Senators Propose Commission on Health Data Use and Privacy Protection to Study Modernizing HIPAA

March 18, 2022

On Feb. 9, 2022, U.S. Senators Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) introduced S. 3620, the Health Data Use and Privacy Commission Act.

The bill proposes to create a Commission on Health Data Use and Privacy Protection to study the collection, storage and use of personal health information (PHI). Note that the bill's "personal health information" is a broader term than HIPAA's "protected health information" (also abbreviated PHI), which covers only information held by covered entities and their business associates; the commission's mandate extends to health data held by entities HIPAA does not reach. The commission would be tasked with (1) reviewing existing protections of PHI across industries and (2) making recommendations to update the Health Insurance Portability and Accountability Act (HIPAA) to better reflect the use of new digital health and telemedicine technologies.

In introducing the legislation, Senators Cassidy and Baldwin stated that HIPAA is in need of modernization to give Americans peace of mind that their PHI is safe, while ensuring that the nation’s healthcare system has the tools needed to advance high-quality care.

Introduction of the bill follows a recent trend of increased attention to data privacy at the federal level, both for HIPAA-covered entities and for non-covered entities. For example, the U.S. Department of Health and Human Services (HHS) has been seeking public comment on proposed modifications to the regulations implementing HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). Meanwhile, the Federal Trade Commission (FTC) issued a policy statement on Sept. 15, 2021, reminding developers of health apps and other non-covered entities of their obligations under the FTC's Health Breach Notification Rule, and followed it in January 2022 with two additional resources, Health Breach Notification Rule: The Basics for Business and Complying with FTC's Health Breach Notification Rule. After issuing the policy statement, the FTC also launched a health privacy webpage collecting guidance documents to help businesses comply with the rule.

As currently proposed, the commission would focus its evaluation on a variety of data privacy and use issues:

  1. Collection of PHI by Governments — the monitoring, collection and distribution of PHI by federal, state and local governments, for example to combat the spread of diseases such as COVID-19 and to address substance use disorders involving opioids.
  2. Current Laws — current federal and state laws designed to protect PHI, including HIPAA, the Common Rule, the Federal Trade Commission Act, the Privacy Act of 1974 and the 21st Century Cures Act.
  3. Private-Sector Activities — privacy protection efforts undertaken by the private sector, including self-regulatory efforts initiated to respond to and mitigate privacy issues and liabilities.
  4. Enforcement — current enforcement of privacy laws and rules, by federal and state governments and private rights of action, and the potential for consolidation of enforcement.
  5. Comparability of Rules — the differences and similarities among federal, state and international rules for protecting PHI and the degree to which such similarities or differences create or address problems related to data privacy.
  6. Sale of PHI — the degree to which PHI is sold with or without consent, and the uses of such information.
  7. Consent — challenges and potential solutions to consent requirements and processes in medical research.
  8. De-identification — the need for consistency in de-identification standards for health data to avoid conflicting requirements that impede advancements in healthcare, such as through clinical trials or technology development.
  9. Technology Advancements — advancements in technologies currently used for treatment, payment and healthcare operations, compared to the technologies used when the HIPAA privacy regulations were issued in 2000.
  10. Non-covered Entities — gaps in privacy protections under HIPAA resulting from data collection and use by non-covered entities.
  11. Employee Health Data — employer practices with respect to the health information of employees.
  12. Data Use Notices — the varying notices of privacy practices in use and whether such notices are effective in informing consumers of their rights and responsibilities.

The legislation was referred to the Senate Health, Education, Labor and Pensions Committee for further action. There is no companion legislation in the House of Representatives.