The Health Data Goldilocks Dilemma: Privacy? Sharing? Both?”

Health Data Outside HIPAA: The Wild West of Unprotected Personal Data

Aug 12, 2019• 2

By VINCE KURAITIS and DEVEN McGRAW

This post is part of the series “The Health Data Goldilocks Dilemma: Privacy? Sharing? Both?”

“…the average patient will, in his or her lifetime, generate about 2,750 times more data related to social and environmental influences than to clinical factors”
–McKinsey analysis

The McKinsey “2,750 times” statistic is a pretty good proxy for the amount of your personal health data that is NOT protected by HIPAA and currently is broadly unprotected from sharing and use by third parties.

However, there is bipartisan legislation in front of Congress that offers expanded privacy protection for your personal health data. Senators Klobuchar & Murkowski have introduced the “Protecting Personal Health Data Act” (S.1842). The Act would extend protection to much personal health data that is currently not already protected by HIPAA (the Health Insurance Portability and Accountability Act of 1996).

In this essay, we will look in the rear-view mirror to see how HIPAA has provided substantial protections for personal clinical data — but with boundaries. We’ll also take a look out the windshield — the Wild West of unprotected health data.

Then in a separate post, we’ll describe and comment on the pending “Protect Personal Health Data Act”.

Pending Federal Privacy Legislation: A Status Update

Jul 23, 2019• 0

By DEVEN McGRAW and VINCE KURAITIS

This post is part of the series “The Health Data Goldilocks Dilemma: Privacy? Sharing? Both?”

In our initial blog post of February 20^th, “For Your Radar – Huge Implications for Healthcare in Pending Privacy Legislation,” we broadly discussed six key issues for healthcare stakeholders in the potential federal privacy and data protection legislation. We committed to future posts comparing and contrasting specific legislative proposals.

What’s happened since then?

Additional bills have been introduced and hearings have been held in both the House and the Senate. The Federal Trade Commission (FTC) also hosted two days of hearings on the FTC’s Approach to Consumer Privacy.

The buzz around federal privacy legislation continues, but as of yet there appear to be no proposals or bills that have emerged as the lead bills.

In the meantime, the clock is ticking. As we mentioned in our February 20^th post, a significant catalyst for federal privacy legislation is the desire of companies covered by the California Consumer Privacy Act (CCPA) to have that broadly-applicable, stringent state law preempted by a more company-friendly federal law. The CCPA, which sets stringent consent and other requirements for large companies, or companies collecting or monetizing large amounts of consumer data from California residents, goes into effect January 1, 2020 – less than six months from today.

Is it possible for a legislative body to move quickly on such a controversial topic? Again, California’s experience may be instructive. The CCPA was passed into law and signed on June 28, 2018, about a week after it was introduced. Lawmakers were in a rush in order to keep a popular and even stricter consumer privacy ballot initiative from being put before the California voters. (The sponsors of the ballot initiative agreed to withdraw it if the CCPA were enacted by the June 28^th deadline.).

Tech companies held their noses and supported the legislation because changing legislation is easier than changing a ballot initiative adopted by the voters. However, this strategy is not fool-proof. Although the CCPA has been successfully modified once to address some company concerns and to clarify confusing language, more recent attempts to amend it have failed (modification bills are still pending). With the deadline fast approaching, and the prospect for further significant modifications to the CCPA looking less likely, the pressure on Congress is reaching a fever pitch.