Last week, two bills were proposed in Congress aimed at improving consumer privacy protection. These proposals focus on specific areas of privacy law – health data that falls outside of HIPAA and do-not-track signals. Both issues have been areas of priority at the state level. The California Privacy Rights Act, Virginia’s Consumer Data Protection Act, and the Colorado Privacy Act all regulate health data that is not exempted by HIPAA as “sensitive” information that is subject to special protections. Meanwhile, the California Consumer Privacy Act already requires businesses to treat user-enabled global privacy controls as requests to opt-out of sale. The Colorado Privacy Act requires the Colorado Attorney General to develop regulations as to how businesses should respond to universal requests to opt-out by July 1, 2024. (Notably, the DELETE Act (discussed below), which aims to regulate do-not-track signals at the federal level, only applies to data brokers; both the California and Colorado laws are broader in this respect).
Congress has flirted with a number of privacy proposals in recent years, including comprehensive privacy laws that are similar to the ones that have been passed at the state level. These bills have not gained serious traction. It is unclear as to whether Congress will have more success attempting to legislate on privacy issues through a piecemeal approach.
1. Health Data Use and Privacy Commission.
On February 9, 2022, U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) introduced S.3620, a bill to establish a commission for the Comprehensive Study of Health Data Use and Privacy Protection (“Commission”), bringing the healthcare industry and health data to the forefront of the national privacy legislative debate.
Through this bill, the newly established Commission will be tasked with analyzing and recommending how to modernize health privacy laws and regulations. The Health Data Use and Privacy Commission Act tasks the Commission with two main initiatives:
- Analyze existing protections of personal health information across practices including health care providers, financial industries, wearables, advertising and more.
- Recommend if and how health data privacy should be modernized within the federal privacy landscape. The recommendations are expected to cover (1) potential threats to health care privacy; (2) which legitimate interests warrant sharing of health information; (3) the effectiveness of existing regulations, statutes, self-regulation and technologies in protecting health privacy; (4) whether federal legislation is warranted and/or potential additions to existing law related to enforcement, preemption, consent, penalties for misuse, transparency, and notice of privacy practices; (5) a cost-benefit analysis and the impact on other policy areas such as security, law enforcement and medical research; (6) non-legislative solutions to individual health privacy concerns, including education, market-based measures, industry best practices, and new technologies; and (7) a review of the effectiveness and utility of third-party statements of privacy principles and private sector self-regulatory efforts, as well as third-party certification or accreditation programs meant to ensure compliance with privacy requirements.
The Commission is expected to deliver its recommendations six months after the seventeen (17) Commission members are appointed.
The bill, set for review by the Committee on Health, Education, Labor, and Pensions, is supported by a broad range of industry representatives across varying healthcare and technology sectors.
The core healthcare industry – primarily healthcare providers and health insurers – has been reasonably comfortable with the HIPAA Privacy and Security Rules, viewing them as reasonable provisions that provide appropriate patient protections while still permitting the health care system to work effectively and efficiently. At the same time, the explosion of “non-HIPAA health data” – from a wide variety of activities including mobile apps and wearables – has created meaningful gaps in privacy protection for health care information. With the expansion of state privacy laws, discussion of federal privacy laws and technological advances, and now the potential establishment of this Commission, it will be interesting to follow if and how healthcare privacy law and health information generally will be addressed in broader federal privacy laws. At a minimum, we can expect that any new national privacy law will have to address “non-HIPAA health care data” and the entities that hold it.
For a broader discussion of how healthcare privacy can be addressed in national privacy legislation, please review Healthcare in the National Privacy Debate and How Emerging Privacy Laws Are Impacting the Healthcare Industry.
2. DELETE Act.
On February 11, 2022, Senators Cassidy and Jon Ossoff (D-GA) and Representative Lori Trahan (D-MA-3) introduced S.3627, the Data Elimination and Limiting Extensive Tracking and Exchange Act (the “DELETE Act”). It has been referred to the Senate Committee on Commerce, Science, and Transportation.
What Would It Cover? Similar in concept to a do-not-call list, the DELETE Act seeks to establish a centralized system that would allow individuals to request, in a single step, the deletion of their personal information by all data broker entities and to place themselves on a “Do Not Track” list.
Who Would Be Subject to the Act? Data brokers amass personal and sensitive information from a variety of sources, with or without consent, and at times sell it. The DELETE Act, if enacted, would require all data brokers to delete, and stop collecting and selling, the data of individuals who join the Do Not Track list. The bill defines data brokers as entities that knowingly collect or obtain the personal information of an individual and use, sell, disclose or otherwise profit from the information. Further, only entities that do not have a “direct relationship” with the individual are subject to this law. A direct relationship under the Act means that the individual is a current customer, a customer within the past 18 months, or an individual who has inquired about a service from the entity within the prior 90 days.
How Would It Work? The DELETE Act requires data brokers to register annually with a centralized system securely managed by the FTC. Registration carries a yearly fee, with the proceeds going to the FTC, and the list of registered data brokers will be publicly disclosed. An individual will be able to request, through a single submission, that all registered data brokers delete that individual’s information. Each registered data broker will be required to query the system in a secure manner, at least once every 31 days, for deletion requests; the query is done via a “hashed” exchange of data so that names and contact details are not exchanged in the clear. If an individual is found on the list, the data broker will have 31 days to remove and delete that individual’s records.
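As an added illustration (not text or code from the bill or from this post) of the kind of hashed matching described above: the registry hands out only hashed tokens, and a broker hashes its own contact e-mails the same way to learn which records must be deleted without the registry ever receiving the broker’s full customer list. The keyed hash, the e-mail normalization rule and all sample data are assumptions of this example.

```python
import hashlib
import hmac

# Hypothetical key shared between the registry and registered brokers. The
# bill only says the exchange is "hashed"; using a keyed hash is an assumption
# of this example, made because a plain hash of an e-mail address can be
# reversed simply by hashing guessed addresses and comparing.
EXCHANGE_KEY = b"constructed-demo-key-not-real"


def normalize_email(address: str) -> str:
    """Canonicalize an address so both sides hash the same person identically."""
    return address.strip().lower()


def token(identifier: str, key: bytes = EXCHANGE_KEY) -> str:
    """HMAC-SHA256 of a normalized identifier, hex encoded."""
    data = normalize_email(identifier).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_suppression_list(registry_emails, key: bytes = EXCHANGE_KEY) -> set:
    """What the registry would publish: tokens only, no names or addresses."""
    return {token(email, key) for email in registry_emails}


def records_to_delete(broker_records, suppression_list, key: bytes = EXCHANGE_KEY) -> list:
    """Return ids of broker records whose contact e-mail matches a published token."""
    return [rid for rid, email in broker_records if token(email, key) in suppression_list]


# Constructed sample data; none of these are real people or addresses.
REGISTRY_REQUESTS = ["Alice.Example@Example.org", "bob@example.net"]
BROKER_RECORDS = [
    ("rec-001", "alice.example@example.org"),
    ("rec-002", "carol@example.com"),
    ("rec-003", " BOB@example.net "),
]

if __name__ == "__main__":
    hits = records_to_delete(BROKER_RECORDS, build_suppression_list(REGISTRY_REQUESTS))
    print(hits)  # rec-001 and rec-003 match; rec-002 is not on the list
```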
Who Would Enforce the Act? The Act gives the FTC enforcement powers under Section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)). Under the Act, data brokers will be required to undergo a third-party audit every three years. Audits will be filed with the FTC, which could punish violations under its existing authority to police unfair or deceptive trade practices.