Cross Posted from Health Affairs Blog
Health care lawyers justifiably ignored the 2012 Obama administration consumer privacy framework because it expressly and broadly exempted entities subject to HIPAA, stating “To avoid creating duplicative regulatory burdens, the Administration supports exempting companies from consumer data privacy legislation to the extent that their activities are subject to existing Federal data privacy laws.”
In contrast, the administration’s 2015 draft bill, the Consumer Privacy Bill of Rights Act, though based on that framework, substantially affects health care entities, including those subject to HIPAA, and so demands more attention in the health law community.
The “HIPAA clause” in the draft bill is subtly different (and noticeably narrower than its preemption of state law clause): “If a covered entity is subject to a provision of this Act and a comparable provision of a Federal privacy or security law [the list includes HIPAA] such provision of this Act shall not apply to such person to the extent that such provision of Federal privacy or security law applies to such person.”
The “provision” wording is key; most of the key substantive provisions in the draft bill—those going to consent, withdrawal of consent, context, and data minimization—do not crosswalk to any comparable provisions in HIPAA. For HIPAA mavens this has the potential of “more stringent than” all over again, but at a higher stakes table. (For nonmavens, this refers to questions raised by HIPAA’s language leaving intact state laws “more stringent than” HIPAA’s privacy protections.)
What Changed Between 2012 And Now?
As I have discussed elsewhere, in 2012 and then again in 2014, the White House and the Federal Trade Commission (FTC) published reports recommending enhanced consumer privacy. The earlier reports focused on general consumer privacy (particularly online) while the later ones were more specific, addressing the regulation of big data brokers. A conceptual shift also seemed to take place during that two-year gap.
The conventional wisdom implicit in the 2012 reports was that health information was adequately protected by the domain-specific HIPAA Privacy and Security Rules, hence the HIPAA-entity exemption in the framework and a similar provision in the FTC’s 2012 offering. Two years later reality had intruded. Big data brokers were constructing health data proxies in the HIPAA-free zone and it was becoming apparent that an increasing amount of health data was being generated and shared by consumers through smartphone platforms or wearables. That the draft bill seems to extend into the health care domain should not be a surprise (nor is it bad policy).
The framework described the duties and responsibilities of “data companies,” eschewing more mainstream “data custodian” language. Bizarrely, the draft bill uses the HIPAA term “covered entity,” but intends to include a far broader swathe of custodians. So (and I can’t believe I’m typing this sentence), does “covered entity” include a HIPAA “covered entity”?
The answer is maybe. The draft bill excludes “small” custodians that process data of fewer than 10,000 individuals or many small businesses (five or fewer employees), suggesting that most medical practices should be able to breathe easy. However, an excruciatingly poorly drafted clause then seems to pull those small actors back into the regulated zone to the extent they knowingly collect “information that is linked with personal data and includes, or relates directly to, that individual’s medical history.”
The definition of data custodians aside, medical data clearly fall within the bill’s purview. The definition of personal data is quite broad (albeit likely not broad enough for many privacy advocates), includes non-exclusive examples such as a “health care account number,” and “any data that are collected, created, processed, used, disclosed, stored, or otherwise maintained and linked, or as a practical matter linkable by the covered entity” to that numerical identifier. De-identified data are expressly excluded, subject to a requirement that the data custodian not perform or permit re-identification.
What’s In The Bill?
What about the draft bill’s substantive provisions? Recall that the HIPAA “privacy” rule essentially is a confidentiality code. It does not regulate the collection of data by health providers, only their disclosure. In contrast, a good part of the draft bill seeks to regulate data collection. It does so by dipping into the Fair Information Practice Principles (FIPPS) playbook, conditioning data collection on transparency/consent, respect for context, and forms of data minimization. In so doing the draft bill enters the realm of mainstream privacy codes. While it is unlikely to cause pangs of jealousy in the drafters of the European Data Regulation, it is a move in the right direction.
