HELP Committee Chair Introduces Health Information Privacy Reform Act to Protect Americans’ Health Data

New legislation – the Health Information Privacy Reform Act – has been introduced to improve privacy protections for health information that is not currently covered by the Health Insurance Portability and Accountability Act (HIPAA).

Under HIPAA, there are strict limits on uses and disclosures of personally identifiable health information, and safeguards must be implemented to prevent unauthorized access to physical and electronic protected health information. The problem for consumers is that the scope of HIPAA is quite narrow. HIPAA only applies to health information that is created, collected, maintained, stored, or transmitted by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or a business associate of a HIPAA-covered entity.

Health apps, such as ovulation and fertility tracking apps, can collect large amounts of personally identifiable health information. While the health data would be classed as protected health information (PHI) and be subject to HIPAA protections if it were collected by a healthcare provider, the health information collected by health apps, smartwatches, and other wearable devices is rarely protected by HIPAA or the HITECH Act of 2009, which applies to certified health information technologies.

When HIPAA was enacted more than two decades ago, health information was generally only collected and stored by healthcare providers, health plans, healthcare clearinghouses, and vendors of those entities; however, today, technologies that collect health data are widely used outside of a hospital or doctor’s office.

While there are federal laws that apply to non-HIPAA-protected health data, such as Section 5 of the FTC Act and the FTC’s Health Breach Notification Rule, they are not as stringent as HIPAA. Some states, such as California, have introduced legislation to improve privacy protections for non-HIPAA health data, but state laws are patchy. Privacy protections can differ considerably from state to state.

U.S. Senator Bill Cassidy, M.D. (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, is looking to change that with the Health Information Privacy Reform Act. The Health Information Privacy Reform Act seeks to expand health privacy protections to account for new technologies such as health apps, smartwatches, and other wearable devices.

“Smartwatches and health apps change the way people manage their health. They’re helpful tools, but present new privacy concerns that didn’t exist when it was just a patient and a doctor in an exam room,” said Sen. Cassidy. “Let’s make sure that Americans’ data is secured and only collected and used with their consent.”

The Health Information Privacy Reform Act will apply to health technologies not covered by HIPAA or the HITECH Act and seeks to expand protections to include non-HIPAA-regulated entities, such as healthcare providers that only accept out-of-pocket payments.

The bill requires the Secretary of the Department of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), to promulgate privacy, security, and breach notification standards to cover all health information not covered by HIPAA or the HITECH Act. Those standards must “provide protections that are at least commensurate with, and wherever feasible and appropriate harmonize with, the protections provided through the privacy, security, and breach notification rules promulgated under [HIPAA and the HITECH Act].”

Covered entities will be required to disclose to consumers how their private health information will be used and disclosed. The bill requires the HHS to formulate permitted uses and disclosures for when individual authorization is not required, set authorization requirements, and establish a set of prohibited uses and disclosures.

As with HIPAA, there will be minimum necessary requirements to ensure that uses and disclosures are limited to the minimum necessary information to achieve the purpose for which health information is used or disclosed. The bill will give individuals rights over their health information, such as the right to receive a privacy notice, to access their health data, and to request an amendment or deletion of data, and it requires covered health information to be portable.

Physical, technical, and administrative safeguards must be implemented, including safeguards for electronic health information based on established national frameworks such as the NIST Cybersecurity Framework or the HHS health sector cybersecurity performance goals. In the event of a breach of covered health information, notifications are required, in line with those of the HIPAA Breach Notification Rule.

Within one year of the bill being passed, the Secretary of the HHS is required to establish unified national standards for rendering health information de-identified, similar to the de-identification requirements of HIPAA, and publish guidance on the application of the minimum necessary standard to data used for artificial intelligence and other machine learning applications.

The bill also requires the HHS to contract with the National Academies of Sciences, Engineering, and Medicine to conduct a study to identify the risks and benefits of paying compensation to patients for sharing their personal health data for research purposes.

The Health Information Privacy Reform Act has preemption provisions similar to those of HIPAA, inasmuch as states will be permitted to strengthen privacy requirements should they so wish, although that could lead to a complex patchwork of privacy protections.

The HHS, in consultation with the FTC, will be authorized to enforce all provisions of the Health Information Privacy Reform Act, and may impose civil monetary penalties for noncompliance, in line with existing penalty structures.

Similar privacy laws have been proposed in the past to address the lack of privacy protections for non-HIPAA-covered health data, as well as numerous attempts to pass a national data privacy law, all without success. It remains to be seen whether the Health Information Privacy Reform Act can gain sufficient support to get it over the line.

The post HELP Committee Chair Introduces Health Information Privacy Reform Act to Protect Americans’ Health Data appeared first on The HIPAA Journal.