By VINCE KURAITIS and DEVEN McGRAW
Two years ago we wouldn’t have believed it — the U.S. Congress is considering broad privacy and data protection legislation in 2019. There is some bipartisan support and a strong possibility that legislation will be passed. Two recent articles in The Washington Post and AP News will help you get up to speed.
Federal privacy legislation would have a huge impact on all healthcare stakeholders, including patients. Here’s an overview of the ground we’ll cover in this post:
- Why Now?
- Six Key Issues for Healthcare
- What’s Next?
We are aware of at least 5 proposed Congressional bills and 16 Privacy Frameworks/Principles. These are listed in the Appendix below; please feel free to update these lists in your comments. In this post we’ll focus on providing background and describing issues. In a future post we will compare and contrast specific legislative proposals.
Why Now?
A number of factors have contributed to bringing the privacy issue to the near boiling point:
Techlash and Surveillance Capitalism. Facebook scandals, Cambridge Analytica, Russian election interference, tech addiction, data breaches — all have contributed to the techlash against Silicon Valley giants and have raised growing calls for regulation.
A central theme is the growing public understanding of how personal data has been harvested. In a recent Blis survey, 63% of consumers responded that they were “more aware” of how personal data is used by companies versus a year ago.
The crescendo of criticisms is only getting louder. Harvard Law professor Shoshana Zuboff’s recently published book The Age of Surveillance Capitalism takes techlash to new levels. She writes: “Surveillance capitalists soon discovered that they could use these data not only to know our behavior but also to shape it.”
European Regulations. Europe now has the world’s strongest privacy and data protection regulation. The EU General Data Protection Regulation (GDPR) came into force in May 2018.
State Regulation. The California Consumer Privacy Act (CCPA), which goes into effect in January 2020 and is modeled after GDPR, has broad reach and has large companies that collect health (or health-related) information scrambling for federal relief. The State of Washington and others appear to be following suit.
Tech companies are realizing that the status quo is not an option. The United States does not have a comprehensive federal data protection law. Instead, the U.S. legislative framework for privacy and information security consists of multiple laws that regulate the private sector primarily on a sector-by-sector basis, with multiple regulatory authorities dedicated to oversight.
Six Key Issues for Healthcare
What provisions are likely to be included in a new federal privacy law? The Information Technology and Innovation Foundation (ITIF) recently released a report that lists 30 possible components of privacy laws (see the callout box).
The ITIF report provides explanations of each of these components. We’ll reference many of them in our list of six issues that we think will be particularly important for patients and other healthcare stakeholders:
- Is There Federal Preemption of State Legislation?
- Is All or Part of HIPAA Rescinded?
- How Are Interests ACROSS Stakeholder Groups Addressed?
- How Are Interests WITHIN Stakeholder Groups Addressed?
- How Are Next Generation Technologies Addressed?
- How Will New Privacy Legislation Be Enforced?
Let’s look at these individually.
1) Is There Federal Preemption of State Legislation?
This promises to be a contentious issue. A simple way to look at this — is federal law a floor or a ceiling for consumer rights?
Tech companies are fearful of unharmonized legislation passed in U.S. states and countries across the world. They would prefer to see one federal law that prohibits states from passing their own laws. Global companies would prefer to see one federal law that is in harmony with GDPR.
Fearful of weak federal legislation, consumer advocates at least initially will prefer to see federal legislation that continues to allow states to pass stronger laws. 16 privacy groups submitted a letter to Congress supporting strong state privacy laws and opposing federal preemption.
This opposition to federal preemption could soften when considering federal legislation that would provide strong consumer protections.
2) Is All or Part of HIPAA Rescinded?
HIPAA (the Health Insurance Portability and Accountability Act privacy, security and breach notification regulations) does not protect all health related data — it only covers health information in the hands of HIPAA-covered entities (primarily care providers, health plans, and healthcare clearinghouses) and their business associates (contractors who collect health information to perform services on a covered entity’s behalf). It does NOT protect health information in the hands of entities not specifically covered by HIPAA. For example, HIPAA does not cover health information in consumer-facing apps. HIPAA also does not apply to data that has been de-identified (rendered very low risk of re-identification).
How might federal privacy legislation affect HIPAA? That’s something of a wildcard for now. It’s possible that privacy legislation could expand HIPAA-like protections to non-HIPAA data, or it’s possible that federal legislation could perpetuate loopholes in not providing specific protections for health-related data.
Some are calling for a GDPR-like law that covers all personal data and eliminates all sector-specific privacy laws. In the interests of achieving a uniform, national privacy scheme, the ITIF Report specifically recommends rescinding HIPAA:
…federal privacy legislation should create a common set of federal protections for all types of data. This will mean removing duplicative or conflicting rules. To accomplish this, federal privacy legislation should sunset other sector-specific privacy laws, such as GLBA, HIPAA, and the Family Educational Rights and Privacy Act (FERPA), and bring the industries covered by those rules under a single federal data privacy law.
3) How Are Interests ACROSS Stakeholder Groups Addressed?
In the broadest sense, privacy legislation will be about meeting interests of consumers/patients vs. those of technology companies. Many tech companies increasingly are recognizing the need to reestablish and maintain consumer trust — and that this requires clearly delineated, transparent, and auditable practices. But companies and consumers/patients are likely to disagree on exactly how to build and maintain that trust.
