Executive Summary: Evolution of Health Data Regulation

The news today is full of discussions about data privacy and data protection legislation, with diverse views from policymakers, advocacy groups, and industry. For healthcare leaders, it can be challenging to keep track of what applies to your data, what changes are worth following, and how the final legislation could impact you and your company.

Here’s what you need to know.

How health information is regulated in the United States today

The sensitivity of health information makes it one of the few categories of information that is already federally protected by law. These are the three laws to know.

Health Insurance Portability & Accountability Act (HIPAA)

Enacted in 1996, HIPAA is the primary healthcare law in the U.S. It was amended in 1999 to cover the protection of individual health information (or PHI). These rules remain the industry’s “north star” for the collection, use, exchange, and protection of patient information.

Although HIPAA covers only a small portion of the healthcare industry, it has become the standard for both the right of patients to access their information and the business obligation to protect sensitive health data. Though the laws do place restrictions on the use of PHI, they were written to support the exchange of patient information, outlining how data can be legally and securely exchanged.

HIPAA is a floor, not a ceiling. It does not preempt laws that create stricter requirements for PHI, and other laws can augment its requirements.

Health Information Technology for Economic and Clinical Health (HITECH)

In 2009, Congress enacted the HITECH Act, which widened the scope of HIPAA’s data protection requirements, increased the legal liability for non-compliance, and strengthened the enforcement rights of the Office of Civil Rights (OCR, a division of HHS). The primary goal of HITECH was to accelerate the adoption of electronic health records (EHRs) and other health technologies, which were expected to improve individual patient care and public health outcomes. Broadening the data protection requirements in HIPAA was a way to mitigate the risks of EHRs and other technologies, which brought significant amounts of new medical information online.

Genetic Information Nondiscrimination Act (GINA)

GINA was enacted in 2008, as inexpensive clinical and direct-to-consumer genetic tests were entering the market. GINA prohibits employers from requiring or financially incentivizing employees to disclose their genetic information, their individual health information, or their family medical histories; it prohibits employers from disclosing employee health information or discriminating against an individual for employment or health insurance based on his or her genetic information or medical history. It also prohibits health insurance plans from using or disclosing genetic information for underwriting purposes.

Federal agencies oversee the healthcare industry’s generation, collection, use, and sharing of health information. The Department of Health & Human Services and the Federal Trade Commission are two primary enforcement agencies for the health industry.

The Department of Health & Human Services (HHS)

HHS has enforcement authority for HIPAA and HITECH. The agency sets the regulatory agenda for the healthcare industry and — among many other things — funds initiatives to improve industry standards, technology, and accountability for the management of patient health information. HHS’s responsibility for patient information was reinforced in 2016 with the passage of the 21st Century Cures Act. Among other things, the Act called on HHS to better define interoperability and prohibit “information blocking”; it also modified the requirements around informed consent for certain types of clinical research and modified the FDA’s drug approval process to permit the use of “real world evidence” in FDA submissions under certain conditions. With respect to health information, the two parts of HHS for health companies to be aware of are:

• The Office of Civil Rights (OCR), an office within HHS, enforces HIPAA/HITECH; keeps track of breaches of protected health information; and manages investigations and resolutions of complaints or violations of HIPAA’s Privacy & Security Rules.
• The Food & Drug Administration (FDA) oversees clinical research and trials for drugs, biologics, and medical devices. It also enforces industry standards, including the Common Rule (an ethics standard for the protection of human subjects in government-funded research that has become the de facto standard regardless of funding) and Good Clinical, Laboratory, and Manufacturing Practices (together, GxP), which are internationally recognized standards for drug development activities that require proper management of data, including the ethical collection, use, and disclosure of information from human subjects.

