Protecting Health Data Outside of HIPAA: Will the Protecting Personal Health Data Act Tame the Wild West?

Vince Kuraitis
Deven McGraw


This post is part of the series “The Health Data Goldilocks Dilemma: Privacy? Sharing? Both?”


In our previous post, we described the “Wild West of Unprotected Health Data.” Will the cavalry arrive to protect the vast quantities of your personal health data that are broadly unprotected from sharing and use by third parties?

Congress is seriously considering legislation to better protect the privacy of consumers’ personal data, given the patchwork of existing privacy protections. For the most part, the bills, while they may cover some health data, are not focused just on health data – with one exception: the “Protecting Personal Health Data Act” (S.1842), introduced by Senators Klobuchar and Murkowski. 

In this series, we committed to looking across all of the various privacy bills pending in Congress and identifying trends, commonalities, and differences in their approaches. But we think this bill, because of its exclusive health focus, deserves its own post. Concerns about health privacy outside of HIPAA are receiving increased attention in light of the push for interoperability, which makes this bill both timely and potentially worthy of your attention.

HHS and ONC recently issued a Notice of Proposed Rulemaking (NPRM) to Improve the Interoperability of Health Information. This proposed rule has received over 2,000 comments, many of which raised significant issues about how the rule potentially conflicts with patient and provider needs for data privacy and security.

For example, greater interoperability with patients means that even more medical and claims data will flow outside of HIPAA to the “Wild West.” The American Medical Association noted:

“If patients access their health data—some of which could contain family history and could be sensitive—through a smartphone, they must have a clear understanding of the potential uses of that data by app developers. Most patients will not be aware of who has access to their medical information, how and why they received it, and how it is being used (for example, an app may collect or use information for its own purposes, such as an insurer using health information to limit/exclude coverage for certain services, or may sell information to clients such as to an employer or a landlord). The downstream consequences of data being used in this way may ultimately erode a patient’s privacy and willingness to disclose information to his or her physician.”

Former ONC Coordinators submitted a letter of support for the provisions of the NPRM advancing interoperability but also expressed concerns about privacy and called for adoption of a comprehensive privacy framework to protect consumers.

Given Congress’ strong bipartisan support for interoperability, this may provide greater motivation for Congress to act to address the gaps in protections for health information – and it may be easier for Congress to pass a more focused privacy bill. It is also possible that this bipartisan bill could get incorporated into broader privacy legislation.

Who is covered? Who is not covered?

The bill begins with extensive references to the 2016 Department of Health and Human Services (HHS) report, Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA (the “2016 HHS Report”). That report described the limited scope of HIPAA, identified a broad scope of entities holding health information outside of HIPAA’s coverage, and recommended that Congress close the gaps in protections. To the best of our knowledge, this is the first bipartisan bill introduced to specifically respond to this HHS report. 

The bill does not cover all health data outside of HIPAA. Instead, the bill targets “operators” of “consumer devices, services, applications, and software” that are primarily designed for or marketed to consumers and “a substantial purpose of use of which is to collect or use personal health data.” (For purposes of this post, we’ll refer to them as Personal Health Data Tools.) Personal Health Data Tools expressly include direct-to-consumer genetic testing services, mobile technologies, and social media sites. Personal health data is defined in a way similar to protected health information under HIPAA: information that relates to the past, present, or future physical or mental health of an individual and that “identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”

The bill seems to target the types of entities most likely to be collecting data from electronic medical records on behalf of, or with the consent of, patients, potentially addressing the very concerns expressed about interoperability initiatives.

But even within this narrow focus, there are limits to its coverage. 

The bill expressly does not cover products where “personal health data is derived solely from other information that is not personal health data” (for example, GPS data). This language seems to exempt entities that collect social determinants data (such as age, income, education level, zip code) and use it for health purposes.

It also could be unclear when a product or service has a “substantial” purpose of collecting or using personal health data, particularly when collection of data that could ultimately be used for health purposes is not counted as personal health data. There also could be products where the data collection is not a “substantial purpose” of the business but rather a byproduct of delivering another service. For example, an implantable device like a pacemaker generates data, but the primary (arguably “substantial”) purpose of the device is to maintain healthy heart rhythms.

Also not covered are products or services “designed for, or marketed to” HIPAA covered entities and business associates, likely because those products and services would be covered by HIPAA.

What new requirements will apply to Personal Health Data Tools? New regulations.

The bill does not just extend HIPAA to operators covered by the bill. Instead, the bill sets out a process, on a fairly quick timeframe (although potentially not quick enough – see below) for developing privacy and security regulations that will apply to Personal Health Data Tools. 

