US Senators Tammy Baldwin (D-WI) and Bill Cassidy (R-LA) introduced the Health Data Use and Privacy Commission Act intending to modernize health data privacy laws to reflect the current tech landscape.
HIPAA transformed the healthcare sector when it was enacted 25 years ago. But the Senators contended that HIPAA often misses the mark when it comes to data privacy issues associated with today’s emerging technologies.
“As a doctor, the potential of new technology to improve patient care seems limitless. But Americans must be able to trust that their personal health data is protected if this technology can meet its full potential,” Cassidy said in the press release.
“HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”
If passed, the act would establish a commission to review existing health data protections and assess current practices for health data use. The commission, whose members would be appointed by the Comptroller General, would also submit a report to Congress and the President six months after formation with recommendations on modernizing health data privacy.
The commission would be responsible for drafting recommendations regarding the effectiveness of current regulations and an analysis of whether additional regulations would result in costs, burdens, or other unintended consequences.
In addition, the commission would provide insight into “the purposes for which sharing health information is appropriate and beneficial to consumers and the threat to health outcomes and costs if privacy rules are too stringent,” the release continued.
Members would also provide recommendations of non-legislative fixes to health privacy concerns, including updated industry best practices.
Industry leaders, including athenahealth, American College of Cardiology, IBM, Epic Systems, Federation of American Hospitals, Association of Clinical Research Organizations, and others, voiced their support for the legislation in a letter to Senators Cassidy and Baldwin.
“As the nation continues to adopt new and evolving technologies that surround everyday life and digitize nearly every interaction we have, personal privacy has never been a more important issue for policymakers,” the letter stated.
“Congress is considering comprehensive privacy reform – and we support these efforts – but most of these conversations are focused on consumer technology and data. Health data is either carved out of these proposals or included in a new category of ‘consumer health data’ which could lead to many entities being subject to duplicative requirements.”
The Federal Trade Commission’s (FTC) October policy statement hinted at HIPAA’s shortcomings regarding third-party applications.
The FTC released the statement to clarify that health apps and connected device companies must comply with the Health Breach Notification Rule. The statement was intended to cast a wider net over modern-day organizations that collect significant amounts of health data without being subject to HIPAA.
Still, healthcare organizations are rightfully looking for additional guidance and clarification from regulatory agencies concerning patient data privacy. Consistent regulations are needed to ensure that every entity that touches health data does so in a way that preserves patient privacy.
“Providers, health plans, and other covered entities and their business associates covered by the Privacy Rule as well as the patients they serve need clarity and consistency in health data privacy and use rules,” the letter emphasized.
“Secure and private health information should not be the enemy of medical innovation, clinical process improvement, or public health response. Careful consideration of these issues by the commission will inform policy makers to achieve the necessary balance of data liquidity and confidentiality necessary for a highly functional and trusted health system.”