Last week, Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) introduced the Protecting Personal Health Data Act (S. 1842), which would provide new privacy and security rules from the Department of Health and Human Services (“HHS”) for technologies that collect personal health data, such as wearable fitness trackers, social-media sites focused on health data or conditions, and direct-to-consumer genetic testing services, among other technologies. Specifically, the legislation would direct the HHS Secretary to issue regulations relating to the privacy and security of health-related consumer devices, services, applications, and software. These new regulations will also cover a new category of personal health data that is otherwise not protected health information under HIPAA.
The Protecting Personal Health Data Act is particularly notable for three reasons. First, this bill would incorporate consumer rights concepts from the EU General Data Protection Regulation (“GDPR”), such as an individual’s right to delete and amend her health data, as well as a right to access a copy of personal health data, at the U.S. federal level. Second, the bill does not contemplate situations where entities are required to retain personal health data under other regulations (though the bill includes an exception for entities covered under the Health Insurance Portability and Accountability Act). Third, the bill requires that HHS establish a national health task force to provide reports to Congress; at the same time, the bill specifies that any other federal agency guidance or published resources to help protect personal health data must be consistent with the HHS Secretary’s rules under this bill, to the degree practicable. This may reflect an expansion of HHS’s authority to set rules and standards for health data previously regulated by other federal agencies (such as the Federal Trade Commission (“FTC”)).
The bill would require HHS, in consultation with the FTC and other relevant stakeholders, to promulgate regulations that “strengthen privacy and security protections for consumers’ personal health data” collected, processed, analyzed, or used by health-related consumer devices, services, applications, and software.
The HHS regulations must address:
- differences in the nature and sensitivity of data collected or stored by different devices, applications, services, and software;
- the “appropriate uniform standards for consent” for handling of genetic, biometric, and personal health data as well as appropriate exceptions;
- minimum security standards;
- the appropriate standard for de-identification of personal health data; and
- limits on collection, use, and disclosure of data to those “directly relevant and necessary to accomplish a specific purpose.”
In addition, the bill would require the new HHS regulations to provide individuals with the right to delete and amend their personal health data, to the extent practicable. It also directs HHS to consider developing standards for obtaining user consent to data sharing.
The Act would also create a National Task Force on Health Data Protection to study health data. The Task Force would be required to:
- evaluate the long-term effectiveness of de-identification techniques for genetic and biometric data;
- evaluate the development of security standards, including encryption standards and transfer protocols;
- offer input on the cybersecurity and privacy risks of devices;
- provide advice for the dissemination of resources to educate consumers about genetics and direct-to-consumer genetic testing; and
- submit a report to Congress no later than one year after the bill’s enactment.
A companion bill has not yet been introduced in the House of Representatives. California is also considering a bill that would expand California’s health privacy law to include any information in possession of or derived from a digital health feedback system, which is broadly defined to include sensors, devices, and internet platforms connected to those sensors or devices that receive information about an individual.