Proposed Expansion of HIPAA To Encompass Fitness and Health Apps And Services

The bill seeks to fill a gap that has developed in the U.S. regulation of health privacy.

Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) have reintroduced a bill, the “Protecting Personal Health Data Act” (S.24), that addresses the rise of wearable fitness trackers and similar technologies that currently sit outside the United States (U.S.) regulations governing the privacy and security of certain classes of health information. The bill would expand the “Health Insurance Portability and Accountability Act of 1996” (P.L. 104–191), and the follow-on “Health Information Technology for Economic and Clinical Health Act” (HITECH Act) (P.L. 111-5), to cover much of this universe of services and products.

Klobuchar and Murkowski are proposing a targeted alteration to existing federal privacy law, one that could prove acceptable to stakeholders given the rise of fitness apps and technology, a sector that is largely unregulated under federal health privacy law. On the other hand, even narrow bills that fill gaps in existing privacy laws may be blocked while stakeholders in Congress grapple with comprehensive federal privacy legislation.

In the bill’s findings section, Klobuchar and Murkowski referenced a 2016 report issued by the Office of the National Coordinator for Health Information Technology (ONC), “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA.” This report found that “[t]he HIPAA Privacy Rule does not protect all health information wherever it is found…[and] the protections do not extend to data about the health of individuals held by ‘non-covered entities’ such as FitBit or similar platforms or services.” The ONC concluded:

[L]arge gaps in policies around access, security, and privacy continue, and confusion persists among both consumers and innovators. Wearable fitness trackers, health social media, and mobile health apps are premised on the idea of consumer engagement. However, our laws and regulations have not kept pace with these new technologies. This Report identifies the lack of clear guidance around consumer access to, and privacy and security of, health information collected, shared, and used by NCEs [non-covered entities].

S.24 adds a new term to federal privacy laws: “personal health data.” This is defined as:

any information, including genetic information, whether oral or recorded in any form or medium, that relates to the past, present, or future physical or mental health or condition of an individual and that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

This definition draws, in part, on the definition of “individually identifiable health information” in the HIPAA/HITECH regulations.

In terms of which entities would be covered, the bill does not define coverage by type of entity but rather by function. Accordingly, it defines “consumer devices, services, applications, and software” as those

(i) that are primarily designed for or marketed to consumers; and

(ii) a substantial purpose or use of which is to collect or use personal health data.

S.24 further refines this definition by stating what it includes and what it does not include. Specifically, “consumer devices, services, applications, and software” includes, “but is not limited to,”

  • direct-to-consumer genetic testing services;
  • cloud-based or mobile technologies that are designed to collect individuals’ personal health data directly or indirectly with individuals’ consent, which could enable sharing of such information, such as wearable fitness trackers; and
  • internet-based social media sites which are primarily designed for, or marketed to, consumers to collect or use personal health data, including sites that share health conditions and experiences.

It appears services like 23andMe and its competitors would be considered “direct-to-consumer genetic testing service[s]” and subject to regulation under the “Protecting Personal Health Data Act.” The reason is that the definition sweeps fairly wide:

means a service, which may include a test that analyzes various aspects of an individual’s genetic material, that enables a consumer to have access to their genetic information, or to information derived therefrom, without the need to have a health care provider or health insurance issuer participate in the process of gaining access.

Note that the definition is met by any service that gives a consumer access to their genetic information, or to information derived from it, without a health care provider or health insurance issuer in the loop; any such service is a direct-to-consumer genetic testing service and hence a regulated entity under the bill.

There are, however, explicit exclusions from the definition of “consumer devices, services, applications, and software.” Excluded are:

  • products on which personal health data is derived solely from other information that is not personal health data, such as Global Positioning System data; or
  • products primarily designed for, or marketed to, covered entities and business associates

Medical devices would appear to be excluded from the bill, since they are predominantly marketed to medical professionals (that is, to HIPAA covered entities) rather than to the public at large. So would any product that derives personal health data solely from other data that is not itself personal health data. For example, an iPhone or Android phone could be used to build a profile of a person’s health from the restaurants and bars they do or do not visit, using nothing but location data; any such processing would also seem to fall outside S.24, even though the inferred data can be as sensitive as data collected directly.

The bill’s regulated parties are “operators”: entities that run or provide consumer devices, services, applications, and software and that also collect or maintain “personal health data from or about the users of such consumer devices, services, applications, and software.”

Under the bill, the Department of Health and Human Services (HHS) “shall promulgate regulations to help strengthen privacy and security protections for consumers’ personal health data that is collected, processed, analyzed, or used by consumer devices, services, applications, and software.” This gives HHS wide latitude in what the regulatory regime will look like. HHS could fairly argue that merely extending the same security and privacy protections people currently enjoy vis-à-vis covered entities and business associates under HIPAA/HITECH is sufficient. Nonetheless, HHS must also “ensure that the regulations…

  • account for differences in the nature and sensitivity of the data collected or stored on the consumer device, service, application, or software; and
  • include such definitions for relevant terms that are necessary to accomplish the goals of the regulations…

These additional requirements would seem to lend themselves to provisions specific to consumer devices, services, applications, and software. Moreover, HHS must consider the previously mentioned 2016 ONC report, especially “findings regarding individuals’ access rights, re-use of data by third parties, security standards applicable to data holders and users, confusion or ambiguity regarding terminology related to privacy and security protections, and the adequacy of collection, use, and disclosure limitations.” HHS must also “consider appropriate uniform standards for consent related to the handling of genetic data, biometric data, and personal health data…[and] exceptions to consent requirements…for purposes that may include law enforcement, academic research or research for the sole purpose of assessing health care utilization and outcomes, emergency medical treatment, or determining paternity.”

