Bipartisan legislation introduced to ban selling health and location data

Physicians Practice, Physicians Practice 2022 Newsletter

The new legislation would tighten the use of patients' health and location information.

The HIPAA Privacy Rule, certain standards of which the U.S. Department of Health and Human Services (HHS) modified on August 14, 2002, established parameters for certain types of marketing and the sale of protected health information (PHI). Found at 45 CFR §§ 164.501, 164.508(a)(3), the HIPAA Privacy Rule provides individuals with certain privacy rights and important controls over how their PHI is used and disclosed. As HHS states on its website, “[w]ith limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. So as not to interfere with core health care functions, the Rule distinguishes marketing communications from those communications about goods and services that are essential for quality health care.” There are different applications of “marketing.” The one that constitutes the disclosure of PHI “in exchange for direct or indirect remuneration, for the other entity or its affiliate” requires the express written consent of the individual patient, which must be prominently placed on the HIPAA Authorization Form and give the patient (or the patient’s legal representative) the option of “opting out” of the sale at any time. Depending on the nature of the relationship between the covered entity, business associate, and/or subcontractor, it also requires a business associate agreement (BAA).

In 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with Filefax, Inc., a company that once provided storage and disposal services for medical records, for allowing an unauthorized person to remove PHI, leave it unsecured outside the facility, and attempt to sell the PHI without the patient’s express written authorization. The takeaway: it’s not legal.

Fast forward to June 2022: in light of Roe v. Wade being overturned, privacy rights that have been protected under the 14th Amendment of the U.S. Constitution under an individual’s “zone of privacy” are at risk. A bipartisan group of Senators introduced the Health and Location Data Protection Act, which, if passed, may mitigate the effects of Roe v. Wade being overturned and would fill a significant gap in U.S. privacy law. The data broker industry is a $200 billion a year industry. Three of the key features of the bill are as follows:

Ban data brokers from selling or transferring location data and health data. The bill forbids data brokers from selling or transferring location data and health data and requires the Federal Trade Commission to promulgate rules to implement the law within 180 days, while making exceptions for HIPAA-compliant activities, protected First Amendment speech, and validly authorized disclosures.

Ensure robust enforcement of the bill’s protections. The bill empowers the Federal Trade Commission, state attorneys general, and injured persons to sue to enforce the provisions of the law, allowing for remedies such as damages and injunctions to stop any illegal practices.

Provide funding to the Federal Trade Commission to act. The bill provides $1 billion to the Federal Trade Commission over the next decade to carry out its work, including the enforcement of this law.

In the meantime, HIPAA’s Privacy Rule coupled with the 14th Amendment’s “zone of privacy” may be a solution. Individual states have also begun to follow California’s lead and pass legislation similar to the California Privacy Protection Act (CCPA). Regardless of an individual’s stance on abortion, all Americans should take issue with companies, whether medical device companies, big tech companies, or data brokers (among others), selling or disclosing information without the express written consent of the person in a manner that does not constitute a contract of adhesion. Rare situations, such as a grand jury subpoena, exist for the government to directly request such information without violating a person’s individual Constitutional rights, which is why both substantive and procedural due process exist. It is critical that patients are aware of their rights and that companies are aware of what’s legal and have adequate compliance programs in place.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.