Federal Trade Commission (FTC)

The FTC regulates the collection and use of consumer data in the private sector. While the FTC does not have enforcement authority over data regulated by HIPAA, it does cover the collection and use of consumer data by healthcare companies. The agency also regulates many companies that consumers would consider “health related” but that fall outside the scope of HHS oversight (e.g., health tracking apps, wearable fitness devices, direct-to-consumer genetic testing companies).

FTC’s authority to protect health information comes primarily from two sources:

• Section 5 of the FTC Act, which gives the FTC the authority to protect consumers from corporate acts and practices that are unfair or deceptive. The agency has developed enforceable guidance around what constitutes “fair” data management practices and “reasonable” security safeguards for consumer information. The rules FTC has promulgated apply to health companies insofar as the types of consumer data they handle or the activities for which they employ it are not already covered by HIPAA.
• The Fair Credit Reporting Act (FCRA) regulates the use of consumer information in credit, employment, and insurance eligibility decisions. Its requirements, which the FTC enforces, are intended to promote information accuracy and accessibility for consumers and to ensure that companies only use consumer data in fair and transparent ways. Health information is subject to the same rules as all other information collected and disclosed in a consumer’s report.

States have passed their own laws protecting health information, contributing to the “patchwork” of data protection laws in the United States.

As previously noted, HIPAA sets a regulatory floor, and only applies to a subset of personal health information. States have stepped in to fill the gaps and, in some cases, establish stricter standards. The relevant state laws fall into three categories:

Sector-specific state healthcare laws

Every U.S. state and D.C. has enacted laws specific to the health industry. With varying degrees of specificity and severity, they contain safeguards for the privacy and confidentiality of health information by regulating the collection, use, and disclosure of patient health and biometric information.

Data Breach Notification & Identity Protection Laws

All 50 states and D.C. have enacted security breach notification laws. Of those, 16 explicitly include health data or medical history (D.C. might pass an update that would bring the number to 17), and an additional 7 include biometric data or health insurance information. Regardless, every state includes name and social security number (or other government-issued ID number) as personal information subject to data breach notification requirements, which means all medical and insurance records are effectively covered by these laws. In fact, the majority of reported breaches, settlements, and fines at the state level are the result of unauthorized disclosures of healthcare provider records and health insurance information.

Unfair or Deceptive Practices Statutes

Every state and D.C. have enacted statutes to protect consumers against unfair or deceptive corporate practices. These laws are similar to the FTC’s Section 5 authority in that they apply to the privacy, security, and confidentiality of personal information, including health information not covered by HIPAA or a state health law. State consumer protection statutes usually grant enforcement authority to the state’s Attorney General, though in some instances consumers have a private right of action.

Health companies self-regulate to varying degrees, creating and voluntarily adhering to standards and codes of conduct regarding the collection, use, and exchange of health information.

There are numerous industry groups developing standards that apply to health data, and a variety of codes of conduct have been developed for the management and protection of health data. Some, like the National Institute of Standards & Technology (NIST) de-identification guidelines and its privacy framework (currently under development), are cross-industry best practices. HITRUST is a private organization that conducts corporate audits to certify that organizations are employing appropriate technical, administrative, and physical safeguards to protect health data in compliance with HIPAA. Meanwhile, groups like the CARIN Alliance and the Future of Privacy Forum develop codes of conduct with member support that codify best practices for specific activities to standardize behavior across the industry.

Here’s what’s coming

The idea of federal privacy regulation for the protection of personal information is hardly new, but the number of proposals currently on the docket in Congress is unprecedented.

To date, 8 federal privacy bills have been introduced in Congress. Each proposal addresses similar legal concepts, but the degree of variation suggests consensus is lacking. This is especially true with respect to higher-stakes questions like preemption.

