Cassidy pitches legislation to regulate consumer health apps

Senator Bill Cassidy, R-LA, unveiled a new health data privacy framework that sets out clear rules for how wearables and wellness apps handle sensitive health data.

The U.S. does not have a comprehensive national data privacy framework. While Cassidy says the country needs a comprehensive privacy framework for all sectors of the U.S. economy, he says that healthcare requires special considerations.

Lawmakers like Cassidy have expressed concern that Americans aren’t aware of how companies use their personal information when they purchase a wearable or use health-tracking apps. Moreover, lawmakers worry that sensitive health data that may reveal a person’s chronic conditions or reproductive health information will be maliciously leveraged by bad actors.

“Smartwatches and health apps change the way people manage their health. They’re helpful tools, but present new privacy concerns that didn’t exist when it was just a patient and a doctor in an exam room,” Cassidy said in a press release. “Let’s make sure that Americans’ data is secured and only collected and used with their consent.”

Cassidy introduced the Health Information Privacy Reform Act (HIPRA) (PDF) on Nov. 4. The proposed legislation follows many of the same tenets as the Health Information Portability and Accountability Act (HIPAA), which has regulated the privacy and security of patient health data since 1996.

Whereas HIPAA only covers healthcare providers, payers and clearinghouses and their business associates that electronically transmit data, Cassidy’s HIPRA would address the growing number of consumer apps, wellness platforms and wearables that collect consumer health data such as weight, blood pressure readings, sexual health information or other sensitive health information. 

HIPRA could redefine how businesses handle health data, even those that have been regulated by HIPAA for decades. 

Under the proposed law, consumers can access, modify or delete their personal health information associated with a consumer app or wearable. The privacy provisions list the permitted uses and disclosures of health information, including when written authorization is required, authorization standards and individual rights. 

The health data protected by the law is defined as information that identifies an individual and relates to the individual’s past, present, or future physical or mental health or condition, including the provision of healthcare or payment for healthcare. The law would also include Part 2 data, which identifies the individual as having a substance use disorder. 

Notably, HIPRA includes a right to the deletion of health data, which HIPAA does not include. 

“As technology proliferates and health data interoperability increases, we have greater opportunity to improve care and patients’ access to their health information,” Cassidy wrote in his health data privacy white paper last year. “Yet, increased access can lead to increased vulnerability for inappropriate data disclosures and a greater pool of data for hostile actors to exploit for nefarious purposes.” 

The proposed law would include security provisions similar to HIPAA, such as physical, technical and administrative safeguards based on frameworks from the National Institute of Science and Technology or the Department of Health and Human Services.

The breach notification provision would operate similarly to the HIPAA Health Breach Notification Rule and require entities to notify individuals, the government and the media when data was accessed without authorization, such as a cyberattack.

The proposed legislation also addresses the use of de-identified patient data for training health AI algorithms. The law clarifies that AI companies must comply with the “minimum necessary” standard set out by HIPAA, which requires sharing only the minimum amount of information necessary. 

“Some stakeholders have raised concerns that allowing health information to be used, even though de-identified, in future datasets to build AI tools may undermine patient ownership and autonomy over the use of their health data,” Cassidy wrote in the white paper. “Studies have highlighted the potential risk that AI applications may be able to re-identify health information.”

HIPRA calls on HHS to publish guidance on how HIPAA’s minimum necessary standard applies to AI. 

The legislation makes some changes to HIPAA, including how health information is de-identified, which would affect the entire healthcare sector, not just consumer apps. It also requires providers and apps to inform consumers when HIPAA no longer protects their data and lays out a path for “directed disclosure” of health data by patients to other entities.

The proposed legislation calls for the National Academies of Sciences, Engineering, and Medicine to study patient compensation for sharing identified data. It asks HHS to study the risks to data privacy, ethical considerations and feasibility of compensating consumers for their data. 

Disclaimer: This story is auto-aggregated by a computer program and has not been created or edited by lifecarefinanceguide.