Privacy Matters | Congress turns its attention to federal privacy legislation, Kristen Rosati advocates for a national standard for de-identification, & more

March 9, 2023 | By

Privacy Matters

Privacy Hub's fortnightly synthesis of the major news items
affecting and shaping health data privacy,
with expert analysis and commentary

To subscribe to our newsletter, click here


The last few weeks in a flash:

  • Congress turns its attention to federal privacy legislation
  • The FTC sanctions another healthcare player over improper health data sharing practices
  • New federal bill is introduced with the purpose of preventing the use of health data for advertising

Leading Stories

Amidst Flurry of State Proposals, Congress Holds Hearing on ADPPA
WilmerHale (March 6, 2023) 
"On March 1st, the Innovation, Data, and Commerce Subcommittee of the House Committee on Energy and Commerce held a hearing titled 'Promoting U.S. Innovation & Individual Liberty through a National Standard for Data Privacy.' The main subject of the hearing was the American Data Privacy Protection Act (ADPPA)– a comprehensive privacy proposal that made history last year by being the first bill of its kind to make it out of committee. Though the bill did not get a vote in the full House of Representatives or get formally introduced in the Senate, this hearing indicates that Congress once again has an appetite for federal privacy legislation and for the ADPPA specifically." Keep reading

A first-of-its-kind bill to protect healthcare data is on its way to the Senate
NBC (March 4, 2023) 
"The House of Representatives in Olympia is leading the fight for consumer healthcare data. House bill 1155, also known as the My Health, My Data Act, passed the House with a 57-39 vote on Saturday, March 4. The bill is a partnership with Attorney General Bob Ferguson. It will ban the sale of health data shared with apps and websites not protected under HIPAA, The Health Insurance Portability and Accountability Act of 1996. Additionally, the bill will require consent from the user before any health data can be collected or shared." Keep reading

FTC Orders BetterHelp Health App to Pay $7.8M for Sending User Data to Facebook & Snapchat
Legal Health Information Exchange (March 2, 2023) 
"Today, the FTC issued a proposed order requiring BetterHelp, Inc., an online counseling service App, to pay $7.8 million to consumers to settle charges that it shared consumers’ health data (including sensitive mental health information) with third-party advertising platforms, including Facebook, Pinterest, Snapchat, and Criteo, after promising to keep such data private." Keep reading

Senators Introduce UPHOLD Privacy Act to Prevent Use of Health Data For Advertising
Health IT Security (March 6, 2023) 
"US Senators Amy Klobuchar (D-MN), Elizabeth Warren (D-MA), and Mazie Hirono (D-HI) introduced the Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act, aimed at preventing the use of health data for advertising purposes. If passed, the UPHOLD Privacy Act would prohibit the use of 'personally identifiable health data collected from any source, including data from users, medical centers, wearable fitness trackers, and web browsing histories' from being used for commercial advertising." Keep reading

  • Klobuchar's press release states that the UPHOLD Privacy Act would ban the use of personally identifiable health data collected from any source, including data from users, medical centers, wearable fitness trackers, and web browsing histories, for commercial advertising. The restrictions would not apply to public health campaigns (e.g., college students for vaccinations); place additional data minimization and disclosure restrictions on companies’ use of personal health data without an individual user’s consent; and prohibit the sale of precise location data to and by data brokers.

HHS Announces New Divisions Within the Office for Civil Rights to Better Address Growing Need of Enforcement in Recent Years
HHS (February 27, 2023) 
"Today, the U.S. Department of Health and Human Services, through the Office for Civil Rights (OCR), announced the formation of a new Enforcement Division, Policy Division, and Strategic Planning Division. As HHS’ law enforcement agency, OCR enforces 55 civil rights, conscience and privacy statutes, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA). . . 'OCR’s caseload has multiplied in recent years. . .' said OCR Director Melanie Fontes Rainer. . . OCR will rename the Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to be more reflective of their work and role in cybersecurity." Keep reading


Experts Expound

As this fortnight’s guest commentator, Kristen Rosati, a Partner at Coppersmith Brockelman, PLC and a Past President and Fellow of the American Health Law Association, advocates for a federal standard prohibiting the re-identification of individuals represented in de-identified data sets and a national standard for de-identification.