Components of privacy legislation that will be of most interest to consumers/patients relate to personal control over data:
- Data portability
- Rights to correct/rectify errors
- Rights to delete certain types of data
- Consents to data sharing and use
- Requirements that data is used only for specified purposes
- Limitations on secondary uses of data
- Time limits to data retention
- Requirements to gather/use/share as little data as possible
- Data security
- De-identification of data
- A private right of action for violations
Components of privacy legislation that will be of most interest to tech companies and many healthcare incumbents include:
- Harmonization of requirements across states and across countries (see the discussion on preemption above)
- Minimizing compliance costs
- Freedom to innovate
- Few limitations on data gathering/use/sharing
- Limiting penalties and private rights of action
4) How Are Interests WITHIN Stakeholder Groups Addressed?
Within the major stakeholder groups in the HIPAA ecosystem there are divided points of view. We’ll share a few examples.
Even those who advocate for a stronger federal law differ in their preferences:
Privacy maximalists will prefer the most stringent protection of consumer data. They will prefer to give individual patients as much control as possible in how their data is shared and used. “We’d like to see laws that require data to be gathered only for specific purposes, that these specific purposes be spelled out to patients, that patients must specifically consent to gathering and sharing of data, that data not be used beyond purposes specified, and that certain types of data be deleted after a specified time period.”
Privacy balancers will point out tradeoffs among components of privacy and will weigh costs and benefits. “We recognize that health data has significant potential to advance medicine and science; thus researchers and conductors of clinical trials need reasonable access to large sets of patient data.” (See the discussion in the next section)
Healthcare providers also are unlikely to have uniform views of privacy legislation. Some likely will welcome strengthened privacy protections. “We’re truly working to make our health system more ‘patient centric’. Specifying patient rights to data will help us to protect our patients and to carry out their wishes about how their data is shared and used.”
Other providers who might view data in medical records as “theirs” might prefer the status quo. “The ambiguities about ownership of medical information work to our advantage. We treat medical data as if it’s ‘ours’ and we see that it’s to our competitive advantage to do so.”
Health plans may be more likely to have consistent positions, supporting provisions that impose privacy rules on entities currently outside the HIPAA coverage bubble but preferring to continue to be governed by HIPAA versus being covered by new, less familiar rules. “HIPAA works just fine to protect information collected by health plans, but there should be a level playing field for all companies collecting health information.”
In the tech world, some companies have embraced surprisingly strong views favoring consumer protections:
Apple CEO Tim Cook: “We all deserve control over our digital lives. That’s why we must rein in the data brokers…. Consumers shouldn’t have to tolerate another year of companies irresponsibly amassing huge user profiles, data breaches that seem out of control and the vanishing ability to control our own digital lives.”
Microsoft CEO Satya Nadella: “I am hopeful that in the United States we will have something that’s along the same lines [as European GDPR regulations]. In fact, I hope that the world over we all converge on a common standard.”
Salesforce CEO Marc Benioff: [quoted in a tweet by Marietje Schaake (@MarietjeSchaake), January 24, 2019]
These are just a few examples. However, it is unclear whether these strong commitments translate into support for a strong federal privacy law.
5) How Are Next Generation Technologies Addressed?
Next generation technologies such as artificial intelligence, machine learning and analytics offer alluring promises of advancements in medicine and healthcare. Law professors Price and Cohen describe some of the potential:
Big data enables more powerful evaluations of health care quality and efficiency, which then can be used to promote care improvement. Currently, much care remains relatively untracked and underanalyzed; amid persistent evidence of ineffective treatment, substantial waste, and medical error, understanding what works and what doesn’t is crucial to systemic improvement.
Regulations often lag the capabilities of new technologies. As we mentioned in the introductory section, there are also significant concerns relating to techlash and surveillance capitalism. But these next generation technologies raise issues of discrimination and fairness which are related to but go beyond privacy concerns – for example, use of big data to make health care resource allocation decisions that exacerbate racial and ethnic disparities in care.
Some of the issues we see relating to potential privacy legislation include:
- Will data that are de-identified or anonymized (and how those terms are defined) remain more widely available for big data uses?
- Will the legislation address discrimination, or will we be left with merely the protections of GINA, the Americans with Disabilities Act, and the Affordable Care Act, all of which have loopholes?
- Does the legislation deal with the potential for bias in next generation technologies, such as by requiring fairness and/or transparency in the algorithms used to make decisions about individuals and/or populations?
6) How Will New Privacy Legislation Be Enforced?
Here are some key questions to consider:
- What agency or agencies will have authority to enforce health-related aspects of new privacy legislation? Likely candidates include the Federal Trade Commission (FTC), the Office for Civil Rights (OCR) within Health and Human Services (HHS), or perhaps a newly created agency.
- What amount and types of resources will be available to enforce new legislation?
- Will the enforcing agency have ongoing rulemaking authority to address gaps in legislation and/or new technologies or industry practices?
- Will patients be given a private right of action, i.e., the right to take companies to court?
- Will state attorneys general and agencies be permitted to investigate and enforce violations of federal rules?
What’s Next?
Privacy legislation debates likely will become highly visible in 2019. A recent Harris/Finn poll found that “privacy of data” was the #1 issue that American companies should address, with 65% of respondents indicating it was “very important”.
The list of 30 components of privacy legislation speaks to the complexity of the issues involved, and it also highlights many opportunities for compromise.
The ITIF Report described Congress’ key task as being “to balance competing goals such as consumer privacy, free speech, productivity, U.S. economic competitiveness, and innovation.”
This won’t be an easy task and we expect that it will take a while to play out. It might take longer than one year to develop Federal privacy legislation. It’s also possible that privacy legislation could become an important issue in the 2020 election.
We encourage you to pay attention, and to keep this important issue on your radar!
Proposed and Pending Bills