HIPAA Commission Formed
From Bill Cassidy website
WASHINGTON – U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) today introduced the Health Data Use and Privacy Commission Act to begin the process of modernizing our outdated health privacy laws and regulations. The presence of technology companies is increasing in health care, and health information is expanding beyond the reach of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is a law more than 25 years old that protects all interactions between patients and their doctors but does not protect health data recorded on emerging technologies (cell phones, smart watches, etc.), which puts this data at significant potential risk.
This legislation forms a health and privacy commission to research and give official recommendations to Congress on how to modernize the use of health data and privacy laws to ensure patient privacy and trust while balancing the need of doctors to have information at their fingertips to provide care.
“As a doctor, the potential of new technology to improve patient care seems limitless. But Americans must be able to trust that their personal health data is protected if this technology can meet its full potential,” said Dr. Cassidy. “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”
“Folks across Wisconsin and the country are rightfully concerned about the security of their personal information, especially individual health care data, and it is time to give Americans better protection over these records,” said Senator Baldwin. “I am excited to introduce the bipartisan Health Data Use and Privacy Commission Act to help inform how we can modernize health care privacy laws and regulations to give Americans peace of mind that their personal health information is safe, while ensuring that we have the tools we need to advance high-quality care.”
This legislation is supported by American College of Cardiology, Association for Behavioral Health and Wellness, Association of Clinical Research Organizations, athenahealth, Inc, Epic Systems Corporation, Executives for Health Innovation, Federation of American Hospitals, Health Innovation Alliance, IBM, National Multiple Sclerosis Society, Teladoc Health and United Spinal Association.
The Health Data Use and Privacy Commission Act would establish a commission to –
- Conduct a coordinated and comprehensive review and comparison of existing protections of personal health information at the state and federal level, as well as current practices for health data use by the health care, insurance, financial services, consumer electronics, advertising, and other industries;
- Provide recommendations to Congress on whether federal legislation is needed to modernize health data privacy, and if so, how to do it; and
- Be charged with submitting a report to Congress and the President six months after all members are appointed, and include 17 members to be appointed by the Comptroller General.
Specifically, the Commission is charged with drafting recommendations and conclusions on the following:
- The potential threats posed to individual health privacy and legitimate business and policy interests.
- The purposes for which sharing health information is appropriate and beneficial to consumers and the threat to health outcomes and costs if privacy rules are too stringent.
- The effectiveness of existing statutes, regulations, private sector self-regulatory efforts, technology advances, and market forces in protecting individual health privacy.
- Recommendations on whether federal legislation is necessary, and if so, specific suggestions on proposals to reform, streamline, harmonize, unify, or augment current laws and regulations relating to individual health privacy, including reforms or additions to existing law related to enforcement, preemption, consent, penalties for misuse, transparency, and notice of privacy practices.
- Analysis of whether additional regulations may impose costs or burdens, or cause unintended consequences in other policy areas, such as security, law enforcement, medical research, health care cost containment, improved patient outcomes, public health or critical infrastructure protection, and whether such costs or burdens are justified by the additional regulations or benefits to privacy, including whether such benefits may be achieved through less onerous means.
- The cost analysis of legislative or regulatory changes proposed in the report.
- Recommendations on non-legislative solutions to individual health privacy concerns, including education, market-based measures, industry best practices, and new technologies.
- Review of the effectiveness and utility of third-party statements of privacy principles and private sector self-regulatory efforts, as well as third-party certification or accreditation programs meant to ensure compliance with privacy requirements.
February 9, 2022
Senator Bill Cassidy
520 Hart Senate Office Building
Washington, DC 20510
Senator Tammy Baldwin
709 Hart Senate Office Building
Washington, D.C. 20510
Dear Senators Cassidy and Baldwin,
We write to thank you for your leadership in introducing the Health Data Use and Privacy Commission Act. The Commission established by this bill will make recommendations to Congress to help modernize health data use and privacy policies to ensure clear, consistent, and reliable patient protections while simultaneously ensuring health data gets where it needs to go to improve care and outcomes.
As the nation continues to adopt new and evolving technologies that surround everyday life and digitize nearly every interaction we have, personal privacy has never been a more important issue for policymakers. Congress is considering comprehensive privacy reform – and we support these efforts – but most of these conversations are focused on consumer technology and data.
Health data is either carved out of these proposals or included in a new category of “consumer health data” which could lead to many entities being subject to duplicative requirements. The Health Insurance Portability and Accountability Act (HIPAA) law that led to today’s HIPAA Privacy Rule was passed over 25 years ago, and while HIPAA is still functioning well, it does not address the growing concerns regarding third-party applications or other technologies accessing health data that fall outside of HIPAA’s reach. Providers, health plans, and other covered entities and their business associates covered by the Privacy Rule as well as the patients they serve need clarity and consistency in health data privacy and use rules.
Given the advancements Congress has made in improving the interoperability of health care information and systems, your efforts to ensure robust consideration of health care data and privacy through the Health Data Use and Privacy Commission will provide useful perspective to the ongoing privacy debate. Secure and private health information should not be the enemy of medical innovation, clinical process improvement, or public health response. Careful consideration of these issues by the commission will inform policy makers to achieve the necessary balance of data liquidity and confidentiality necessary for a highly functional and trusted health system.
According to the International Association of Privacy Professionals (IAPP), “state-level momentum for comprehensive privacy bills is at an all-time high.”1 The patchwork of proposals across all 50 states could lead to further complexity and compliance burdens. According to the Information Technology and Innovation Foundation, should all 50 states pass privacy legislation in the absence of a federal law, compliance costs “could exceed $1 trillion over 10 years, with at least $200 billion hitting small businesses.”2 All of this stresses the need for a federal law governing data privacy, and there are at least 24 proposals related to data privacy before the 117th Congress according to the IAPP.3
As Congress considers privacy reform, your privacy commission will add much needed recommendations specific to the future of health information privacy and use. This issue is far too important to the functioning of our health care system and the trust of patients to get wrong, and we appreciate your thoughtful legislation to help get these policies right. We look forward to working with you on passing the Health Data Use and Privacy Commission Act into law.
American College of Cardiology
Association for Behavioral Health and Wellness
Association of Clinical Research Organizations
Epic Systems Corporation
Executives for Health Innovation
Federation of American Hospitals
Health Innovation Alliance
National Multiple Sclerosis Society
United Spinal Association