US Senator Seeks Input on Ways to Protect Patient PrivacyInquiry is Latest Move by a Lawmaker Hinting of New Data Protection Legislation
The drumbeat for potential federal legislation to better protect sensitive health information - or at least new regulations - appears to be growing louder in Congress.
Sen. Bill Cassidy, R-La., ranking member of the Senate committee on health, education, labor and pension, is seeking input from healthcare industry stakeholders on ways to improve the privacy and security of health data while balancing the need to support medical research.
Cassidy, one of 19 physicians currently serving in Congress and one of four in the Senate, issued the request for information last week, with a deadline of Sept. 28, seeking responses on a wide scope of health data privacy and security issues.
The request for information ranges from whether Congress should update HIPAA, to how biometric, genetic and health-related location data should be safeguarded, to privacy concerns involving the use of AI in healthcare.
"Safeguarding patient privacy is an essential element in building trust in our healthcare system," Cassidy wrote in a letter that is publicly addressed to "interested parties."
Some regulatory expectations of how protected health information should be handled for treatment, payment and healthcare operations date back nearly 30 years with the passage of HIPAA. And times have changed since then, he said.
"New technologies such as wearable devices, smart devices, and health and wellness apps have expanded the creation and collection of health data," he said. "While these technologies have enabled better care and greater patient access to health information, much of this data is not protected by the HIPAA framework," he said.
Cassidy's office in a statement to Information Security Media Group said the purpose of the senator's letter "is to hear input on these questions." His office did not immediately respond to ISMG's inquiry about whether the senator plans to use the comments in hammering out any potential legislation pertaining to health data security and privacy matters. In addition to seeking public input, Cassidy's letter was also sent to a specific group of unnamed stakeholders, the statement said.*
In a statement accompanying the public request for information, Cassidy's office said the senator "hopes to use stakeholder feedback to identify solutions to modernize HIPAA and ensure all health data is properly safeguarded."
Other Congressional Efforts
Meanwhile, another lawmaker, Sen. Mark Warner, D-Va., earlier this year floated the possibility of introducing new bipartisan legislation aimed at bolstering cybersecurity in healthcare sector, such as by mandating participant organizations of Medicare and Medicaid programs to apply minimum security practices as a standard operating procedure (see: Push for New Healthcare Sector Cybersecurity Legislation).
Warner in a statement to ISMG on Thursday said he is still pursuing introducing new healthcare cybersecurity legislation.
"The healthcare sector is unique in that it deals with the intimately personal data of millions of Americans. That makes it particularly vulnerable to cyberattacks - whether it be ransomware or denial-of-service attacks," he said.
"For years, I've been focused on exploring ways to strengthen cybersecurity in the healthcare sector, and I'm currently working on standard-setting legislation to ensure that patients are adequately protected," he said.
"In the meantime, I welcome efforts from my colleagues on either side of the aisle that bolster cybersecurity in the healthcare space and help bring relevant legislation to the Senate floor."
Among the three dozen questions Cassidy posed in his inquiry to stakeholders is whether non-HIPAA covered entities should be required - upon consumer request - to delete personal data they collect, similar to requirements under the European Union's General Data Protection Regulation.
Cassidy in his inquiry also asks how consumers' online searches might be better protected when they relate to health conditions - such as diabetes and in-vitro fertilization.
The lawmaker is also seeking input about the use of AI technology by HIPAA and non-HIPAA covered entities and potential privacy challenges of using AI to collect, maintain or disclose healthcare data.
"How should AI-enabled software and applications implement privacy by design? What can be done to mitigate privacy vulnerabilities when developing algorithms for healthcare purposes?," he asks.
Cassidy's request for information also comes as scrutiny grows among regulators and the public over how certain health-related data is being collected, shared and safeguarded by HIPAA covered entities, such as hospitals - as well as non-HIPAA covered entities, such as makers of consumer wearable health devices, online telehealth providers, and app developers.
Those concerns include the use of tracking technologies, such as Meta Pixel and Google Analytics, in health-related apps and patient portals, that share sensitive health information with third parties, including social media firms and marketers.
The Department of Health and Human Services and Federal Trade Commission are also currently ramping up enforcement efforts related to potential HIPAA and FTC regulation violations related to unlawful collection and disclosure of sensitive health information involving web trackers (see: Feds Publicly Name 130 Healthcare Firms Using Web Trackers).
Separately, HHS is also in the midst of finalizing proposed HIPAA privacy rule changes to enhance protections over reproductive healthcare information (see: HHS Wants HIPAA Changes to Protect Reproductive Health Info).
While the privacy and security of sensitive health information definitely appears to be a growing bipartisan concern in some corners of Congress, the likelihood of new legislation gaining traction anytime soon is more iffy, some experts said.
"I think concerns about health data privacy and security are fairly bipartisan. Both parties likely want to see limits on how technology companies can use health data in ways that the consumer may not expect," said privacy attorney Adam Greene of the law firm Davis Wright Tremaine. Instead, the bigger challenge is the parties reaching agreement on how to address complex issues involving health data privacy, he said.
"I don't think the usual partisanship is a problem because this may be a rare area of agreement," he said. "Rather, I am skeptical of Congress passing comprehensive health data privacy legislation because it is a complicated area and I do not have faith that Congress can get into the weeds to create a robust framework or, alternatively, agree on delegating such details to an administrative agency such as HHS or FTC."
In the meantime, other privacy experts said they are curious to see what kind of response Cassidy receives to his inquiries.
"I would expect that he'll receive both information and requests for guidance related to research and development, including with regard to recent website tracking guidance from HHS, and other types of big data projects hampered by current approaches to data sharing by HHS," said privacy attorney Iliana Peters of the law firm Polsinelli.
"In other words, many regulated entities would likely engage in more research and development in the healthcare system, if they had fewer concerns about litigation and enforcement risk pursuant to HIPAA and similar state laws."
*Update: Statement from Sen. Cassidy's office added Sept. 14, UTC 21:08.