Kristen Rosati

De-identified data is essential to innovation in health care. But there are headwinds developing that may threaten the continued use of de-identified data, including rumblings of requiring individual consent to use de-identified data and the prospect of federal and state requirements diverging from the HIPAA de-identification standards. To ensure the continued ability to use de-identified health care data—in a manner that rigorously protects the individuals represented in that data—the industry should push for two goals.

First, we need a strong federal prohibition on re-identification of individuals from de-identified datasets (with limited exceptions, such as IRB-approved research on re-identification or with individual consent). Currently, there are prohibitions against re-identification only in California and Arizona, and even in those states the scope of the prohibitions are limited. Without strong federal protection against re-identification, we likely will see increasing calls to require individual control over the use of de-identified data. Requiring individual consent will result in substantial costs that could shut down essential research and compromise the quality of research by introducing consent bias into data.

Second, we need to ensure the well-established HIPAA de-identification standards will be used in evolving state laws related to consumer data, patient health information, and genetic privacy. Having one consistent and well-crafted de-identification standard is crucial for research and other data collaborations involving entities across the country.

Many health care organizations are exercising good data stewardship and imposing downstream contractual protections over de-identified data to reduce the risk of re-identification of their patients. But the efforts of individual organizations will not assure the public that de-identified information is secure and will not be used to re-identify individuals. We need one federal standard that better protects individuals and preempts state laws.


Government Watcher

American Data Privacy & Protection Act

  • Background: The ADPPA, or H.R. 8152, is a United States proposed federal online privacy bill that, if enacted into law, would regulate how organizations keep and use consumer data. The bipartisan, bicameral bill was the first American consumer privacy bill to pass committee markup, which it did with near unanimity. It was introduced in the House in June 2022. 
  • Latest Developments: 
    Governor Newsom, Attorney General Bonta and CPPA File Letter Opposing Federal Privacy Preemption (February 28, 2023)
    "Today, Governor Gavin Newsom, Attorney General Rob Bonta, and the California Privacy Protection Agency (CPPA) sent a joint letter to Congress opposing preemption language in H.R. 8152, the American Data Privacy and Protection Act (ADPPA). The ADPPA, introduced in the last Congressional session, sought to replace California’s landmark law with weaker protections and could compromise the ability of the California Privacy Protection Agency (CPPA) to fulfill its mandate to protect the privacy of Californians. California today calls on Congress to set the floor and not the ceiling in any federal privacy law, and to allow states to provide additional protections in response to changing technology and data privacy protection practices." Keep reading

The Office of Civil Rights' Annual Report on HIPAA Privacy, Security, and Breach Notification Rule Compliance + Report on Breaches of Unsecured Protected Health Information

  • Background & Latest Development: The Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently submitted two annual reports to Congress setting forth a summary of complaints and breaches reported to the OCR during calendar year 2021, as well as the enforcement actions taken by the OCR in response.

Illinois Biometric Information Privacy Act

  • Background: On October 3, 2008, Illinois set forth the Biometric Information Privacy Act in an effort to regulate the collection, use, and handling of biometric identifiers and information by private entities. Notably, the Act does not apply to government entities. Also known as BIPA, the first-of-its-kind law has, since 2008, made Illinois the only state that grants a private right of action to sue over the improper collection and mishandling of biometric data.
  • Latest Developments: 
    Illinois Supreme Court Finds that Biometric Information Privacy Act Claims Accrue with Each and Every Violation
    WilmerHale (February 23, 2023)

    "On February 17, 2023, the Illinois Supreme Court held in a 4-3 split opinion that claims under the state’s Biometric Information Privacy Act (BIPA) accrue each time there is a biometric collection or transmission constituting a potential violation, even if the same biometric identifier is being collected or transmitted by the same entity from the same individual repeatedly. This opinion follows a recent Illinois Supreme Court decision that found a five-year limitations period for BIPA claims." Keep reading

