In September, Senator Cassidy issued a request to help identify solutions to modernize HIPAA and ensure all U.S. health data is properly safeguarded. On February 21, his office released a report “outlining ways to improve privacy protections for Americans’ crucial health data” based on feedback from trade associations, hospitals, electronic health record vendors, health technology companies, and think tanks. The report puts forth several proposals to:

• modernize the HIPAA framework;
• safeguard health data in the HIPAA gray area not covered by HIPAA; and
• regulate data outside of HIPAA.

Recognizing that the U.S. does not have a comprehensive data privacy law and states are developing disparate and disjointed legislation, the report requests the Senate Committee on Health, Education, Labor, and Pensions (HELP Committee) be at the forefront of developing federal data privacy legislation since “the health care sector will need to play a distinct role with distinct considerations.” The report takes aim at information gathered through wearable devices, personal health and wellness applications, and direct-to-consumer (DTC) genetic testing--proposing increased regulation of health/wellness data, biological samples, genetic data, research, and other types of information that are in a “gray area” such as financial, geolocation, and biometric data.

Improve HIPAA to account for technical advances and digital care

The report includes concrete recommendations to improve protections suitable to our more technically advanced and digital health care system. Specifically, it suggests Congress address:

• Minimum Necessary Requirements – Congress should direct the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to provide clear guidance on how the minimum necessary standard aligns with other regulatory requirements, including health data system interoperability requirements mandated by the 21^st Century Cures Act.
• Access/Third Party Directive Requests – Congress should more clearly define what requests should be eligible for the patient rate to ensure only true requests on behalf of patients receive that benefit.
• Align Treatment of All Health Data – Congress should continue efforts from the Coronavirus Aid, Relief, and Economic Security (CARES) Act of removing “antiquated and complicated barriers” for sharing Part 2 data (including substance use disorder information), ensure complete alignment of all health data within HIPAA, and ensure HIPAA remains the federal floor for protecting medical records.
• Patient Ownership of Health Data – Congress should clarify how patient health information can and cannot be used for research to give patients “confidence in their autonomy over their health information,” citing concerns that allowing health information (even de-identified data) to be used in future datasets to build artificial intelligence (AI) tools may undermine patient ownership and autonomy over the use of their health data.

The report takes the position that discrete updates and clarifications to the existing framework would enable HIPAA to function better, noting that a major rewrite of HIPAA would upset decades of case law and established precedent, leading to disruption in patient care. However, the report also encourages re-evaluation and potential changes to fundamental components such as exemptions for de-identified data and research activities.

Fill gaps for health data in the HIPAA “Gray Area”

A common theme throughout the report is concern that treating certain health data under disparate legal regimes creates uncertainty and confusion, and could lead to inappropriate withholding and disclosure of health information. This is particularly an issue for data that falls within the “gray areas” of health information not explicitly covered by HIPAA but that can still have “significant privacy and health implications for patients.” These areas include:

• intake services (such as online intake forms to identify potential providers);
• health data removed from HIPAA (such as records shared pursuant to access requests or directed disclosures);
• patient generated wellness data;
• sensor generated data; and
• genetic data from DTC testing.

The report calls on Congress to provide clarity for companies and patients to address these “gray areas” including that Congress:

• require developers of consumer wellness applications and devices make clear to consumers that any information generated from using a wellness app is not covered by HIPAA;
• prevent discrimination of consumers based on collection of identifiable wellness data from sensors on wearable technologies (including menstruation trackers, step counters, and smart watches with accelerometers and sensors for sudden falls);
• legislate appropriate notice and consent requirements and safeguards to protect consumers and meet their expectations, drawing from existing state laws and industry principles;
• consider how to expand additional protections to genetic data collected by DTC genetic testing entities, including requiring DTC companies disclose that genetic data they collect is not subject to HIPAA and implementing certain human subject research protections; and
• examine specific areas where OCR’s guidance has been insufficient and needs updating – to help address concerns that OCR’s interpretations of HIPAA have not kept up with a more digitized health care system.

The report also suggests additional requirements for non-traditional entities, like big technology companies, operating in the health sector. For example, the report suggests that non-traditional entities operating in the health sector:

• be subject to “HIPAA-like” protections and increased transparency requirements;
• provide notifications to users when transferring health information generated under the HIPAA framework from HIPAA-covered entities to environments outside of HIPAA;
• provide plain language descriptions in advance about how an individual’s data would be collected and shared
• provide clear information about their practices and allow consumers to decide whether they are comfortable using a particular wellness app; and
• obtain express patient consent before selling or disclosing their data to third parties.

Some of these recommendations are either already required by HIPAA, state consumer privacy laws, and state health privacy laws or may inadvertently create greater confusion and less clarity for individuals and entities.

Streamline requirements for data outside of HIPAA

The report urges Congress to act and implement comprehensive data privacy reform, including recognizing HHS OCR as the primary enforcement body over health data. Acknowledging that many regulators and states are releasing their own proposals and initiating enforcement actions, the report notes that such an approach is unworkable and risks creating a tiered system of protecting certain types of health data more than others. It calls on Congress to consider how to best balance the existing enforcement, warning that the Federal Trade Commission (FTC) has sought to become more involved and tried to expand the scope of its authority through the Health Breach Notification Rule. It also expresses particular concern about data outside of HIPAA, such as geolocation information, financial data, internet searches, and biometric data, that may be subject to many sets of rules as each sector seeks to roll out their own rules.

While encouraging efforts towards increased interoperability, the report states that Congress needs to create guardrails around how health data not covered by HIPAA is shared to help protect patient privacy and create a more sustainable framework for future information sharing. It urges Congress to consider legislation similar to what has been implemented in several states and create a federal floor for health data in the gray areas and outside of HIPAA to provide more regulatory certainty yet allow states to continue to supplement requirements to meet individual state needs.

This report highlights several areas in need of attention and serves as a bellwether for where Congress and federal agencies are likely to focus efforts as they consider updating HIPAA and further regulating health information. It’s important for those operating in the health and wellness sector to closely monitor these developments and engage with policy makers as appropriate on these issues.