Hogan Lovells 2024 Election Impact and Congressional Outlook Report
A new report from U.S. Senator Bill Cassidy calls on Congress to update the Health Insurance Portability and Accountability Act (HIPAA) and develop new, comprehensive privacy legislation to further regulate consumer health and wellness data. The report highlights concerns about protecting health data collected outside of traditional health care settings.
In September, Senator Cassidy issued a request to help identify solutions to modernize HIPAA and ensure all U.S. health data is properly safeguarded. On February 21, his office released a report “outlining ways to improve privacy protections for Americans’ crucial health data” based on feedback from trade associations, hospitals, electronic health record vendors, health technology companies, and think tanks. The report puts forth several proposals to:
Recognizing that the U.S. does not have a comprehensive data privacy law and states are developing disparate and disjointed legislation, the report requests the Senate Committee on Health, Education, Labor, and Pensions (HELP Committee) be at the forefront of developing federal data privacy legislation since “the health care sector will need to play a distinct role with distinct considerations.” The report takes aim at information gathered through wearable devices, personal health and wellness applications, and direct-to-consumer (DTC) genetic testing--proposing increased regulation of health/wellness data, biological samples, genetic data, research, and other types of information that are in a “gray area” such as financial, geolocation, and biometric data.
The report includes concrete recommendations to improve protections suitable to our more technically advanced and digital health care system. Specifically, it suggests Congress address:
The report takes the position that discrete updates and clarifications to the existing framework would enable HIPAA to function better, noting that a major rewrite of HIPAA would upset decades of case law and established precedent, leading to disruption in patient care. However, the report also encourages re-evaluation and potential changes to fundamental components such as exemptions for de-identified data and research activities.
A common theme throughout the report is concern that treating certain health data under disparate legal regimes creates uncertainty and confusion, and could lead to inappropriate withholding and disclosure of health information. This is particularly an issue for data that falls within the “gray areas” of health information not explicitly covered by HIPAA but that can still have “significant privacy and health implications for patients.” These areas include:
The report calls on Congress to provide clarity for companies and patients to address these “gray areas” including that Congress:
The report also suggests additional requirements for non-traditional entities, like big technology companies, operating in the health sector. For example, the report suggests that non-traditional entities operating in the health sector:
Some of these recommendations are either already required by HIPAA, state consumer privacy laws, and state health privacy laws or may inadvertently create greater confusion and less clarity for individuals and entities.
The report urges Congress to act and implement comprehensive data privacy reform, including recognizing HHS OCR as the primary enforcement body over health data. Acknowledging that many regulators and states are releasing their own proposals and initiating enforcement actions, the report notes that such an approach is unworkable and risks creating a tiered system of protecting certain types of health data more than others. It calls on Congress to consider how to best balance the existing enforcement, warning that the Federal Trade Commission (FTC) has sought to become more involved and tried to expand the scope of its authority through the Health Breach Notification Rule. It also expresses particular concern about data outside of HIPAA, such as geolocation information, financial data, internet searches, and biometric data, that may be subject to many sets of rules as each sector seeks to roll out their own rules.
While encouraging efforts towards increased interoperability, the report states that Congress needs to create guardrails around how health data not covered by HIPAA is shared to help protect patient privacy and create a more sustainable framework for future information sharing. It urges Congress to consider legislation similar to what has been implemented in several states and create a federal floor for health data in the gray areas and outside of HIPAA to provide more regulatory certainty yet allow states to continue to supplement requirements to meet individual state needs.
This report highlights several areas in need of attention and serves as a bellwether for where Congress and federal agencies are likely to focus efforts as they consider updating HIPAA and further regulating health information. It’s important for those operating in the health and wellness sector to closely monitor these developments and engage with policy makers as appropriate on these issues.