HIPAA (the Health Insurance Portability and Accountability Act) has been the standard for healthcare data privacy for over two decades. Despite being amended several times since its signing in 1996 (Privacy Rule and Security Rule, 2003; HITECH Act, 2009; HIPAA Omnibus Final Rule, 2013), the law struggles to keep up with today’s fast-moving technological and societal landscape.
HIPAA regulates “covered entities”, which are defined as health plans, healthcare clearinghouses, and healthcare providers. It protects patient data when it is collected or used by those organizations.
The strict definitions of covered entities leave HIPAA open to interpretation when healthcare datasets are created or managed by parties that fall outside the definition, namely the patient or other business entities that were not contemplated when the law was written.
Two such examples are personalized wearable tech and direct-to-consumer genetic testing companies. Neither falls neatly into the scope or definition of HIPAA’s covered entities, and as a result the applicability (and enforcement) of the law can be up for interpretation.
Given the accelerating rate that we are seeing new ways to capture, aggregate, and utilize personalized health data, we are reaching a tipping point that will likely require significant updates to healthcare data privacy through new legislation.
What’s Happened Recently in Data Privacy
Recent legislation has given hope to privacy advocates but has often fallen short of comprehensive data privacy reform.
Outside healthcare there have been more significant advances. Standards for data privacy have begun to shift from regulating who holds the data to protecting the data itself. Two of the most significant recent updates to personal data protection, the European General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) follow this blueprint.
In June 2019, the Protecting Personal Health Data Act, a bipartisan bill, was introduced in the Senate. The basis of the act was an attempt to address gaps in HIPAA created by technology and ideas that did not exist when the law was first introduced.
Yet the act doesn’t fully address one significant concern in healthcare data privacy – companies are collecting and monetizing personal health information (PHI) through commercial activities like targeted advertising without consumers’ consent.
More recently, the COVID-19 Consumer Data Protection Act was introduced in the Senate in response to contact tracing and data collection practices implemented by companies in response to the global pandemic. The bill requires companies to allow consumers to opt in or out of having their data collected to trace the spread of coronavirus.
Like GDPR, it gives consumers the right to consent to how their data will be used and with whom it could be shared. Each of the regulations mentioned above shares the goal of returning control of personal data to the consumer and protecting the most sensitive personal information, but we haven’t quite reached that aspiration in healthcare.
How to Prepare for the Next Wave of Legislation
While technology continues to change and public pressure mounts, how can companies move beyond a point-in-time approach to data privacy and build one with staying power? The best companies take a principles-based approach, designing their data policy to adhere to the most likely future legislative outcomes.
For example, it’s highly likely that the next major piece of healthcare data privacy legislation will include a major expansion of covered entities. Companies will no longer be explicitly defined by the role they play in the healthcare system; instead, regulation will likely focus on protecting sensitive data regardless of who holds it or how it was collected (similar to GDPR and CCPA).
Companies that gather personal health information, including companies that aren’t typically defined as healthcare companies, like Google and Facebook, will be responsible for demonstrating that adequate data protection measures are in place to prevent the misuse of stored data.
In addition, it is likely that a bill of rights will be established for consumers that increases transparency and prioritizes informed consent. The key rights might include:
- Consent – Consumers must actively consent to have their data collected, stored, or distributed and can object to how their data is used
- Documentation – Companies must be able to provide detailed information around what data they collect, how they collected it, how it’s stored, and its purpose
- Transparency – Consumers can request companies to provide access to and visibility of the data that has been collected about them over time
- Data Management – Consumers have the right to request that their personal data is corrected or deleted
Given the significance of these changes compared to the status quo, it’s likely that many companies will struggle to become compliant. The price of noncompliance with new privacy laws can be great, as seen with GDPR’s fine framework, where companies can be charged up to 20 million euros or 4% of total global revenue, whichever is higher.
So, what can companies do today to prepare for the next wave of healthcare data privacy legislation?
- Conduct an organization-wide audit to understand exactly where PHI datasets live in your organization;
- Organize findings into first-party, second-party, and third-party datasets, identifying the sources of each dataset and what constituted consent for collection of that data;
- Identify responsible parties for collection of the data and management of it at the various stages of its lifecycle within the organization;
- Design a holistic process that can support identification and deletion of data for requesting individuals across systems;
- Consider utilizing third-party audits or accreditation to review policies, procedures, controls, and business practices as they relate to data privacy.
Contributions by Kevin Merchak and Alex Schneider.