How Proposed Data Privacy Law Could Affect the Handling of Health Information
The proposed bipartisan, bicameral American Privacy Rights Act poses a variety of potential implications to the healthcare sector and other groups that handle health-related data – if the legislation gains traction in Congress and actually gets signed into law, legal experts say.
The legislation seeks to eliminate the existing patchwork of state comprehensive data privacy laws and establish “robust enforcement mechanisms to hold violators accountable,” say the bill’s drafters – Sen. Maria Cantwell, D-Wa., and Rep. Cathy McMorris Rodgers, R-Wa., the chairs of the Senate and House Commerce committees, respectively.
APRA is uniform legislation that attempts to set a national standard for the privacy and security of covered data for providers and service firms that fall under the act, said attorney Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society.
“In some ways, it is similar to the EU General Data Protection Regulation, except it uses the terminology of ‘covered entity’ and ‘service provider,’” she said. “It also gives individuals the right to affirmatively consent to the processing of their data, unless another exception applies, and there are provisions for explicit, clear and simple opt-out mechanisms for those that do not wish to have their data processed. Individuals have the right to access, correct, delete and ensure the portability of their covered data.”
Among its many other provisions, the bill would empower the Federal Trade Commission and state attorneys general to enforce APRA. Unlike HIPAA, it also gives consumers a private right to bring civil lawsuits against violators of the act.
“If successful, such individuals could be awarded actual damages and attorneys’ fees, among other remedies, from the defendant organization,” said attorney Allison Dressel of the law firm Polsinelli.
HIPAA-regulated organizations that comply with HIPAA rules would be deemed compliant with similar provisions of APRA. Still, if a healthcare organization is covered by the APRA, it also would need to comply with APRA’s data security provisions.
“The bill includes a broad exemption for covered entities and business associates that are regulated by and comply with HIPAA with respect to their protected health information, except that such entities would still be subject to the APRA’s data security requirements, including limits on retention of data,” said privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
“In contrast, the APRA would be a much bigger game changer for entities that fall outside of HIPAA, placing them under a set of national, comprehensive privacy requirements,” he said.
Healthcare sector firms not regulated by HIPAA should note that APRA does not exempt healthcare data subject to state healthcare information privacy laws, Dressel said.
“The act merely states that it does not preempt such laws. Such entities may have to comply with both the act and applicable state law,” she said. “As a result, healthcare sector entities should keep an eye on the preemption provisions in this bill.”
More Confusing?
Some of APRA’s proposals potentially could make things more complex for groups handling health data, some experts said.
“The bill will continue a disturbing trend of making law for health information more confusing rather than less confusing, since it both exempts HIPAA entities in most situations and also exempts laws involving health information from the preemption provisions,” said privacy attorney Kirk Nahra of the law firm WilmerHale.
“I continue to be worried that this confusion does not help protect privacy and makes beneficial uses of health information harder and the operation of the healthcare system more complicated.”
The bill also proposes to set standards for data minimization that would allow companies to collect and use data only for necessary and limited purposes. It would prohibit the transfer of sensitive covered data to third parties without the consumer’s affirmative express consent (see: U.S. Bipartisan Privacy Bill Contains Cybersecurity Mandates).
“Timing is everything,” said regulatory attorney Rachel Rose. The bill comes at a time when consumer data privacy issues, such as the use of online tracking tools – including on health-related websites – that share sensitive information with data brokers and other third parties have been increasingly controversial and scrutinized by regulatory agencies, such as the FTC (see: Breach Roundup: Sisense Supply Chain Attack).
In fact, the FTC on Friday finalized an order prohibiting data broker X-Mode and its successor Outlogic from sharing or selling any sensitive location data. The action settled allegations that the company sold precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics and places of worship.
“First, the increased emphasis on consumer rights and enforcement actions by the FTC are contributing factors to raising awareness of illicit use of data tracking and selling,” she said. “Second, in light of the increased number of state laws, having a federal law, like HIPAA, that creates a floor for legal requirements but still gives states latitude to go above that floor makes sense.”
While previous attempts at federal data privacy legislation have faltered, this bill may stand a better chance with bipartisan support. A private right of action, for instance, is often a dividing issue along party lines, yet the APRA draft introduced this week appears to have a better shot at becoming law, some experts predict. Still, the problem might be its timing.
“The APRA has high-level, bipartisan sponsors from both chambers, giving it a very strong starting point,” Greene said. “It has a better chance of passage than many past attempts at federal privacy legislation, but resolving issues of state preemption and a private right of action – in an election year no less – will still be a steep uphill climb.”
Nahra agrees that APRA will potentially face an uphill battle, but he says the renewed effort for national data privacy legislation offers glimmers of hope. “At least we are now engaged in the struggle rather than sitting the issue out. There’s really been no good reason why Congress hasn’t been able to get their act together on this issue,” he said.
“The expanding state framework – where the pace is accelerating – is playing some important part of it – and also leads to the broader preemption in the bill,” he said.
“APRA is a bit of a hodgepodge – it touches on most of the relevant topics in generally appropriate ways but also pays lip service to certain other areas,” he said.
“I would expect some of these areas to be fleshed out as the bill moves forward,” he said. “The compromises on preemption and a private right of action have gotten most of the attention as they have throughout this process. I hope that there is also attention paid to the rest of the critical substance of the bill to ensure that these other areas also are addressed in a thoughtful way.”