Ranking Member Cassidy Seeks Information from Stakeholders on Improving Americans’ Health Data Privacy

WASHINGTON – Today, U.S. Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, requested information from stakeholders on ways to improve the privacy protections of health data to safeguard sensitive information while balancing the need to support medical research. Currently, health data that is collected from new technologies such as wearable and smart devices, and health and wellness apps is not protected under the Health Insurance Portability and Accountability Act (HIPAA).  

Cassidy hopes to use stakeholder feedback to identify solutions to modernize HIPAA and ensure all health data is properly safeguarded. The deadline to submit feedback is September 28^th.  

Read the full request here or below.  

To Interested Parties:

Safeguarding patient privacy is an essential element in building trust in our health care system. Since the Health Insurance Portability and Accountability Act (HIPAA) was passed nearly 30 years ago, patients could rely on their health information being protected, while enabling their providers to exchange their information for treatment, payment, and health care operations. However, new technologies such as wearable devices, smart devices, and health and wellness apps have expanded the creation and collection of health data. While these technologies have enabled better care and greater patient access to health information, much of this data is not protected by the HIPAA framework.

As we examine steps to leverage technology to improve patient care, while safeguarding the privacy of this data, we request feedback on the questions below. Please submit any responses to healthprivacy@help.senate.gov by September 28, 2023.  

General Privacy Questions

1. What is health data? Is health data only data governed by HIPAA, or are there other types of health data not governed by HIPAA? Should different types of health data be treated differently? If so, which? How? If not, why not?

• Which entities outside of HIPAA Covered Entities should be accountable for the handling of health data (not necessarily HIPAA-covered data)? Should different types of entities have different obligations and privileges? Please explain using examples.

3. Should any or all of these entities have a duty of loyalty to consumers/patients?

1. How could a duty of loyalty be imposed in a way that maximizes the safeguarding of consumer/patient data without creating burdensome implementation challenges? Should requirements of such a duty be based on the sensitivity of collected data? Please explain.

Health Information Under HIPAA

4. How well is the HIPAA framework working? What could be improved?

5. Should Congress update HIPAA?

6. Should Congress expand the scope of HIPAA? What specific information should be included in the HIPAA framework?

7. What challenges would legislative reforms to HIPAA create?

8. Are existing safeguards on the disclosure of health care data to law enforcement officials sufficient?

9. How should the sharing of health data across state lines be structured to account for different legal frameworks?

Collection of Health Data

10. How should consumer/patient consent to an entity to collect information be structured to minimize unnecessary data gathering? When should consent be required and where should it be implied?

11. How should information about data collection practices be conveyed to patients (i.e. plain language notice prior to consent, etc.)?

12. The European Union (EU) General Data Protection Regulation (GDPR) requires entities that collect personal data to delete it under certain circumstances if a consumer makes such a request.^[1] Should non-HIPAA covered entities be required to delete certain data at a consumer/patient’s request? 

13. How should consumer online searches about health conditions (i.e., diabetes, in-vitro fertilization) be considered when part of health data?

Biometric Data

14. To what extent should biometric data be considered health care information when not used for health care purposes?

15. What obligations and allowances should entities have when collecting, maintaining, or disclosing biometric data?

Genetic Information

16. How should genetic information collected by commercial services be safeguarded?

17. To what extent should information collected via commercial services be considered human subject research governed by the Common Rule?

18. What obligations and allowances should entities have when collecting, maintaining, or disclosing biometric data?

19. What obligations and allowances should entities have when collecting, maintaining, or disclosing genetic information collected collaterally with patient samples?

20. How can and should an individual’s genetic information be protected from revealing a relative’s genetic information and corresponding health conditions when using commercial genetic testing services?

Location Data

21. How should location data that is being collected at a health care facility or website or other digital presence maintained by a health care entity be treated? For example, location data could potentially disclose a patient’s health condition or treatment plan. Should this data be treated differently from the same data collected by non-health care entities?

22. What types of location data should or should not be considered health data?

Financial Information

23. How should financial information for health care services not covered by HIPAA (i.e., claims data, billing) be treated?

24. Should this data be treated differently from the same data collected by non-health care entities?

25. What types of financial data should or should not be considered health data?

Sharing of Health Data

26. Should there be an opt-in method of data collection for health data outside of the HIPAA framework versus an opt-out method? Please explain.

27. HIPAA permits the sharing of protected health information (PHI) under limited circumstances, provided the information is deidentified.^[2] Should this permissive framework be extended to the sharing of non-HIPAA covered data and what guardrails should be imposed? 

28. Which, if any, obligations imposed on HIPAA Covered Entities should also be imposed on non-HIPAA Covered Entities handling health data? Please explain.

29. What, if any, framework should be imposed on third parties who use third-party data sources to supplement HIPAA data to uncover an individual’s health condition(s).

Artificial Intelligence

30. What privacy challenges and benefits does the use of artificial intelligence pose for entities that collect, maintain, or disclose health care data, whether within the HIPAA framework or without?

31. How should artificial intelligence-enabled software and applications implement privacy by design? What can be done to mitigate privacy vulnerabilities when developing algorithms for health care purposes?

32. To what extent should patients be able to opt-out of datasets used to inform algorithmic development? How could an opt-out mechanism be structured?

State and International Privacy Frameworks

33. Currently 137 countries have a data or privacy framework in place. What have been the greatest challenges in complying with these frameworks for the governance of health data? Are there any policies that have been effective in safeguarding health data? What should be improved? How should the United States proceed, considering the existing international patchwork?

34. Nine states have passed data or privacy laws since 2018.^[3] What have been the greatest challenges in complying with these frameworks for the governance of health data? Have there been any lessons learned as states have implemented these laws on best practices to safeguard health data? How should the federal government proceed, considering the existing state patchwork? 

Enforcement

35. What regulatory authorities does the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) have to safeguard health information that have not been exercised?

36. OCR has primary authority over enforcement of HIPAA. However, other federal agencies such as the Federal Trade Commission (FTC) have oversight of certain health data that can implicate HIPAA. To what extent should these agencies have a role in the safeguarding of health data? What duplication or conflict currently exists between how different agencies enforce violations of health laws?

37. Please share challenges with compliance and enforcement of existing health data privacy and general data privacy laws. How should these challenges be overcome?

###

For all news and updates from HELP Republicans, visit our website or Twitter at @GOPHELP.