A new bill introduced in the Senate Health, Education, Labor, and Pensions (HELP) Committee would impose federal regulatory obligations on health technology businesses that collect sensitive health information from their service users and customers.
The Protecting Personal Health Data Act, S.1842, introduced by Senators Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska), seeks to close a growing divide between data covered by the Health Insurance Portability and Accountability Act (HIPAA) and non-covered, sensitive personal health data.
More specifically, the bill would regulate consumer devices, services, applications, and software marketed to consumers that collect or use personal health data. This would include genetic testing services, fitness trackers, and social media sites where consumers share health conditions and experiences. Often, these technologies and services are run independent from traditional, HIPAA healthcare operations involving hospitals, healthcare providers, and insurance companies.
The bill directs the U.S. Department of Health and Human Services (HHS) to promulgate rules that would strengthen the privacy and security of such personal health data. The bill contemplates that the new rule would:
- Set appropriate uniform standards for consent related to handling of genetic data, biometric data, and personal health data;
- Include exceptions for law enforcement, research, determining paternity, or emergency medical treatment;
- Set minimum security standards appropriate to the sensitivity of personal health data;
- Set limits on the use of the personal health data;
- Provide consumers with greater control over use of personal health data for marketing purposes; and
- Create rights to data portability, access, deletion, and opt-outs.
Inevitably, the success or failure of the legislation will be tied to federal baseline privacy legislation already pending in Congress. Those efforts are ongoing, but have lost momentum in recent months as focus turns to California’s new privacy law taking effect on January 1, 2020.