Healthcare stakeholders have long warned of the need for better privacy protection for health data that falls outside the purview of the Health Insurance Portability and Accountability Act. If it passes Congress, the American Data Privacy and Protection Act may narrow some of those existing gaps.
The ADPA advanced out of the House Energy and Commerce Committee in July by a vote of 53-2 and was lauded as a “major step forward” for national data privacy protections. The legislation was advanced alongside two other bills, one seeking stronger federal ransomware reporting and another setting requirements for IoT vendors regarding surveillance in consumers’ connected devices.
Congressional efforts to create a unified privacy law stalled during the pandemic. But unlike past iterations, which were held up by party differences, this bill has the support of the business community, and Deven McGraw, of data stewardship and data sharing at Invitae, is hopeful that support will give the legislation some legs.
The legislation is “very comprehensive,” said McGraw. “It’s clearly a serious effort to address privacy issues that arise in what are currently under-regulated spaces. In a healthcare context, we have the HIPAA protections for data but they only apply to data in the hands of certain entities, doctors, hospitals, health plans, and their contracted vendors.”
“You have this robust digital health data economy that we’re trying to create for the benefit of all of us,” she continued. “And yet, we leave the data largely unprotected, or subject to the commitments made by private companies when we are outside of the HIPAA space.”
That means the current environment is rife with confusion for consumers about when data is or isn’t protected outside of HIPAA. Industry groups have long bemoaned gaps in the privacy regulation of health data generated by consumers or through health apps, but the onus for closing those gaps falls on Congress, not the Department of Health and Human Services.
The proposed legislation would take major strides in closing these gaps, while giving federal agencies the resources and authority to better regulate data privacy, especially health information.
For health data, the benefits outweigh flaws
As noted in a recent Politico report, the HHS Office for Civil Rights’ resource challenges make it difficult to pursue every violation of HIPAA. Few people could understand those challenges better than McGraw, the former deputy director of health information privacy for OCR.
On the regulatory side, OCR struggles with “making a dent” in the complaints filed against providers and business associates over alleged HIPAA violations, and in the potential cases that could be brought once a clear violation has been found, because the agency’s “resources are always so constrained.”
For example, as HHS nears the enforcement period for its interoperability push to help patients access their own data, a federal privacy bill could ensure consumers aren’t inadvertently storing their data on a platform unregulated by HIPAA, or on a social networking site without rigorous privacy protections.
The ADPA could give the agency a much-needed boost, as it gives the Federal Trade Commission more resources and “frankly, more overt and obvious authority to regulate in certain spaces where the FDA [Food and Drug Administration] has struggled a little bit to stretch their existing Section Five authority,” McGraw explained.
The concern, however, is that sometimes the authority is challenged and then subjected to potential court rulings that “say they went further than they were supposed to do,” she added.
The bill does considerably strengthen the agency’s authority, and it’s “certainly welcomed for the FTC to become more active in the privacy space.” But McGraw warns they can only go as far as their existing authorities allow them to, and “even if they’re pushing that envelope a little bit, then there’s a possibility they can be overturned.”
Overall, arming the FTC with more resources and more authority is a serious win for health data privacy and a “significant step forward.”
McGraw is also concerned about how the bill would continue to facilitate the use of health data for research purposes. There is incredibly important medical research that happens with HIPAA’s de-identified data, but “there’s a lot of uncertainty about how it could move forward under the bill.”
“HIPAA has long had standards for how data gets de-identified, which, quite frankly, makes it unusual in privacy law,” said McGraw. “They actually have a legal standard to ensure there’s no reasonable basis to believe that the data in the hands of the recipient can be used to re-identify the patient.”
There are even two methodologies entities can “use to get data to the point of being de-identified: one requiring the removal of static identifiers and no knowledge that the data can be re-identified. The other is using an X: if you want to leave in data fields that increase the risk of re-identification, then you have to use other techniques to make the data less susceptible to being re-identified,” she explained.
These rules have long been understood to allow data to be linked across datasets, as long as the entity couldn’t determine who the patient was. But discrepancies between HIPAA and the ADPA may disrupt these standards, McGraw noted, though there’s hope these elements are “fixable.”
It’s important that Congress addresses the concerns before the bill is brought to a final vote, because, if it passes, Congress is unlikely to take up the issues again.
“When Congress acts in a really big way, they’re often reluctant to go back,” she said.
Benefits in the post-Dobbs era
Data privacy challenges exist in all industries, but the health app space remains largely unregulated. McGraw notes that data brokers and geolocation data generated by apps are especially problematic. As previously examined, after the overturning of Roe v. Wade, those privacy gray areas will become an even greater risk to patients.
These issues are rooted in the “various aspects of the online universe that we live in today, where you’re leaving breadcrumb trails of all the things that you’re doing all over the place, and it’s very under-regulated,” said McGraw. “In some respects, these categories of sensitive data would receive even further protection that would be put into place by the proposed bill.”
“All of that is helpful. Is it sufficient in the post-Dobbs era?” she added. For example, a recent study published in JAMA found that nearly all abortion clinic webpages use third-party trackers that transfer user data.
The Dobbs opinion shines a spotlight on the need for this particular bill, but also on another critical issue: any attempt to create a set of privacy rules based primarily on patient consent won’t necessarily hold up as well when there are law enforcement access exceptions and court-ordered exceptions.
“You’ll get a better environment, but you won’t get the perfect environment,” she added. “Even if the Dobbs decision just ratchets up the level of concern to a degree that even HIPAA, frankly, doesn’t cover,” particularly in circumstances where the intent behind gathering the data, or a particular use of the data, is going to harm someone.
In short, we shouldn’t be pinning privacy protections on the patients themselves. McGraw stressed that infrastructure rules governing when data can be shared with law enforcement will be most effective.
Preemption of state privacy laws ‘sacrifice for the nation’
In 2019, Congress made numerous attempts to create a unified federal privacy law focused on giving consumers more control over data, penalizing companies for misusing or under-securing the data in their care, and, perhaps most importantly, protecting troves of data currently unregulated by HIPAA.
At the time, there was a unified consensus that a federal privacy law was needed because of the growing patchwork of inconsistent state laws, which is known to be ineffective at protecting consumers. But the parties were divided on whether the law should supersede state laws.
As it stands, in healthcare and across all sectors, businesses must crosswalk a range of state laws and federal regulations to ensure compliance. It’s a hefty task and one that often leaves gaps.
By preempting state laws, a federal privacy law like the ADPA would reduce these hurdles and make it easier for businesses to comply. Although the latest privacy push would indeed preempt state laws, McGraw said she believes the prior sticking point won’t be problematic given the support from the business community.
The one outlier may be California, which wants to keep its own statute. The state’s privacy law is well known to be one of the strictest in the country, on par with the EU’s GDPR. However, it’s “not a slam dunk that California is universally stronger across the board.”
And even if California has the strongest privacy law in the country, “it doesn’t help the rest of us,” she added. “California’s law was passed with a very chaotic, haphazard process in which we have very little enforcement experience to help inform what the challenges are, what works well, what doesn’t work so well.”
“It does sort of strike me as weakening the argument, in my opinion, for California to be arguing that its law needs to be preserved,” said McGraw. “Take one for the team, sacrifice for the rest of the nation.” Particularly as the concessions would be relatively minute in comparison with what the rest of the country would gain from the proposed legislation.