On February 21, 2024, Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, issued a white paper, “Strengthening Health Data Privacy for Americans: Addressing the Challenges of the Modern Era,” which proposes several updates to the privacy protections for health data. This follows Senator Cassidy’s September 2023 request for information from stakeholders about how to enhance health data privacy protections covered by the Health Insurance Portability and Accountability Act (“HIPAA”) framework and to consider privacy protections for other sources of health data not currently covered by HIPAA. The white paper notes that several entities, including trade associations, hospitals, health technology companies, and think tanks, responded to the RFI.
The white paper describes the importance of health information, including the potential for such data to be used “to increase access to care, support research for new diagnostics and treatments, improve care quality and outcomes, and lower care costs.” At the same time, Senator Cassidy notes that health data faces a higher risk of misuse than other types of data, which he believes necessitates changes to existing health privacy protections.
In short, Senator Cassidy calls on Congress to consider specific updates to the HIPAA framework, including with respect to the use of de-identified data for research, and to examine specific areas where he believes that the Department of Health and Human Services (“HHS”) Office for Civil Rights’ (“OCR”) guidance interpreting HIPAA has been insufficient. He also calls on Congress to pass a comprehensive data privacy law, noting that 13 states and 137 countries have passed data privacy frameworks, and to consider federal minimum standards for health data that is not regulated by HIPAA. Further, Senator Cassidy calls for Congress to take steps to bring existing health privacy frameworks more in line with consumer expectations, including as it relates to the use of genetic data for research, focusing largely on direct-to-consumer companies.
Senator Cassidy’s white paper organizes the proposals into the following categories: (1) Updates to the Current HIPAA Framework, (2) Health Data in the HIPAA “Gray Area,” and (3) Data Outside of HIPAA. This is the first of a two-part series on Senator Cassidy’s white paper. Below, we discuss the updates to the existing HIPAA framework proposed in Senator Cassidy’s white paper. The other two categories will be discussed in a forthcoming Part 2.
Updates to HIPAA Framework
Senator Cassidy’s white paper suggests that he believes major revisions to HIPAA could cause disruption in the broader health care industry, including upsetting decades of case law and disrupting patient care. Specifically, Senator Cassidy states that HIPAA has functioned as a “robust privacy framework for over 30 years,” noting that covered entities have been able to strike a good balance between protecting patient privacy and sharing patient information in certain appropriate circumstances. The white paper instead recommends “discrete updates and clarifications,” particularly due to the advent of new health technology and AI not contemplated by the existing framework. These proposals include:
- Align Treatment of All Health Data. The white paper calls for a “full alignment of all health data within HIPAA.” For example, it discusses certain reforms made as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020 that instruct HHS to increase harmonization between the regulations governing Part 2 records (related to substance use disorder medical history) with HIPAA to reduce the regulatory burden for entities that must comply with both frameworks. Senator Cassidy encourages Congress to continue in these alignment efforts. The white paper cautions against treating certain health data differently, pointing to the proposed updates to the HIPAA Privacy Rule to specifically limit certain sharing of reproductive health information for law enforcement purposes. The white paper states that treating certain health data differently could lead to “uncertainty and confusion” as well as “inappropriate withholding” of health information from providers that need it.
- Patient Ownership of Health Data. The white paper calls on Congress to clarify “how patient information can and cannot be used for research.” While Senator Cassidy notes that data de-identified in accordance with HIPAA has been used for research purposes for over 20 years, which has helped create AI tools that can improve care and reduce disparities, the white paper specifically discusses the risk of re-identification stemming from AI tools and concerns over patient ownership and autonomy over the use of their health data. Senator Cassidy encourages Congress to “examine whether existing exemptions permitting de-identified data to be used for research should consider a patient’s ability to opt-in or opt-out of participation” and further calls for the examination of the risk of re-identification “to ensure that patient information for research can never be personally identified without express consent.” Senator Cassidy also calls for Congress to consider whether patients should have the right to be compensated for sharing their identifiable data, similar to how patients may be compensated for participation in clinical trials.
- Other Proposals. The white paper also calls on Congress to direct HHS OCR to clarify how the “minimum necessary” standard within HIPAA aligns with other regulatory requirements (e.g., the 21st Century Cures Act). Additionally, the white paper calls on Congress to define certain aspects of HIPAA’s right of access more clearly, especially certain aspects of the third-party directive as it relates to fees that are charged in response to these requests.