Getty Images/Tetra images RF
How New Federal, State Laws Impact Healthcare Data Privacy
HIPAA-covered entities must navigate HIPAA compliance along with recently introduced federal and state data privacy standards, creating significant challenges and complexity.
Along with HIPAA’s requirements for safeguarding protected health information (PHI), HIPAA-covered entities also must pay close attention to the patchwork of federal and state data privacy laws that dictate how different types of consumer data are treated.
In most cases, HIPAA preempts certain elements of state-level consumer data privacy laws—particularly if HIPAA’s standards are more stringent than those of the law in question.
However, these exemptions do not mean that the laws never apply to health data, especially health data held by non-HIPAA-covered entities. Healthcare companies, HIPAA-covered entities, and business associates must all navigate the complex and often confusing patchwork of standards used to protect consumer data in order to maintain compliance on federal and state levels.
In the following sections, HealthITSecurity will highlight some recently introduced data privacy legislation, explore how it could impact HIPAA-covered entities and health data protection on a larger scale, and provide advice for healthcare organizations on navigating the influx of new and anticipated data privacy standards.
Patchwork of Data Privacy Standards Poses Challenges For Healthcare
Data privacy laws in the US vary widely by state and industry. The Fair Credit Reporting Act (FCRA) protects information found in credit reports. The Gramm-Leach-Bliley Act (CLBA) requires consumer financial products (such as loan servicers) to explain how they share consumer data, and the Family Educational Rights and Privacy Act (FERPA) dictates who can request student education records, the New York Times explained in its analysis of consumer data privacy laws.
HIPAA serves to safeguard protected health information held by covered entities and their business associates.
Organizations that fall under HIPAA’s purview have the advantage of being held to data privacy and security standards that are already higher than many other industries. In some cases, compliance with HIPAA equates to compliance with other, more general data privacy standards.
“Unlike many other types of organizations, healthcare organizations have a foundation of complying with HIPAA. They are experienced in entering into business associate agreements with their vendors, implementing HIPAA compliance training for their workforce, and responding to patient requests to transfer medical records,” Ryan Blaney, head of Proskauer Rose’s global privacy and cybersecurity group, explained in an interview with HealthITSecurity.
“However, healthcare organizations still need to closely follow the various state privacy laws and ensure that they are able to supplement their policies, procedures, and practices.”
It would be a mistake to view HIPAA compliance as a green light to overlook other data privacy laws, even if it preempts many of them. The current data privacy landscape requires organizations to view compliance through the lens of multiple federal and state regulations, determine what data is covered by what law, and maintain compliance with all that apply.
The American Data Privacy and Protection Act
Legislators have been trying to enact a comprehensive national privacy standard for decades, arguing that the current assortment of laws leads to unnecessary confusion and complexity. These efforts have all fallen flat at some point in the legislative process, despite widespread public support for a federal bill.
But in early June, Congressional leaders released a bipartisan draft bill called the “American Data Privacy and Protection Act” (ADPPA).
If passed, the ADPPA would establish a national framework to protect consumer data privacy, give consumers protections against the discriminatory use of their data, and mandate that companies minimize the amount of data they need to collect to deliver products and services. The ADPPA would largely preempt state privacy laws and take notes from the EU’s General Data Protection Regulation (GDPR).
Consumers would be allowed to opt out of targeted advertisements, and the act would provide additional data privacy protections for minors. The ADPPA would also require data brokers to register with the FTC and would require ADPPA-covered entities to establish administrative, technical, and physical security safeguards, much like the HIPAA Security Rule.
The law would be enforced by the FTC and state attorneys general and applies to entities that fall under one of the following three categories: entities subject to the Federal Trade Commission Act (FTC Act), common carrier subjects to title II of the Communications Act of 1934, and nonprofits. Currently, most state-level comprehensive data privacy laws do not apply to nonprofits and some small businesses.
The ADPPA covers a variety of sensitive data types, including “any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatment of an individual.”