The aforementioned uniform consent standards contemplate an opt-in model under which people must be given information about the proposed uses of their personal health data and about who may have access to it. ONC would develop the standards operators must follow, which leaves open the possibility of standards that vary by category of data. The means of obtaining consent must “use[] clear, concise, and well-organized language that is easily accessible, of reasonable length, at an appropriate level of readability, and clearly distinguishable from other matters.”

In drafting regulations, HHS must also consider

  • a process to limit the transfer of personal health data to third parties and provide consumers with greater control over how their personal health data is used for marketing purposes;
  • secondary uses outside of the primary purpose of the service as initially indicated when consent was first obtained;

It is unclear whether the process to limit transfers of personal health data would be left to each individual’s choice or imposed generally on operators. Likewise, all that HHS must do is “consider” secondary uses; it is not required to bar or limit the reuse of these data.

HHS must also

  • consider appropriate minimum standards of security that may differ according to the nature and sensitivity of the data collected or stored on, or processed or transferred by, the consumer device, service, application, or software;
  • consider appropriate standards for the de-identification of personal health data;
  • consider appropriate limitations on the collection, use, or disclosure of personal health data to that which is directly relevant and necessary to accomplish a specified purpose;

Operators would also have to provide individuals with copies of their personal health data and to correct or delete that data.

The bill also provides for the creation of a National Task Force on Health Data Protection with the following remit:

(1) study the long-term effectiveness of de-identification methodologies for genetic data and biometric data;

(2) evaluate and provide input on the development of security standards, including encryption standards and transfer protocols, for consumer devices, services, applications, and software;

(3) evaluate and provide input with respect to addressing cybersecurity risks and security concerns related to consumer devices, services, applications, and software;

(4) evaluate and provide input with respect to the privacy concerns and protection standards related to consumer and employee health data;

(5) review and advise on the need, if any, to update the report issued by the Department of Health and Human Services to Congress entitled “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA”; and

(6) provide advice and consultation in the establishment and dissemination of resources to educate and advise consumers about the basics of genetics and direct-to-consumer genetic testing, and the risks, benefits, and limitations of such testing.

This task force would exist for five years and would need to submit its recommendations to the committees of jurisdiction in Congress, HHS, the Federal Trade Commission (FTC), and the Food and Drug Administration (FDA).

If enacted, S.24 would likely have the effect of exempting fitness and health data, applications, and software from broader federal privacy legislation, because many bills carve out HIPAA-compliant or HIPAA-regulated entities. For example, the “Consumer Online Privacy Rights Act“ (COPRA) (S.2968), introduced in the last Congress by Senator Maria Cantwell, now Chair of the Senate Commerce, Science, and Transportation Committee, would to a certain degree exempt covered entities subject to other federal privacy and data security statutes such as the “Financial Services Modernization Act of 1999” (aka Gramm-Leach-Bliley) and HIPAA. Its provisions make clear that entities in compliance with the named federal regimes shall be deemed in compliance with the privacy and data security requirements of COPRA “with respect to data subject to the requirements of such regulations, part, title, or Act.” This suggests that for data falling outside those regimes (e.g., biometric data and geolocation data, which are not subject to Gramm-Leach-Bliley), covered entities would need to meet COPRA’s privacy and data security requirements in addition to their existing responsibilities. S.24, however, would sweep more data and information into HIPAA, thus putting it beyond the scope of many privacy bills. It is always possible, of course, that the privacy bills that gain traction in this Congress do away with such exemptions and regulate equally across the U.S. economy.

Finally, it bears noting that there are two active rulemakings that pertain to the subject matter of S.24. First, the HHS Office for Civil Rights (OCR) has proposed a major rewrite of the regulations governing medical privacy in the U.S. HHS issued a notice of proposed rulemaking (NPRM) “to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).” HHS explained:

Specifically, the proposals in this NPRM would amend provisions of the Privacy Rule that could present barriers to coordinated care and case management – or impose other regulatory burdens without sufficiently compensating for, or offsetting, such burdens through privacy protections. These regulatory barriers may impede the transformation of the health care system from a system that pays for procedures and services to a system of value-based health care that pays for quality care.

Nevertheless, it is almost certain the Biden Administration will pause this rulemaking and quite possibly withdraw it should it prove crosswise with the new White House’s policy goals.

Second, the FTC has asked for input on possibly revising its Health Breach Notification Rule (HBN Rule), which it issued in 2009 as directed by the “American Recovery and Reinvestment Act” (ARRA) (P.L. 111-5). As the current regulation explains, the HBN Rule “applies to foreign and domestic vendors of personal health records (PHR), PHR related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission (FTC) Act, that maintain information of U.S. citizens or residents.” This rule, however, “does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.” To date, the FTC has not proposed regulations, and whether it does will depend on how the new FTC leadership chooses to proceed.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.
