A patient complained to their doctor that shortly after an annual checkup they started receiving ads on internet searches that seemed to target them for their specific health issue. After the doctor visit, the patient had also visited a physical therapist and a pharmacy.
The doctor was perplexed. She had not disclosed any information about the patient. She didn’t have a social media marketing partnership with Facebook, which can lead to disclosures of protected health information (PHI). The doctor, as a covered entity, followed HIPAA by the book. What had happened?
Most people don’t realize that health and location data is collected by their cell phones constantly. This data is extremely valuable and can be retrieved by data brokers and sold to anyone. Marketing agencies, and large retailers are typical customers that buy the data, because it provides a shortcut to reaching people who may have an interest in their products or services. The data brokers may not even be cyber criminals because they might have obtained the data by lawful means.
Health and Location Data Protection Act
A new proposed law will make this much more difficult for data brokers, and should provide more privacy protection to consumers, including patients in the healthcare system. The Health and Location Data Protection Act was introduced in the U.S. Senate by Sen. Elizabeth Warren. The legislation is cosponsored by Senators Ron Wyden (D-Ore.), Chair of the Senate Finance Committee; Patty Murray (D-Wash.), Chair of the Senate Health, Education, Labor and Pensions Committee; Sheldon Whitehouse (D-R.I.); and Bernie Sanders (I-Vt.), Chair of the Senate Budget Committee.
The proposed law would ban data brokers from selling Americans’ health and location information. The proposal would require the U.S. Federal Trade Commission (FTC) to create rules implementing the law within 180 days and “ensure robust enforcement of the bill’s provisions.” The FTC would receive $1 billion in funding over the next 10 years to support its efforts.
Privacy laws in the United States are a patchwork of varied levels of protection, often specifically aimed at a particular type of industry at the state and federal level. By contrast, in Europe the General Data Protection Regulation (GDPR) is one of the strongest laws on privacy protection in the world. It became effective in May, 2018 and actually applies to organizations located anywhere, if they target or collect data related to people in the EU. Today, most organizations worldwide with an internet presence are aware of and comply with GDPR, since visitors to their websites may originate in Europe.
American Data Privacy and Protection Act
Another proposed federal law closer to passage is the American Data Privacy and Protection Act (ADPPA). This law has bipartisan support in both the Senate and the House and has been under discussion for several years. Some believe it finally now has a chance of passing.
In part modeled after the GDPR, the law would provide some uniformity across the country by preempting state privacy laws, although as currently written, there are numerous exceptions to the preemption provision. In general the proposed law provides greater protections to consumers including, potentially, a private right of action – that is, giving individuals the ability to sue an organization that violates the law causing them harm. By contrast, HIPAA does not include a private right of action, leaving enforcement to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).
There’s no guarantee the law will finally pass in its current form, as discussions continue. Lawmakers have not completely agreed on the preemption provision or the private right of action.
The two proposed privacy bills are a long way from becoming law. Even if the laws are passed by Congress, the enforcing agency – in this case, the FTC – will require time to write regulations detailing the how the laws will be enforced.
For healthcare the primary governing privacy law will continue to be HIPAA even if a new federal privacy law like the ADPPA is passed. There will likely be changes to HIPAA later this year or in 2023, so it’s important to stay aware of those changes. Even when amendments to the HIPAA Privacy Rule become effective, it is likely that OCR will give covered entities and business associates time to adjust.
If you have The HIPAA E-Tool® you never need to worry about modifying your policies to stay compliant with changes in the law, because we do it for you. Our team monitors the law, OCR interpretations and enforcement trends and updates your policies as soon as changes occur.