Senate White Paper on Privacy
Senator Bill Cassidy (R-LA), the Ranking Member of the HELP Committee, released a white paper based on a previous RFI regarding privacy and HIPAA. A summary of the recommendations is below.
This white paper is based on ideas submitted, as well as the Senator's own thoughts. While interoperability is not specifically mentioned in any of the recommendations, it is included as an important goal and foundation for these efforts.
The paper considers data in three buckets.
HIPAA Protected Data
Recommendation: OCR clarifies the minimum necessary standards for data sharing. When records were shared via paper, unnecessary information could be redacted easily; this is not the case with electronic information. This can lead to over-sharing, or, because of the fear of over-sharing, under-sharing of important health information.
Recommendation: Congress defines which third party requests are eligible for the patient rate. The patient right of access to medical records requires that patients be charged a reasonable rate based on the cost of labor, supplies and postage. Patients may also request that a third party, such as another provider, receive their medical records; in those cases, the patient rate applies. However, there are some bad actors who use the patient rate to receive records that are not directly for the patient – "scammers and law firm[s] and insurance company phishing expeditions." These actors should not be charged the patient rate.
Recommendation: Congress aligns the treatment of all health data. Of particular concern are enhanced privacy protections for reproductive health data. The paper lauds the efforts to reduce barriers in sharing OUD information (Part 2 data), and suggests that all data, including reproductive health information, be treated the same. The white paper also points out that HIPAA is the floor, not the ceiling, and preempts less stringent state laws.
Recommendation: Congress clarifies how patient health information can and cannot be used for research. Under the paradigm of patient ownership of data, the white paper considers the use of de-identified information. The use of de-identified data is important in open AI; however, the risk of re-identifying the patient is of concern. Further, the use of identifiable information is valuable; the white paper considers the potential for patients to be compensated for the use of their identifiable information.
Data in a “gray area” regarding HIPAA protection
Recommendation: Congress ensures that data on intake forms is covered under HIPAA protections. This is based on the problem seen in an FTC settlement with BetterHelp, where the company shared information about the patient’s enrollment in the program and other sensitive information with advertisers.
Recommendation: Patient notification of removal of HIPAA protections. (The white paper does not provide a pathway for this action.) As patients use connected devices to share health data across platforms, they often have to authorize software to access these data. Doing so removes these data from HIPAA protections.
Recommendation: Congress requires developers of wellness products to make clear to consumers that any information generated from using a wellness app is not covered by the HIPAA framework.
Recommendation: Congress requires the collection of informed consent from consumers before their sensor data is sold to data brokers. This is included in The Stop Marketing And Revealing The Wearables and Trackers Consumer Health (SMARTWATCH) Data Act.
Recommendation: Congress prevents discrimination against consumers based on the collection of identifiable wellness data. Data from sensor tools, "including menstruation trackers, step counters, and smart watches with accelerometers and sensors for sudden falls"... "can be purchased and used by employers to make inappropriate and discriminatory determinations for hiring, firing, and employee location tracking, based on this data. For example, a smartwatch with a built-in accelerometer that senses trips and falls might be used by an employer to speculate that an employee has an early onset medical condition and deny them certain benefits."
Recommendation: Congress protects DTC genetic test data. DTC genetic testing companies are not HIPAA covered entities. These companies should be required to notify potential customers that the data is not covered by HIPAA. “Congress should legislate appropriate notice and consent requirements and safeguards to protect consumers and meet their expectations”. This can be largely based on the 10 states that already have legislation on this issue. Congress should also consider how to expand research protections to genetic data collected by DTC genetic testing entities. This could include implementing certain human subject protections, similar to those in place for research conducted through the Common Rule.
Recommendation: Congress ensures that HIPAA is a floor for patient data protections.
Recommendation: OCR should maintain primary enforcement of HIPAA.
Data outside HIPAA
Recommendation: Congress needs to enact comprehensive data privacy reform. Data outside of HIPAA can include geolocation data, financial data, internet search history or biometric data. For these, and other emerging data, Congress needs to enact comprehensive data privacy reform.