The requirement of “Transparency” suggests data custodians would be required to furnish a privacy policy that would go considerably further than the HIPAA-mandated Privacy Notice. Likewise “Individual Control” goes far beyond HIPAA access provisions. It presupposes some consent mechanism (removed from HIPAA in 2002) and provides for withdrawal of consent and, in some situations, erasure.
“Respect for Context” requires that data are processed in light of context. This may be one of the draft bill’s more interesting provisions as it avoids bright line rules in favor of context-based inquiries that take into account factors such as the “extent and frequency of direct interactions between individuals and the covered entity,” “the range of goods or services that the covered entity offers,” and “the types of personal data foreseeably processed.”
Given the longitudinal context of a provider-patient relationship and patient expectations, it is arguable that this provision will have limited applicability in the traditional health context. However, it should be of major importance in controlling data abuse in emerging and increasingly important health data contexts, from big data to social media and mobile apps. For example, if a retailer collected medically-inflected data during a sale it would not be respectful of context for that data to be sold on to big data brokers.
Closely linked to the idea of “Respect for Context” is the requirement for “Focused Collection and Responsible Use,” the specific wording of which is worth noting: “Each covered entity may only collect, retain, and use personal data in a manner that is reasonable in light of context. A covered entity shall consider ways to minimize privacy risk when determining its personal data collection, retention, and use practices.” Focused collection seems to capture the concept of “data minimization” that the FTC has been emphasizing of late and which in large part underlies that agency’s Internet of Things report.
Applying data minimization to health care, while overdue, will be challenging. It is a concept fundamentally at odds with current practices that maximize collection. Potentially, it may also clash with the ONC strategy of dramatically increasing data liquidity in order to promote interoperability. Data minimization could require HIPAA entities to double down on limiting accessibility of data to health care teams or even resuscitate proposed models for data segregation. Of course, as with “context,” a data minimization requirement will have the greatest impact on custodians operating outside of HIPAA-regulated space, such as big data brokers and app developers. For example, data collected by a fitness app should be limited to those necessary for the app’s purposes.
The draft bill contains additional requirements for Security, Access and Accuracy, and Accountabilitythat, overall, would not shock a HIPAA Privacy Officer. However, health care providers may have to get used to a new regulator because the Department of Health and Human Services (HHS) Office of Civil Rights is not involved with enforcement; rather, such powers are vested in the FTC and state attorneys general. As with HIPAA, no private right of action is provided although, as we have seen in that context, there are state cause of action workarounds.
Privacy Concerns
The data industry that insists self-regulation is the only sensible way to deal with these issues should welcome one further provision; broad safe harbors provided in exchange for enforceable industry codes of conduct. However, the White House is already drawing fire from privacy advocates for placing too much of the risk assessment in the hands of industry, the breadth of the self-regulatory loophole, and the failure to provide the FTC with adequate resources to effectively police the new standards and codes. If the draft bill progresses, privacy advocates likely will look to replace some of this with more directive regulation.
Health privacy advocates will have additional concerns. First, the requirement of “transparency” does not seem as strong as the FTC’s recommendation in its 2014 Data Brokers report that Congress should protect health information with legislation requiring “that consumer-facing sources obtain consumers’ affirmative express consent before collecting and sharing such information with data brokers.” Second, the draft bill expressly preempts state privacy laws. At a time when we can use all the health privacy and security we can get, this seems like a mistake. In particular, states like California that already extend their health privacy laws outside of conventional health care to mobile health apps should feel aggrieved.
What Comes Next?
There is no doubt that the health including aspects of the draft bill primarily are designed to reform the protection of health data that reside outside of the HIPAA zone. That is as welcome as it is overdue. The fascinating question is whether any legislation will graft a true, collection-centric privacy code onto the existing HIPAA confidentially model. Health lawyers definitely should pay attention.
Copyright ©2015 Health Affairs by Project HOPE – The People-to-People Health Foundation, Inc.
Nicolas Terry is @nicolasterry on twitter