However, the ADPPA would not apply to data covered by HIPAA, nor would it apply to data covered by the FCRA, FERPA, and certain employment-related data. Essentially, HIPAA-covered entities may be exempt from certain elements of the ADPPA, but health data itself is not.
For example, tech companies that collect real-time physical health data from mobile applications or wearable fitness trackers would be subject to the ADPPA, but HIPAA-covered entities holding similar data would not be covered.
It is also crucial to note that HIPAA-covered entities would only be considered compliant with the ADPPA in respect to data regulated by HIPAA, just as entities compliant with FERPA would only be compliant with the ADPPA in relation to FERPA-covered data.
State-Level Data Privacy Laws Add to the Confusion
“One of the main drivers of the American Data Privacy and Protect Act has been having five specific state-level privacy laws and the concern that other states are really close to adopting similar state-level privacy laws, and that's going to create complexity and confusion,” Blaney explained.
In fact, Connecticut recently became the fifth state to enact its own comprehensive data privacy law, behind California, Virginia, Utah, and Colorado. Numerous other states have data privacy standards in the works, the US Chamber of Commerce Technology Engagement Center’s website shows.
Connecticut’s law will go into effect in July 2023 and takes notes from similar state laws in Virginia and Colorado, with a few key differences (one being an increased focus on protections for children’s data). Connecticut exempted state and local governments, HIPAA-covered entities and business associates, higher education institutions, nonprofits, national securities associations, and entities subject to the GLBA from the law.
Data privacy laws can vary in scope and content depending on the state. For example, some states’ comprehensive data security bills include protections for genetic data and provisions regarding breach notification. Other bills mirror the California Consumer Privacy Act (CCPA) almost completely. Others, such as the Florida Privacy Protection Act, combine elements of Virginia’s privacy law with those of the CCPA, the US Chamber of Commerce explains. The result is a patchwork of laws that vary slightly state-by-state.
In addition, Blaney explained, most state laws go through many variations and compromises by the time they go into effect, making it difficult for organizations to keep up with the nuanced requirements of each law.
“For healthcare organizations, the challenge can be determining how a state defines certain health information and related personal information and analyzing whether the new law requires changes to the healthcare organization’s privacy and cybersecurity practices,” Blaney said.
A federal bill would ideally ease the state-by-state complexity that comes along with each state having slightly different standards surrounding consumer data privacy. In the meantime, HIPAA-covered entities and non-HIPAA-covered entities that maintain health data to any extent must pay close attention to the nuances of various state and federal laws.
Compliance Tips For Covered Entities
“The key advice is to think what you are doing with patient information—with partnerships with technology vendors—if you were scrutinized by a regulator, would you be comfortable with what you're doing?,” Blaney said.
“Would you be able to support everything you are doing with that patient information from a regulatory perspective? As you are complying with HIPAA, are you also complying with potential state-level and FTC-level regulations, guidance, and recent enforcement actions, and will your practice be able to hold up to scrutiny against those regulators?”
Covered entities should hold themselves to high privacy and security standards, just as HIPAA does. With HIPAA compliance locked down, covered entities can continue to improve their security posture and safeguard patient privacy in compliance with state and federal-level laws.
Additional challenges will arise for companies that fall into a gray area in which they are not covered entities, but they retain sensitive health data. For example, third-party health apps will have to strictly adhere to privacy laws under the FTC’s watch.
Regardless of whether a federal bill gets signed into law, the increased attention toward data privacy and health data privacy in particular could lead to widespread changes in how data is safeguarded.
As support for data privacy laws on state and federal levels grows, organizations can expect to see an increased focus on consumer privacy, much like how HIPAA highlighted patient privacy when it was enacted in 1996.
“It is applying a lot of the same principles that are in HIPAA. You can see a lot of the same themes of transparency, notice of consent, breach notifications, and enforcement mechanisms,” Blaney noted.
“The conversations have already been happening on the industry level, but now we are hearing more about it on the national level.”