
What the American Data Privacy and Protection Act Could Mean For Health Data Privacy

If passed, the American Data Privacy and Protection Act (ADPPA) could have significant implications for health data privacy outside of HIPAA.

After years of fruitless attempts to enact nationwide data privacy legislation, the American Data Privacy and Protection Act (ADPPA) has instilled a new sense of optimism into many privacy professionals who have been championing this type of sweeping legislation for many years.

In July, the House Committee on Energy and Commerce advanced the ADPPA to the full House of Representatives with a 53-2 vote. While not without its flaws and challenges, the ADPPA as it stands now is the closest legislators have gotten to reaching a compromise on key privacy issues.

If passed, the ADPPA could have significant implications for the breadth of health data that exists outside of HIPAA’s purview.

“HIPAA was never intended to be a privacy rule that covered all health data,” Deven McGraw, lead of data stewardship and sharing at Invitae, told HealthITSecurity.

McGraw, who previously served as the deputy director for health information privacy at the HHS Office for Civil Rights (OCR), said she has long supported the idea of nationwide privacy legislation.

“The fact that we have this quite comprehensive piece of federal legislation that would cover personal data and extend additional protection to sensitive data is quite exciting,” McGraw continued. “Even if it doesn't pass this year, it sets a watermark for where we need to be with legislation.”

ADPPA Basics

Taking notes from the EU’s General Data Protection Regulation (GDPR), the ADPPA would establish a national framework to protect consumer data privacy.

“I think people are growing tired of seeing headline after headline about the way that their data is used in ways that they didn't ask for, that they don't recall consenting to, that they don't support, and it feels very intrusive into their daily lives,” McGraw noted.

If passed, the bill’s provisions would ideally alleviate some of these concerns by giving consumers protections against the discriminatory use of their data, requiring entities to disclose the types of data they collect and how they use it, and requiring entities to adopt reasonable data security practices to safeguard data.

Additionally, the ADPPA contains third-party collecting entity considerations, additional protections for individuals under age 17, and would mandate that companies minimize the amount of data they need to collect to deliver products and services.

The ADPPA would also create a delayed private right of action, to go into effect two years after the law’s enactment, which would allow consumers to sue entities that commit privacy violations.

In addition, the bill would preempt many state-level privacy laws, such as the extremely comprehensive California Consumer Privacy Act (CCPA).

California Governor Gavin Newsom has publicly noted his concerns surrounding the preemption provision. In a letter to the House Committee on Energy and Commerce chairman Frank Pallone, Newsom reasoned that, unless amended, “the ADPPA would undermine California’s comprehensive consumer privacy protections.”

Speaker of the House Nancy Pelosi also voiced concerns to the Energy and Commerce Committee surrounding the preemption of the CCPA. Pelosi said that she “will continue to work with Chairman Pallone to address California’s concerns.”

From McGraw’s point of view, the CCPA is not necessarily always stronger than the ADPPA, and consumers may still be left with questions if there are inconsistencies in how data is handled across the country.

“It’s a matter of whether taking a large step forward for the data of the entire country is better than the patchwork that we currently have,” McGraw suggested.

“I happen to think the answer is yes, but I know there are others who disagree.”

Implications For Health Data

The ADPPA covers a variety of sensitive data types, including geolocation data, log-in credentials, private communications, and, for the purposes of health data, “any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatment of an individual.”

However, it is important to note that the ADPPA would not apply to health data already covered by section 264(c) of HIPAA, nor would it apply to data already covered by the Health Information Technology for Economic and Clinical Health Act (HITECH).

While the ADPPA would not pertain to health data held by HIPAA-covered entities, it would apply to health data in the hands of non-HIPAA-covered entities — a list that grows larger every day as more tech companies and app developers break into the healthcare space.

Consumers and lawmakers have taken note of the growing body of health data that exists in this regulatory gray area.

A recent research letter published in JAMA Internal Medicine discovered third-party tracking tools on 99 percent of abortion clinic websites. Additionally, three-quarters of patients surveyed by the American Medical Association (AMA) expressed significant health data privacy concerns and confusion about how their health information is handled.

More than 90 percent of surveyed patients reported believing that privacy is a right and that their health data should not be available for purchase. But only 20 percent of patients indicated that they understood which individuals and companies had access to their health data, and how they were using that data.

The ADPPA could provide significant safeguards for data in this space, ideally clearing up confusion and establishing standards for health data privacy outside of HIPAA.

Additionally, the ADPPA would be enforced by the Federal Trade Commission (FTC), which has already expressed significant interest in cracking down on companies that use health data improperly.

What to Watch For as a HIPAA-Covered Entity

It is also crucial to note that HIPAA-covered entities would only be considered compliant with the ADPPA with respect to data regulated by HIPAA, just as financial entities compliant with the Gramm-Leach-Bliley Act would only be considered compliant with the ADPPA in relation to Gramm-Leach-Bliley Act-covered data.

HIPAA-covered entities would still be required to comply with the ADPPA when it comes to protecting other types of data.

In addition, there are some concerns surrounding de-identified data and how HIPAA’s de-identification standards may conflict with the ADPPA’s standards. This could create barriers for medical research, which relies heavily on health data that has been de-identified by HIPAA’s standards, McGraw said.

A similar dilemma arose with the CCPA, leading lawmakers to amend the law. The amended law stated that if HIPAA-covered entities followed HIPAA’s strict de-identification standards, the data would be exempt from the CCPA’s scope. As of now, the ADPPA does not contain similar exemptions for de-identified data under HIPAA.

Regardless of whether a federal bill gets signed into law, the increased attention toward data privacy could lead to widespread changes in how all consumer data is safeguarded, including health data.

Covered entities should continue to hold themselves to high security and privacy standards, and companies that maintain sensitive health data outside of HIPAA should begin to evaluate their privacy practices against the ADPPA’s proposed requirements.

“If you had asked me six months ago whether Congress would pass privacy legislation this year, I would have said no,” McGraw reasoned.

Although passage is still uncertain, McGraw said that she remains optimistic for the future.
