A new bill, proposed by Bill Cassidy (R-LA), Chair of the Senate Health, Education, Labor and Pensions Committee (HELP), purports to apply the privacy and security practices under the HITECH Act to entities that process health information that is not protected health information (PHI), and to their service providers, in the same manner that they apply to covered entities and business associates.

Per Cassidy, “traditional provider-patient interactions are governed by the Health Insurance Portability and Accountability Act (HIPAA). However, HIPAA is failing to keep up with consumer health products that connect individuals to health tools outside of the doctor’s office.”

The bill would require a plain-language disclosure to the individual when an entity not subject to HIPAA accesses their data, telling them that their PHI will no longer be subject to HIPAA's protections and how the information may be disclosed, and would require the entity to obtain their consent before selling the data.

For entities that offer digital technologies that generate wellness data, the bill would require a similar notice regarding the loss of HIPAA protection and a right to opt out of such use of the data.

If passed, the bill would impose additional compliance obligations on health and wellness apps, even if they are not subject to HIPAA and even if they are too small to fall within the scope of the US state privacy laws.

What does this mean for you?

It might mean that you will now need to get written authorization from the individual before sharing their information. This will make sharing information in the context of marketing, and specifically online marketing, e.g. via cookies, much less feasible. Companies are grappling with similar difficulties under the Washington My Health My Data law and other new state laws that address health information.

It might mean that your breach notification duties will greatly expand, and that you would need to report a data breach involving data whose breach would normally not require notification.

It might also mean that you would need to raise the maturity of your information security protections, as the HIPAA Security Rule is much more prescriptive than the "reasonable security" standard in many of the state laws. This includes things like documentation, retention, training, logging, etc.

Depending on how you handle privacy notices, you may need to add notices for specific processing activities.

Text of bill: https://www.help.senate.gov/imo/media/doc/health_information_privacy_reform_act.pdf