Although the September 28th deadline has passed to submit feedback to the Senate Health, Education, Labor, and Pensions (HELP) Committee’s Ranking Member’s request, both the “ask” and the stakeholder feedback are worth considering. The “ask” by Sen. Cassidy, M.D. was for information “on ways to improve the privacy protections of health data to safeguard sensitive information while balancing the need to support medical research. Currently, health data that is collected from new technologies such as wearable and smart devices, and health and wellness apps is not protected under the Health Insurance Portability and Accountability Act (HIPAA).” What follows are different categories ranging from “[w]hat is health data” to data collection to artificial intelligence, among other relevant items.
The first question, “[w]hat is health data,” is interesting, as is the follow-up: do laws other than HIPAA apply? Upon reading these questions, the following thoughts popped into my head:
My perspective on the first two items is that a uniform definition of “health data” needs to be adopted. Health data is covered by HIPAA when it relates to patients and the electronic transmission between a covered entity and a business associate. Health data is also covered by the Federal Trade Commission Act when it relates to consumers. All patients are consumers, but not all consumers are necessarily patients. Hence the FTC enforcement actions expressly relate to consumers’ health data and to utilizing that data without the individual’s knowledge or consent for downstream remunerative purposes. I respectfully disagree with some stakeholders that IP addresses do not fall under HIPAA or the Federal Trade Commission Act. To the contrary, CFR §164.514(a) identifies the 18 individually identifying factors; biometrics and IP addresses are expressly stated. Depending on the type of information that is being extracted from websites via pixels, it can put the pieces of the puzzle together and fit into the definition of PHI. And the FTC’s enforcement actions against GoodRx and BetterHelp, Inc. (and other entities) expressly related to IP addresses and the flow of health data to third parties utilizing pixels. Hence, two prongs are prudent: (1) a Business Associate Agreement or other similar agreement between the business entities that includes both the FTC and HIPAA requirements; and (2) obtaining patient and/or consumer consent, which is a separate obligation.
Additionally, what was overlooked was the marketing and sale of PHI, which is set forth in the HIPAA Omnibus Rule (78 Fed. Reg. 5566 (Jan. 25, 2013)). “With limited exceptions, the Rule requires an individual's written authorization before a use or disclosure of his or her protected health information can be made for marketing.” The Authorization for a Sale must specifically state that the Sale will result in remuneration.
Adhering to these requirements is crucial, as the sale of PHI may serve as the basis of a False Claims Act (FCA) case. In United States v. America at Home Healthcare and Nursing Services, Ltd., 2018 U.S. Dist. LEXIS 2592 (N.D. Ill. Jan. 8, 2018) (hereinafter "America at Home"), the Honorable Robert John Blakely analogized violations of 42 U.S.C. § 1302d-6(a) to violations under the Anti-Kickback Statute in relation to the submission of false claims.
The Centers for Disease Control (CDC) discusses how “data” comes to public health, but there is no definition of “health data.” In fact, the HIPAA Privacy Rule exception for “[u]ses and disclosures for public health activities” (45 CFR §164.512(b)) uses the term “protected health information” when describing situations where a “public health authority,” such as the CDC, may collect or receive information on, among other items, communicable diseases.
I do think there is plenty of room for joint enforcement jurisdiction between HHS-OCR and the FTC. This requires a change in the Electronic Data Interchange (EDI) because it has been argued that only entities submitting electronic claims to a government program or a private insurance company are required to comply with HIPAA. If it is a cash transaction, the position is that HIPAA does not apply. As stated on the CMS website,
The information in this section is intended for the use of health care providers, clearinghouses and billing services that submit transactions to or receive transactions from Medicare fee-for-service contractors. EDI is the automated transfer of data in a specific format following specific data content rules between a health care provider and Medicare, or between Medicare and another health care plan. In some cases, that transfer may take place with the assistance of a clearinghouse or billing service that represents a provider of health care or another payer. EDI transactions are transferred via computer either to or from Medicare. Through use of EDI, both Medicare and health care providers can process transactions faster and at a lower cost.
State laws, including Texas H.B. 300, which has a broader reach over the persons that are covered, would absolutely need to be considered. A solution would be to change the scope and the definition of EHI, which references ePHI and PHI, to cast a broader net for HHS-OCR enforcement and joint enforcement with the FTC.
In sum, my “two cents” is that HIPAA should not be completely overhauled to accommodate new technologies and state law privacy considerations, because the framework is in place. I agree with some stakeholders that a complete overhaul would be burdensome on hospitals, as well as other covered entities and business associates. I also contend that HIPAA’s scope could be broader and that coordination between a multitude of government agencies is required.
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.