Senate Protecting Personal Health Data Act Would Expand Health Privacy Regulation
DNA testing kits and health tracking apps have found themselves at the center of data privacy controversies over the past year as these companies hold sensitive health information shared by consumers. The Protecting Personal Health Data Act, introduced into the US Senate this month by Senator Amy Klobuchar (D-MN) and Senator Lisa Murkowski (R-AK), aims to regulate their collection, use and sharing of this data.
The Protecting Personal Health Data Act would require the Department of Health and Human Services to create standards for consumer devices, services, applications and software that handle personal health data. The standards would require companies to protect sensitive genetic data, biometric data, and other health data. HHS would also be tasked with setting appropriate standards for consumer consent, taking into account differences in the sensitivity of the data.
The law would further give consumers certain data subject access rights with respect to the data, providing the ability to access, correct and delete their personal health data when it is in the possession of third parties.
If enacted, it would also create a National Task Force on Health Data Protection. The Task Force would evaluate privacy and cybersecurity concerns involving consumer health products. The Task Force would study the effectiveness of deidentification as well as educate consumers about their sharing of health data.
The federal government enacted the Health Insurance Portability and Accountability Act (HIPAA) more than two decades ago to protect sensitive health information. However, modern technologies such as apps to track weight loss, smoking, depression, pregnancy and other health issues were not even being contemplated at that time. The bipartisan bill is aimed at closing these gaps in health information privacy.
Once information is shared with a health app at the direction of the consumer, it is no longer covered by HIPAA as long as the app developer is not a business associate of a covered entity. Earlier this year, in a Senate HELP Committee hearing on the 21st Century Cures Act, Congress criticized HHS for not doing enough to protect consumer privacy in such situations.
Congress has been drafting a comprehensive federal privacy bill to regulate data privacy practices, similar to the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act. The new health privacy bill takes a different approach, targeting a specific area not addressed by the existing health information privacy law. This approach is similar to the expansion of COPPA that was proposed last year and reintroduced this year. If a comprehensive privacy law gains support, these single-issue bills may get folded into it. If not, they may garner enough support to pass as standalone laws while leaving Congress to continue trying to reach consensus on a broader privacy bill.