The Health Insurance Portability and Accountability Act (HIPAA) is more than 25 years old, and it was more than 20 years ago that the HIPAA Privacy Rule was added to limit uses and disclosures of healthcare data and better protect patient privacy. Changes to the Privacy Rule have now been proposed and are expected to be finalized later this year, but even these changes will not address regulatory privacy gaps which could threaten the confidentiality and privacy of sensitive health data.
One of the main issues with HIPAA is that it is not a universal law covering all health data. It applies only to health data collected, used, stored, and transmitted by healthcare providers, health plans, healthcare clearinghouses, and their business associates. HIPAA does a good job of making sure safeguards are in place to protect patient privacy with respect to those entities, but it does not cover many of the emerging technologies that interact with health data, such as health apps and wearable devices.
Health apps collect health data that would be covered by HIPAA if the health apps were used or provided by a HIPAA-covered entity or business associate, but in most cases the health data collected, stored, and transmitted by those apps and new technologies is not protected by the same stringent privacy and security controls. Further, regulatory changes have made it easier for patients to request their health information be transmitted to unregulated health apps by their healthcare providers, potentially placing the information at risk.
Bipartisan legislation has now been introduced in the U.S. that aims to modernize HIPAA and other health data privacy laws to better protect the privacy of health data. Modernizing U.S. privacy laws to account for changes in technology is unlikely to be a quick process, but it is important for that process to start, hence the introduction of the Health Data Use and Privacy Commission Act.
The Health Data Use and Privacy Commission Act was introduced by Sens. Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) and aims to start the modernization process by forming a commission to analyze current health data privacy laws and then make recommendations on how to better protect health data, whether that is through updates to current legislation, the introduction of new legislation, or non-regulatory measures that address the privacy gaps.
“As a doctor, the potential of new technology to improve patient care seems limitless. But Americans must be able to trust that their personal health data is protected if this technology can meet its full potential,” said Dr. Cassidy. “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”
The Health Data Use and Privacy Commission Act calls for the Comptroller General to appoint commission members, who will be given 6 months to analyze current laws and make their recommendations to Congress on the best way to reform, streamline, harmonize, unify, or augment current laws and regulations relating to individual health privacy.
In addition to identifying regulatory privacy gaps and suggesting potential changes, the commission must also provide an estimate of the cost of making changes to health data privacy laws, identify any burdens the proposed changes would place on tech firms and healthcare organizations, and identify any unintentional consequences of stricter privacy laws, including whether the changes may threaten health outcomes.
The legislation has attracted strong early support from healthcare groups and tech firms, with the Federation of American Hospitals, College of Cardiology, National Multiple Sclerosis Society, Association of Clinical Research Organizations, IBM, and Epic Systems already voicing their support for the Health Data Use and Privacy Commission Act.
“Folks across Wisconsin and the country are rightfully concerned about the security of their personal information, especially individual health care data, and it is time to give Americans better protection over these records,” said Senator Baldwin. “I am excited to introduce the bipartisan Health Data Use and Privacy Commission Act to help inform how we can modernize health care privacy laws and regulations to give Americans peace of mind that their personal health information is safe, while ensuring that we have the tools we need to advance high-quality care.”