- The Information Technology and Innovation Fund is recommending a repeal of privacy regulations across the U.S., including HIPAA, to replace the patchwork of federal laws with a unified approach.
Among its recommendations, ITIF is calling for data protection rules based on the type of data and the entity collecting it, that enables consumers to make more informed decisions around their data, establishes clear consumer rights, and addresses concrete consumer harms – rather than hypothetical ones.
Further, Congress should minimize compliance costs, while improving enforcement and promoting international interoperability.
“The U.S. should not stand by while other countries adopt privacy rules that affect U.S. competitiveness,” ITIF said. “To push back on badly designed frameworks and ensure international interoperability, U.S. privacy legislation should direct the executive branch to vocally and forcefully advocate for the new U.S. approach to data privacy abroad.”
“Legislation should direct the U.S. government to do this through bilateral agreements, such as those established in the Clarifying Overseas Use of Data (CLOUD) Act, through trade agreements, and in international multi-stakeholder forums,” they added.
Facebook Scandal Moves Privacy Needle
In the wake of the Cambridge Analytica, Facebook scandal and the enactment of the EU General Data Protection Regulation, Congress and industry stakeholders have called for greater consumer data protections.
The healthcare sector has echoed that cry, while calling for a HIPAA update to address the digital nature of the industry. To Alan McQuinn, ITIF Senior Policy Analyst, there are two main opinions around the idea of HIPAA and what can be done to improve the regulation.
“HIPAA was designed for health providers, to protect doctor-patient confidentiality. It would be bad for a lot of health apps.”
There are those who want to replace HIPAA, as it’s not doing enough in the digital world. Technology has outpaced the policy and it hasn’t done enough with its updates to address privacy concerns, he explained.
“HIPAA does its job fairly well, in the sense that it’s easier for healthcare providers to transmit claims to insurers, securely share information and the like,” said McQuinn. “It does what it’s supposed to do—for who it covers.”
The other opinion is that HIPAA could be amended to cover things like health apps.
“Here again, it’s a bad idea,” said McQuinn. “HIPAA was designed for health providers, to protect doctor-patient confidentiality. It would be bad for a lot of health apps – and it would stifle innovation.”
Instead, ITIF proposed getting at both sides of the coin: replace HIPAA and the patchwork of regulations across the country with a single, unified framework.
To McQuinn, the idea is that some data is just more sensitive and requires higher protection. The framework would extend across all industries, giving some data greater privacy protections than others.
“Congress can repeal these regulations to create a single set of protections for sensitive data in certain instances, like health and financial services, while creating less burdens of rules for those who fall out of HIPAA traditionally, such as apps, labs, etc.,” said McQuinn.
For example, consumers have strong privacy rights under HIPAA, like right to data access and affirmative consent for that data to be used. In fact, McQuinn said many of the recommendations in the proposal are covered by HIPAA. But the idea is to unify all sectors, especially in an increasingly connected world.
“The idea is to make compliance in the space easier for health providers and everyone,” said McQuinn.
The Need for Data Privacy
Consumer privacy has been a top discussion in Congress as of late. In fact, Sen. Marco Rubio, R-Florida, became the latest senator to introduce his take on federal privacy laws on Wednesday. According to the release, Rubio’s goal is to protect consumers, while ensuring businesses can still innovate. And 15 Democrats proposed their own data privacy law in December.
“The U.S. should not stand by while other countries adopt privacy rules that affect U.S. competitiveness.”
These proposed laws solidify ITIF’s point: Everyone needs to be on the same page.
“If Congress passes data privacy legislation, its key task will not be to maximize consumer privacy, but rather to balance competing goals such as consumer privacy, free speech, productivity, U.S. economic competitiveness, and innovation,” the ITIF proposal reads. “It is relatively easy to pass legislation to maximize consumer privacy.”
“Right now, we’re having a big conversation around privacy in the U.S.,” said McQuinn. “While others are proposing bureaucracy to put onto these general privacy laws. Our proposal is here: if we’re going to open the hood and look at privacy laws, let’s do a grand privacy law, for all industries, based on sensitivity of data and collection that applies to everyone and their data.”
Indeed, when California enacted its heightened privacy law last year, many were quick to point out its similarity to GDPR. But while the law was crafted with input from across all sectors, some have said it’s ambiguous and will lead to regulatory confusion.
And GDPR itself is not without its own flaws. While it’s positive that the regulation ensures there’s no differing rules between sectors, McQuinn stressed that GDPR may actually stifle innovation due to its broad nature.
“Let’s face it, HIPAA has not worked well: Healthcare providers see it as check the box situation and are not protecting IT systems as a result.”
In response, ITIF took on some of the more burdensome rules in its proposal, McQuinn explained.
“The goal of data privacy legislation should therefore not be to myopically maximize consumer privacy, but to maximize consumer welfare,” the report authors wrote. “In other words, consumer welfare involves privacy, but it also involves lower prices (or free products and services) and the development of new products and services.”
“This approach requires finding the optimal level of regulation for the digital economy, with rules that are neither too weak nor too strong,” they added.
ITIF’s proposal is not specific by industry nor does it fully address security needs, especially in the healthcare space. Rather, McQuinn stressed that the idea was to approach data privacy regulation in a more market-focused way. Further, the proposal is just that: a proposed idea that can be improved upon to address concerns.
ITIF is currently speaking with members on the Hill on how best to pursue the proposed law and are open to analyzing any proposal.
“Let’s face it, HIPAA has not worked well: Healthcare providers see it as check the box situation and are not protecting IT systems as a result,” said McQuinn. “We’re going to see the need arise more as states push for [a federal privacy law]. The point of this exercise is to add more ideas to the debate.”
“The push is there,” he continued. “One of the ways folks can come together is to reduce compliance burdens with federal privacy bill by creating more robust protections around consumers… We’re not here to disrupt business models or to create overburden costs, but to help digital business for the end consumer.”