In today’s digital age, the protection of sensitive health information has become a priority for Congress. The Health Insurance Portability and Accountability Act (HIPAA), a federal law enacted in 1996, has long been the cornerstone of health data privacy in the United States. HIPAA sets the national standards for health data privacy and security, ensuring your health information is kept confidential and secure. It’s like your personal gatekeeper for medical records. However, as online data collection has grown, cyberattacks are increasing. Lawmakers and officials at the Department of Health and Human Services (HHS) have recognized the need for more comprehensive safeguards to protect health data privacy.
HHS & FTC Enforcement
HHS Office for Civil Rights (OCR) plays a crucial role in enforcing HIPAA; this office ensures that covered entities, such as health plans, health care providers, and health care clearinghouses, comply with HIPAA Privacy and Security Rules.
Additionally, the Federal Trade Commission (FTC) enforces the FTC Act and the Health Breach Notification Rule. The Health Breach Notification Rule applies to vendors of personal health records (PHR), PHR-related entities, and third-party service providers. This rule covers businesses not covered by HIPAA. The FTC Act prohibits deceptive or unfair acts or practices in commerce, including misleading consumers about health information handling. It enforces the idea that companies must ensure their health data practices do not cause more harm than good.
Gaps
However, despite regulatory efforts, gaps remain in HIPAA that can only be addressed by Congress. The law does not cover data collected by wearable devices, smart devices, health and wellness apps, and other digital health technologies that fall outside traditional healthcare settings. Companies may use this information for marketing purposes or share and sell your information to profit, depending on state law. In a House Energy and Commerce hearing in December of last year, witnesses discussed how Artificial Intelligence (AI) presents new challenges since AI models do not have HIPAA protection for the data they use, making it simple for an AI model to identify an individual patient
Congress is (kind of) Looking to Act
Congress has shown a growing interest in addressing health data privacy, particularly in the context of AI. President Biden issued an executive order on safe, secure, and trustworthy AI, emphasizing the need to protect Americans’ privacy, including from the risks posed by AI, and calling on Congress to pass bipartisan data privacy legislation. Yet, the urgency to tackle health data privacy has taken a backseat because of other congressional priorities and partisan disagreements on numerous matters.
Nevertheless, some Members of Congress, such as Senator Bill Cassidy (R-LA), are actively considering potential updates to HIPAA as evidenced by his request for input into potential updates to the legislation. As indicated by Sen. Cassidy’s persistence, ongoing consideration, and discussion regarding the expansion of health data privacy laws to encompass AI and other emerging technologies continues in earnest.
Advertisers’ Perspective
At least one group is happy Congress has not done anything to expand HIPAA – advertisers. The National Advertising Initiative (NAI) is an industry trade group that develops self-regulatory standards for online advertising for its members such as Google. The NAI states that Congress shouldn’t extend the federal health privacy law and that data-driven health advertising benefits consumers and health care professionals. They believe data-driven advertising serves to help consumers find the products they need, and it helps health care professionals optimize their products based on public needs.
Looking Ahead
As we have seen this year, Congress is struggling to pass anything right now. We will see if this year will be different, or if this becomes an issue for the next Congress to handle. Whatever happens, you can be sure we will be watching and providing in-depth analysis for our clients.
If you or your organization would like to receive this analysis, contact us!