Here are the key trends:

• Legislation is moving toward broadly scoping its coverage to capture more data types, including health data
• Proposals use a combination of a consumer rights model (promote consumer control) and a consumer protection model (enforce corporate behavior)
• Rulemaking and enforcement authority is granted to the FTC
• Proposals are encouraging data minimization

The federal privacy legislation debate has drawn industry and advocacy groups, businesses, and individuals, some of whom have taken the opportunity to draft federal proposals of their own. Intel, for example, released its proposal in January 2019, the “Innovative & Ethical Data Use Act”, with tremendous support from its industry peers; the Center for Democracy & Technology published its proposal in December 2018, “Federal Baseline Privacy Legislation”, which has received much attention for its clarity and comprehensiveness.

Numerous federal agencies have stepped into the data privacy debate, but the actions of HHS and FTC will have the greatest impact on the health industry.

Department of Health & Human Services

HHS has released rules and requested comments about revisions to HIPAA, improvements in coordinating healthcare for patients, and incentivizing interoperability through refreshed guidelines. Two recent examples:

1. In December 2018, the Office of Civil Rights requested information on how HIPAA (and the Privacy Rule, in particular) could be modified to promote information sharing for coordinated and value-based care in a privacy-sensitive manner.
2. In February 2019, the Center for Medicare/Medicaid Services and the Office of the National Coordinator for Health Information Technology released proposed rules that would promote patient access to and control over their information.

• The CMS proposal requires healthcare companies to implement technology that would support the seamless transition of health records as patients move between providers and plans; it also proposed to publicly report healthcare providers that engaged in “information blocking”.
• ONC’s proposal promotes secure, free, and real-time access to health records through the adoption of standardized APIs, which would give patients the ability to see their information on apps and mobile devices. It also attempts to define activities that do not constitute “information blocking”.

The Federal Trade Commission

The FTC has received numerous complaints about the disclosure of health and health-related information for advertising and risk scoring. In a complaint against Facebook, for example, a consumer advocacy association argued that the social media company misled consumers into sharing personal health information because its information use and disclosure policies were unclear.

Recently, there has been significant media attention on the lack of transparency around the collection of information from wellness and fitness tracking apps; as well as the use of health information in algorithm-based decision-making. All of these activities fall within the FTC’s scope to investigate, should it choose to do so.

States have been more aggressive on privacy legislation than the federal government.

A slew of states have already passed or are preparing to pass data protection laws, many of which will impact the health sector. This growing body of legislation creates inconsistencies across jurisdictions in terms of requirements and scope.

Broadly speaking, there are three categories of state laws:

California Consumer Rights Model

California passed the California Consumer Privacy Act (CCPA) in mid-2018. The law takes effect on January 1, 2020, and is the first consumer privacy law in the country. It establishes consumer rights over the data collected and used about them, and prescribes responsibilities and mechanisms for companies to honor those rights. Though it exempts consumer information protected by HIPAA and the state’s Confidentiality of Medical Information Act (CMIA), it covers other consumer data generated, used, and exchanged by the healthcare industry (e.g., online behavioral and interest data, social determinants of health, and direct-to-consumer health app, testing, and device data). A detailed analysis of the CCPA and its impact on the health industry can be found here.

California has started a trend. Hawaii, New York, New Mexico, North Dakota, Maryland, Massachusetts, and Rhode Island have introduced similar consumer privacy legislation, despite the CCPA’s many ambiguities and conflicts, which have to be resolved before the law goes into effect.

European Data Protection Model

Washington is poised to pass data privacy legislation modeled after Europe’s General Data Protection Regulation (GDPR). The law would provide more comprehensive data rights to consumers than the CCPA and would enforce those rights through the regulation of corporate behavior.

The bill requires that companies provide consumers with notice about these rights and mechanisms to exercise them (the consumer rights model). But it also requires that companies be transparent about their data collection and use practices; that they conduct risk assessments of their data processing; that they monitor and pass on their compliance and contractual obligations, including with respect to de-identified data; and it places limits on the use of facial recognition technology (the corporate behavior model).

While the bill defines personal information broadly (“any information that is linked or linkable to an identified or identifiable natural person”), it exempts information that is already protected by some federal laws, including HIPAA.

