Senate Brings Bipartisan Attempt to Update Health Privacy Regulations

Patrick Chomczyk

Associate Editor

Loyola University Chicago School of Law, JD 2023

On February 9, a group of senators led by Tammy Baldwin of Wisconsin and Bill Cassidy of Louisiana introduced a new bill, the Health Data Use and Privacy Commission Act (the “Act”), in an attempt to revitalize current legislation regarding the protection and use of health data. The bill also has the support of a number of representatives from within the healthcare industry, including Epic, IBM, and Teladoc Health, as well as a number of professional associations like the American College of Cardiology, the Association for Behavioral Health and Wellness, and the Association of Clinical Research Organizations.

Why does health privacy law need revitalization?

The largest and most comprehensive regulation in the United States that guides privacy of health data is the Health Insurance Portability and Accountability Act (HIPAA), which was passed in 1996. Apart from HIPAA, there is no overarching guidance in the United States regarding the required security in using health data, and states each apply their own regulations, ranging from none at all to standards comparable to the European Union’s stringent standards, as seen in California. Since the implementation of HIPAA, technology has grown by leaps and bounds with the introduction of wearable health devices and smartphone apps, all the while leaving questions and concerns unforeseen and unaddressed by current legislation. In an attempt to triage the current lack of guidance regarding how this new technology should treat health data, the Federal Trade Commission issued a statement in September of 2021 informing companies operating these technologies that they must inform users of any data breach within days, or face heavy fines.

HIPAA largely took aim at patient-doctor interactions and does little to protect information on many of these new platforms that the public routinely uses to record their health data. In addition to looking to update the protections in place for the many platforms carrying sensitive health data, the Act also calls for the establishment of a commission that would carry out and review the current protections of health information at both the state and federal level, and then ultimately provide recommendations to both Congress and the President regarding what changes should be made to current health data privacy legislation.

What issues are addressed by this new legislation?

The Act looks to begin an analysis of the current status of health data regulation in the United States before ultimately providing any guidance or direction as to what new legislation should look like. Part of the responsibilities passed along to the commission involves inquiries into a number of questions such as: what the potential threats are to individual privacy; the effectiveness of existing health privacy statutes; and a cost analysis of legislative or regulatory changes. In taking the first step to gather an understanding of health privacy law collectively in the United States, healthcare providers and those gathering health data for limited purposes both stand to receive a clearer standard to abide by. Particularly in the area of scholarship, where massive amounts of health data are often required to obtain the sample size needed for reliable results, uncertainty has arisen regarding how data can be used when using machine learning to try and analyze data and establish models.

These relevant issues have recently been addressed elsewhere in the world, as seen with the European Union’s passing of the EU General Data Protection Regulation (GDPR) in 2018. This effort by legislators will provide the first step in the United States to adapt its standards to keep pace with the ever-changing technological landscape. As the Department of Health and Human Services has begun to bring often multi-million-dollar fines against those organizations that violate HIPAA, the new rules are likely to not only provide a clearer picture of how to handle customer data but also open the door to more widespread sharing of health data as needed for any number of purposes.

What comes next?

The bill has only been introduced and will face many obstacles and revisions before facing any chance of passing. At this point, the Act has been referred to the U.S. Senate Committee on Health, Education, Labor and Pensions for further evaluation. While there is no doubt uncertainty as to whether the bill will be passed or whether it will look anything like its current implementation should that day come, the cogs have started to turn in an effort to modernize health data privacy and protect consumers.