Food for Thought

How policymakers could tweak HIPAA to better protect abortion records
STAT News (February 7, 2023)
Article by Avani Kalra
"Patient privacy law offers little protection if law enforcement requests a person’s medical records — an issue that’s fueled concern as states impose restrictions on abortion after the Supreme Court overturned Roe v. Wade. 'I think it’s important to know that right now, your health records aren’t necessarily protected. And that is because HIPAA privacy protections weren’t prepared for this moment,' said Rep. Sara Jacobs (D-Calif.), referring to the Health Insurance Portability and Accountability Act, which protects patient medical records. Jacobs recently worked with Rep. Anna Eshoo (D-Calif.) to author the Secure Access for Essential Reproductive (SAFER) Health Act, which would prohibit lawmakers from sharing personal health information related to abortion or pregnancy loss without patient consent." Keep reading

  • Avani Kalra is a health and science reporter for Medill News Service. 

GoodRx, Health Data Brokerage, and the Limits of HIPAA
Lawfare (March 6, 2023)
Article by Justin Sherman
"While the Health Insurance Portability and Accountability Act (HIPAA) imposes some controls on the collection, use, and distribution of 'protected health information' by covered entities, such as health care providers, it is narrowly scoped and leaves a vast ocean of health data unprotected. Hence, as underscored by the FTC’s GoodRx action, current U.S. privacy regulation allows many companies to legally collect, share, and sell—in other words, broker access to—Americans’ health data, from surgical histories to drug prescriptions. This lack of regulation creates a range of privacy risks to individuals, particularly marginalized and at-risk populations, and raises urgent questions about Congress’s ability and willingness to respond." Keep reading

  • Justin Sherman is a nonresident fellow at the Atlantic Council's Cyber Statecraft Initiative and a senior fellow at Duke University's Sanford School of Public Policy, where he runs its data brokerage research project.

Clinical Research and Patient Data Protection are at a Complicated Intersection
Nelson Mullins Riley & Scarborough LLP (February 23, 2023)
"In this article, we will discuss three areas where evolving data privacy protections and clinical trials intersect, resulting in important considerations to ensure our ability to continue meaningful clinical research while protecting participating data subjects: (1) The importance of defining your role and knowing your responsibilities; (2) Cross-border transfers of Personal Data; and (3) The complicated reality of notice requirements." Keep reading

Best of the Rest

How synthetic data can boost efficiency for clinical researchers and IT leaders
Healthcare IT News (February 23, 2023) 
"In healthcare, with the important emphasis on patient privacy, synthetic data dramatically increases the number and types of users, especially external users, who can interact with data. For example, with robust and accurate synthetic data, health systems can give data access to algorithm developers to train a disease-progression predictive model." Keep reading

  • Josh Rubel is the Chief Commercial Officer at MDClone, a data analytics and synthetic data technology vendor.

Feedback or questions? We'd love to hear from you!
Reach us at

Related Newsletters

Privacy Matters | Two more states pass comprehensive consumer privacy legislation, David Copeland offers an introduction to unstructured health data within the privacy preservation space, & more

Privacy Matters | Two more states pass comprehensive consumer privacy legislation, David Copeland offers an introduction to unstructured health data within the privacy preservation space, & more

Privacy Matters | Data breach compromises Congress members' health information, Vera Mucaj on the privacy implications of linking RWD to clinical trial data, & more

Privacy Matters | Data breach compromises Congress members' health information, Vera Mucaj on the privacy implications of linking RWD to clinical trial data, & more

Privacy Matters | Several states introduce new privacy bills, Ofer Mendelevitch reflects on synthetic data's privacy capabilities, & more

Privacy Matters | Several states introduce new privacy bills, Ofer Mendelevitch reflects on synthetic data's privacy capabilities, & more