The bill requires HHS, in consultation with the FTC and the HHS Office of the National Coordinator (ONC), to establish a task force of up to 15 members representing “a diverse set of stakeholder perspectives.” The Task Force, which will be governed by the Federal Advisory Committee Act (and therefore must conduct most of its meetings in public), has a year to develop a report to Congress, as well as to HHS, the FTC, and the Food and Drug Administration (FDA), with its findings.  The bill identifies the following as specific areas of focus for the Task Force:

  • Long-term effectiveness of de-identification methods for genetic and biometric data;
  • Security concerns (including cybersecurity risks) and standards to address them, for Personal Health Data Tools;
  • Privacy concerns and protection standards related to consumer and employee health data;
  • Reviewing the 2016 HHS Report and advising on whether it needs to be updated; and
  • Advising on resources to educate consumers about the basics of genetics and direct-to-consumer genetic testing.

After HHS receives the report of the Task Force, the bill requires HHS to publish privacy and security regulations to govern personal health data that is “collected, processed, analyzed or used by” Personal Health Data Tools within six months. HHS is required to consult with the FTC, ONC, FDA, “relevant stakeholders,” and “heads of other Federal agencies as the Secretary considers appropriate” (possibly the Office for Civil Rights?), in developing these regulations. It is noteworthy that HHS is tasked with regulating this particular group of non-covered entities, as other bills pending in Congress would vest privacy authority with the FTC.

The bill does not dictate particular privacy and security protections that HHS must apply to Personal Health Data Tools; however, the bill does require HHS to address a number of issues.  Specifically, the bill requires HHS to consider:

  • The findings of the 2016 HHS Report;
  • Regulations and guidance issued by the FTC, as well as the HIPAA regulations;
  • Uniform standards for consent related to genetic, biometric, and personal health data;
  • Exceptions to consent requirements, such as for law enforcement, academic research or research on health care utilization and outcomes, emergency medical treatment, or determining paternity;
  • Minimum standards of security that may differ according to the nature and sensitivity of the data collected by Personal Health Data Tools;
  • Appropriate standards for de-identification of personal health data; and
  • Appropriate limitations on the collection, use or disclosure of personal health data.

In developing regulations to address the areas identified above, HHS is also required to consider:

  • Developing standards for obtaining user consent that helps assure that consumers understand how their personal health data will be accessed, used, and shared;
  • How to limit the transfer of personal health data to third parties and provide consumers with greater control over marketing uses of their data;
  • Secondary uses beyond what the consumer initially consented to;
  • A process to permit withdrawal of user consent;
  • Providing a right of access for consumers to copies of personal health data; and
  • Providing a right to delete and amend personal health data, “to the extent practicable.”

Unresolved issues

Enforcement. The bill gives HHS the authority to issue regulations but does not establish any penalty authority for violation of those regulations, leaving an open question as to whether there will be any way to hold entities accountable for failing to comply with them. This is a pretty significant hole in the bill’s framework of protections.

Timing. If the bill is at least partially aimed at addressing concerns that could potentially derail or slow interoperability initiatives, Congress – and HHS – need to move quickly. If the timelines in the bill are kept, regulations could be proposed within 1.5 years of enactment. ONC is hoping to finalize the interoperability and information blocking regulations by the end of 2019, and the interoperability requirements would need to be installed by EHR vendors within two years after the rule is final. So there are arguably some synergies between the timing of the new regulations and when interoperability initiatives will be fully implemented. But six months is a very short time for HHS to complete drafting regulations and get them through the federal clearance process, and getting to a final rule after rules have been proposed could add at least another year to that schedule.

Which Rules Apply? Although the bill tries to make clear that entities covered by HIPAA will not be subject to the new regulations, there likely still will be some confusion in coverage. For example, there will be products that are marketed both to providers and for consumer use (for example, some personal health record products that have consumer-facing portals as well as providing data services to providers), which makes it more difficult to discern which set of regulations applies (sorting that out is something HHS could tackle during the regulatory process).

We’ll be keeping an eye on this bill, as we will with all of the privacy bills pending before Congress. Stay tuned for more. 

Deven McGraw, JD, MPH, LLM (@healthprivacy) is the Chief Regulatory Officer at Ciitizen (and former official at OCR and ONC). She blogs at https://medium.com/@ciitizen.

Vince Kuraitis, JD/MBA (@VinceKuraitis) is an independent healthcare strategy consultant with over 30 years’ experience across 150+ healthcare organizations. He blogs at e-CareManagement.com.