ACCESS Act Points the Way to a Post-HIPAA World


The Oct. 22 announcement starts with: “U.S. Sens. Mark R. Warner (D-VA), Josh Hawley (R-MO) and Richard Blumenthal (D-CT) will introduce the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, bipartisan legislation that will encourage market-based competition to dominant social media platforms by requiring the largest companies to make user data portable – and their services interoperable – with other platforms, and to allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose.”

Although the scope of this bill is limited to the largest of the data brokers (messaging, multimedia sharing, and social networking) that currently mediate between us as individuals, it contains groundbreaking provisions for delegation by users that is a road map to privacy regulations in general for the 21st Century.

The bill’s Section 5: Delegation describes a new right for us as data subjects at the mercy of the institutions we are effectively forced to use. This is the right to choose and delegate authority to a third-party agent that can manage interactions with the institutions on our behalf. The third-party agent can be anyone we choose subject to their registration with the Federal Trade Commission. This right to digital representation by an entity of our choice with access to the full range of our direct control capabilities is unprecedented, as far as I know.

The problem with HIPAA, and with Europe’s General Data Protection Regulation (GDPR) is a lack of agency for the individual data subject. These regulatory approaches presume that all of the technology is controlled by our service providers and none of the technology is controlled by the us as data subjects. There are major limitations to this approach. 

First, it depends on regulation and bureaucracy around data uses (“notice and consent”) which typically lag the torrid pace of tech and business innovation. The alternative of mandating the technical ability to delegate, per this bill, reduces the scope of necessary regulation while still allowing the service providers to innovate.

Second, a right to delegate control gives the data subject a lot more market power in highly concentrated markets like communications or hospital networks where effective and differentiated competition is scarce. A patient, for example, will have a choice among hundreds of digital representatives even when that patient is in a market served by only one or two hospital networks. These digital representatives will compete on a national scale even as our provider choices are limited by geography or employment.

Third, the advent of patient-controlled technology enabled by mandated delegation means that machine learning, artificial intelligence, and expertise in general, can now move closer to patient. For example, patient groups that share a serious disease can organize as a cooperative to make the best use of their health records and hire expert physicians and engineers to design and operate the delegate.

Fourth, the right to specify a delegate means that, for the first time, our service providers will have to come to us. Under the current practice, patients are forced to navigate different user interfaces, portal designs, privacy statements, and associated dark patterns designed to manipulate us in different ways by each of our service providers. We are forced to figure out the idiosyncrasies of every service provider afresh. A right to delegation means that patients will have a consistent user interface and a more consistent user experience across our service providers even if the delegate is relatively dumb in the expert systems sense. 

Anyone who has sought the services of an attorney or a direct primary care physician understands the value of an expert fiduciary that is more-or-less substitutable if they fail to satisfy. These learned intermediaries are understood as essential when we face asymmetries of power relative to a court or hospital. The ACCESS Bill is a breakthrough because it extends our right to choose a delegate to the digital institutions that are now deeply embedded in our lives.

Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country. This post first appeared in Bill of Health here.

Categories: Uncategorized

Tagged as: , ,