (February 23, 2023)
"In healthcare, with the important emphasis on patient privacy, synthetic data dramatically increases the number and types of users, especially external users, who can interact with data. For example, with robust and accurate synthetic data, health systems can give data access to algorithm developers to train a disease-progression predictive model."