Adding to the growing trend of policymakers interested in regulating health and wellness data, last week U.S. Senator Bill Cassidy requested stakeholder feedback to help identify solutions to modernize HIPAA and ensure all health data is properly safeguarded. The deadline to submit feedback is September 28, 2023.
Senator Cassidy is the ranking member of the Senate’s Health, Education, Labor, and Pensions Committee (“HELP”). HELP has broad jurisdiction over the U.S. Department of Health and Human Services (“HHS”) and oversight over legislation related to HIPAA.
The request, issued broadly to “Interested Parties”, notes that “[s]afeguarding patient privacy is an essential element to building trust in our health care system” and asks for feedback on specific questions covering:
-
General privacy considerations (What is health data? What entities should be accountable for handling health data?)
-
Health information under HIPAA (Should Congress update or expand HIPAA?)
-
Collection and sharing of health data (When should consent be required? What deletion obligations should apply?)
-
Biometric data (Should biometric data be considered health information even if not used for health care purposes?)
-
Genetic information (How should genetic information collected by commercial services be safeguarded?)
-
Location data (What types of location data should be considered health data?)
-
Financial information (How should financial information for health care services not covered by HIPAA be protected?)
-
Artificial intelligence (Should patients be able to opt-out of datasets used to inform algorithmic development?) – Notably HELP also currently has a separate request for information regarding AI frameworks and the use of AI in the health care system, classroom, and workplace with comments due by September 22, 2023.
-
State and international privacy frameworks (What have been the greatest challenges of existing frameworks governing health data and what should be improved?)
-
Enforcement (What role should the Federal Trade Commission (“FTC”) play in safeguarding health data? What duplication or conflict is there in existing enforcement among agencies?)
Recognizing that HIPAA was passed nearly 30 years ago, the request highlights that the creation and collection of health data has significantly increased and may not be adequately protected where HIPAA does not apply. This request is the latest in a series of efforts to increase protection for consumer health data, following the clarification and expansion of entities covered by the FTC’s proposed revisions to the Health Breach Notification Rule, numerous recent FTC enforcement actions aimed at protecting health data, and guidance statements signaling the agency’s shift in enforcement priorities. Combined with recent activities by state legislatures, these actions demonstrate increasing awareness and concern about the collection, use, and disclosure of health and wellness data.
Stakeholders can consider providing feedback to help support a robust and thoughtful discussion on these complex issues.
[View source.]