Sector-specific Model

As previously noted, the U.S. has historically passed data privacy laws for specific sectors or data types, including the health industry and health data. Some states are continuing this model.

• Florida and New York are the most recent states to propose Biometric Information Privacy Acts (BIPAs), which are designed to protect data about a consumer’s biology, physiology, genetic, and olfactory information. Specific examples include DNA, fingerprints, facial imagery, and retina scans. BIPAs have come under pressure from companies developing or implementing facial-recognition software, voice and fingerprint identification technology, and other biometric-based services, but Florida and New York are following in the footsteps of Illinois (2008), Texas (2009), and Washington (2017). Meanwhile, BIPA proposals in Montana, New Hampshire, Alaska, and Delaware have been in committee for a year or more.
• Oregon’s state legislature is considering the passage of the Health Information Property Act, which proposes that patient’s PHI should be the legal property of the patient. It would require that patients provide affirmative authorization before healthcare providers de-identify and sell their PHI; that consumers should have the option to receive payment in exchange for the authorization to sell their de-identified information; and that healthcare providers cannot discriminate against consumers who do not authorize the sale of their de-identified information. The group behind this bill is currently lobbying for similar laws in other states, including Arizona, California, Georgia, Hawaii, Maryland, Massachusetts, Montana, New Jersey, Pennsylvania, and Washington.

Here’s how all of it is likely to shake out

States will pass legislation quickly over the next year, which will impact companies in the health industry.

Inconsistency in state requirements will lead to heavy operational costs, lower rates of compliance, and/or negative economic impacts as companies either retreat from some states or pass on costs to consumers. An important distinction for the health industry to watch is whether state laws include exemptions for health data covered by HIPAA or other state legislation. Hawaii’s data privacy bill, for example, has been introduced without an exemption for health data covered by other laws. State bills that do not have an exemption could create conflicts with existing state or federal laws.

As the private sector struggles to comply with various state privacy laws, pressure will mount for Congress to pass federal privacy legislation that includes explicit preemption of other privacy laws.

HHS and the FTC will establish new guidelines with respect to the use of health data over the next two years.

Before Congress manages to pass federal legislation, HHS and FTC will step in to increase protections for health data. HHS will promulgate rules to accelerate interoperability and portability initiatives, as well as data transparency rules to improve patient care and awareness. HHS will also push for revisions to the HIPAA privacy rule that will continue to protect patients while promoting more efficient data sharing.

Meanwhile, the FTC will increase enforcement of privacy violations through its Section 5 authority. The agency has already expressed concern over biases and discrimination in the use of data for algorithm-based decision-making, which is a new frontier in healthcare and application for health/health-related data and will likely introduce guidelines for the use of data in automated decisions and the permissible use of automated decisions in healthcare settings.

On the back of state legislation, and HHS and FTC action, we will see federal data protection legislation in the next two years, which will set baseline requirements for all data types across all industries.

Federal data protection legislation will take some time and will continue to be a high-visibility issue for the next two years. In whatever form it passes, the final legislation is likely to accomplish four things:

• It will be broader in scope than the traditional sector-specific approach to privacy, covering online data, financial data, social and demographic data, as well as health data.
• The requirements for protected data under the new legislation will likely be equivalent, if not stricter, than the protections for PHI, which would lead to regulatory parity between PHI and other data types.
• It will preempt state law and will provide similar protections to those offered by the strictest state laws.
• The FTC’s enforcement rights will be strengthened.

Bottom line: data protection requirements are changing quickly, but clear trends are emerging. While the health industry will be subject to the new requirements, the industry’s familiarity with data regulations gives it a head start to designing and implementing the data management operations necessary for compliance.

This piece is intended as a high-level overview. Subsequent pieces will cover pending federal and state legislation in additional detail. Thank you to Travis May and Bob Borek for their thoughts and edits on this piece.