Healthcare Information Security

Patient Privacy News

Congress Weighs National Data Privacy Law to Reduce Data Risk

During a House committee meeting on data privacy, advocates shared the risks to consumer data caused by companies that track and use data, often without explicit consent.

By Jessica Davis

Lawmakers are considering a unified, national data privacy law to replace the patchwork of state laws and better protect consumers’ privacy rights. However, they couldn’t agree on just how to accomplish it during the first House Consumer Protection and Commerce Subcommittee meeting of 2019.

The committee chairwoman, Rep. Jan Schakowsky, D-Illinois, said her hope is to develop bipartisan, sensible legislation to protect consumers while promoting competitive markets and restoring faith in government.

“Without a comprehensive federal privacy law, the burden has fallen completely on consumers to protect themselves and this has to end,” Schakowsky said.

The crux of the privacy issue lies in how consumer data, including health information, is tracked and used. Brandi Collins-Dexter, Senior Campaign Director of the Color of Change, an online civil rights organization, testified that sensitive consumer data, including changes in consumers’ daily habits, are tracked and sold to third-party data mining companies.

Using analytics partners, internet service providers can track when someone is online, the sites they visit, and where they’re located, Collins-Dexter told the committee.

“Visits to a doctor’s website or to a prescription refill page could allow the ISP, platform or a data broker partner to infer someone in the household has a specific medical condition,” said Collins-Dexter. “[That data] could be sold without consent to pharmaceutical and healthcare companies or even potential employers without the consent or authorization of the user.”

“If we fail in the mission to ensure our rights online are protected, we stand to render many of our offline rights meaningless,” she added.

Nuala O’Connor, Center for Democracy & Technology CEO and President, echoed those thoughts, charging that this “ubiquitous” data sharing practice has created its own secondary market for the sensitive data of consumers – including their health data and location.

As a result, those data brokers have built secretive and detailed profiles of consumers that can be used to exploit – or even worse – discriminate against consumers based on race, religion, age, and other categories, O’Connor explained.

Adding to the problem is the regulatory environment, which leaves consumer data relatively unprotected, including medical conditions based on a consumer’s purchase history, she added.

“Inferences are drawn [from that data]. We’re labeled a Democrat or Republican, white or Latino, gay or straight, a pregnant teen, a grieving parent, a cancer survivor, and much more. This is all done without our knowledge,” said Rep. Frank Pallone, D-New Jersey. “Then our personal information and related inferences are being shared and sold many times over.”

What’s more, Pallone suggested that health insurers could then charge consumers higher rates for policies based on their food purchases or data pulled from fitness trackers.

“These are simply unacceptable uses of people’s data. Yet, for the most part, in the US, no rules apply to how companies collect and use our information,” Pallone added. “Many companies draft privacy policies that provide few protections and are often unread.”

While the majority of those testifying agreed that something needs to be done about these issues, there wasn’t a unified view on just how to approach them. Many agreed, however, that a national data privacy law would be ideal, rather than the current patchwork of state laws.

For Roslyn Layton, a visiting scholar from the American Enterprise Institute, the biggest concern is that Congress will draft a law that mirrors the EU’s General Data Protection Regulation.

Small and medium European businesses are struggling due to GDPR, although the legislation has helped major companies like Facebook, Amazon, and Google to increase their market share, Layton explained. Instead, the US should “ultimately leapfrog Europe with a better framework based upon privacy enhancing technologies, a strong federal standard, and consumer education.”

“There are many policy areas where it makes sense for states to innovate. However, the internet does not stop at the state line and neither should innovative privacy and security solutions,” said Rep. Greg Walden, R-Oregon. “Your privacy and security should not change depending on where you live in the United States. One state should not set the standards for the rest of the country.”

It remains to be seen how or if Congress will be able to create a unified federal data privacy policy, but most agreed it was a sound start. The Senate will hold its own privacy hearing on Wednesday, February 27.

“We’ve been talking about it for years, and nothing has been done to address the problem,” Pallone said. “This hearing is the beginning of a long overdue conversation.”

