Sen. Cassidy Published White Paper Calling for Federal Privacy Law and Updates to HIPAA
In September 2023, U.S. Senator Bill Cassidy sought feedback from healthcare stakeholders on potential legislative changes and other measures for improving health data privacy, including potential updates to the Health Insurance Portability and Accountability Act (HIPAA). Sen. Cassidy has recently released a white paper based on the feedback received from his request for information (RFI) that outlines some of the ways that privacy protections could be improved for all Americans, including the privacy of Protected Health Information but also health information that is not currently regulated by HIPAA.
In the white paper – Strengthening Health Data Privacy for Americans: Addressing the Challenges of the Modern Era – Sen. Cassidy calls on Congress to make further updates to HIPAA and develop comprehensive privacy legislation covering all forms of health data. Many countries have implemented data privacy laws to protect consumer data, but all attempts to introduce similar legislation in the United States have failed. One of the latest attempts to introduce a federal data privacy law – The American Data Privacy and Protection Act (ADPPA) – progressed further than any previous attempt, but despite having strong bipartisan support, the legislation stalled.
Sen. Cassidy, ranking member of the Senate Committee on Health, Education, Labor, and Pensions (HELP) Committee, believes the HELP Committee should be involved in the development of a federal privacy law, as there are specific requirements for protecting health data and the HELP Committee is in the best position to advise Congress on the matter.
Recommendations for Updates to HIPAA
Updates to the HIPAA Privacy Rule are now in the final stages of implementation, with the HHS' Office for Civil Rights due to issue a final notice of proposed rulemaking this year, and the HHS has also stated that it intends to propose updates to the HIPAA Security Rule this Spring. In the white paper, Sen. Cassidy proposes further updates to HIPAA to improve protections for health data in light of rapid advances in technology, so that HIPAA will continue to be effective.
One of the issues raised by healthcare providers is the antiquated and complicated rules covering the sharing of health data covered by the Part 2 regulations, which include substance use disorder information. While the HHS has made updates to align the Part 2 regulations more closely with HIPAA, there are still problems for entities that are required to comply with both regulations. Sen. Cassidy has called for Congress to instruct the HHS to completely align the Part 2 regulations with HIPAA.
There is currently confusion about the minimum necessary standard of HIPAA, which requires uses and disclosures of protected health information to be limited to the minimum necessary information to achieve the purpose for the use or disclosure. Sen. Cassidy has called for Congress to direct the HHS to issue guidance on this standard about how it applies to other regulatory requirements, such as the interoperability requirements of the 21st Century Cures Act.
Congress has also been asked to define when the patient rate should be applied to third-party requests for copies of PHI. Currently, companies that handle these requests for HIPAA-covered entities are losing millions of dollars by charging the patient rate when the recipient of the data is not the patient and the recipients are not acting in the best interests of patients.
Sen. Cassidy has also called for Congress to clarify how patient health information can and cannot be used for research. There are fears that health data used in datasets to build AI algorithms may undermine patient ownership and autonomy of their health data.
Sen. Cassidy and the healthcare stakeholders that responded to his RFI believe that the best approach is to make discrete updates to HIPAA to help the legislation function better, as this will minimize the burden on healthcare organizations. Sweeping changes to HIPAA are likely to lead to disruption to patient care.
Addressing Gaps in the HIPAA Gray Area
There is a HIPAA gray area where certain types of information are not explicitly protected under HIPAA but can still have significant privacy and health implications for patients, such as health data collected by intake services, patient-generated wellness data, sensor-generated health data, and genetic testing information collected by direct-to-consumer (DTC) companies. If nothing is done by Congress to address these gaps, it could lead to inappropriate withholding and disclosure of health information.
Sen. Cassidy has asked Congress to require developers of consumer wellness applications to make it clear to consumers that the data collected is not covered by HIPAA, prevent discrimination based on the collection of wellness data from sensors and applications, introduce legislation requiring notice and consent, and expand protections to cover genetic data collected by DTC companies.
Tech companies operating in the health sector that are not bound by HIPAA should have HIPAA-like protections for the data collected, stored, and processed, and they must be required to operate with transparency. They should be required to notify consumers when HIPAA-protected data is transferred to environments where HIPAA does not apply, privacy practices should be clearly communicated to allow consumers to make an informed decision about whether to use a particular app, and tech companies must be required to obtain express patient consent before personal data is sold or disclosed to third parties.
Expanding Privacy Protections for Health Data Not Covered by HIPAA
Large volumes of health data are collected, processed, and used that are not protected under HIPAA. It has been suggested that the amount of health data collected by entities not protected by HIPAA now exceeds the amount of data collected and used by HIPAA-regulated entities.
That has led several states to introduce their own privacy legislation, and currently privacy protections can be vastly different for individuals living just a few miles apart. Federal agencies are also attempting to regulate certain types of data, such as the Federal Trade Commission regarding geolocation data. There is concern that the U.S. is at risk of developing a tiered system of protections for certain types of data.
Sen. Cassidy stresses that such a system is unworkable. He has called for a comprehensive federal data privacy law and requests that Congress implement guardrails around how health data not covered by HIPAA can be used and disclosed. Currently, these types of data receive "wild west" treatment under U.S. law.