On Friday, a group of bipartisan Senators became the latest Congressional members to enter the data privacy discussion, unveiling legislation that would require publicly-traded companies to disclose whether their board of directors includes a cybersecurity expert.
The legislation comes on the heels of a recent privacy legislation proposal from Sen. Catherine Cortez Masto, D-Nevada that would require companies to obtain explicit consent from individuals before gathering and sharing health and genetic data.
The proposals closed out a week that saw House members weigh a national data privacy law to reduce the risk to consumer data, while Senators continued the debate with their own privacy meeting – with staunch differences on both sides of the aisle on just how a federal privacy bill would work.
“Congress needs to develop a uniquely American data privacy framework,” Sen. Roger Wicker, R-Mississippi, said during the meeting. “It's clear we need a strong national data privacy law.”
“I believe that notice and consent are no longer enough,” Sen. Maria Cantwell, D-Washington, said at the time.
While it appears the privacy conversation is picking up speed, a unified federal privacy bill, if passed, is still a long way from fruition. However, the Congressional hearings provided insight into what could potentially be included in the legislation, including explicit consent, a feasible way for consumers to opt-in or out of data collection, and whether the federal bill will supersede the patchwork of state laws.
In fact, during the Senate hearing, it was revealed that there are currently 94 data privacy laws being considered at the state level. Some of those, including North Carolina’s proposed 30-day breach notification, contain key elements that could potentially impact healthcare providers.
Meanwhile, the privacy debate has shed light on key takeaways that providers can begin to consider now, which may help them to prepare for the inevitable shift into tighter privacy regulations.
HealthITSecurity.com spoke with healthcare attorney Daniel Gottlieb, a partner at Chicago law firm McDermott Will & Emery and Julia Hesse, a leading HIPAA attorney and partner with Choate, Hall & Stewart, to get a sense of just what can be expected – and how providers can begin to prepare.
A common goal of all of these bills is data harmonization, Gottlieb explained. And while there’s a general agreement that data harmonization is a good thing, there are varying opinions on what that actually looks like, depending on the side of the political spectrum.
Historically, those on the left want states to adopt stricter laws that are consumer-friendly, while those on the right don’t want more federal requirements, said Gottlieb.
“That’s become the challenge with getting these national laws passed, in my opinion,” said Gottlieb. “Sometimes it’s partisan, sometimes it’s not, when it comes with penalties and so forth… In the business community, there’s a lot of talk around harmonization.”
“We’re tracking these proposals and getting a lot of questions to look into crystal balls,” he added. “In terms of laws already adopted: We’re working with clients on GDPR and starting to work on implementation of California’s privacy act.”
Right to Access
For Hesse, EU's GDPR is a strong blueprint that could make sense for real authorities to pursue, as so many in the U.S. must comply with GDPR. Even California attempted to mirror some of GDPR’s language to reduce the regulatory problems and make the privacy law more consistent with what companies are already having to do to comply with GDPR.
One major component of GDPR is the right to access. And frankly, Gottlieb explained, that’s the biggest challenge the U.S. and the healthcare sector are facing. Many of these proposed state and federal privacy laws are mindful of the GDPR elements, although not completely patterned after it.
“[With right to access] the data controller or business needs not only to provide a copy of personal data on request, but also to tell the individual who the recipients of their personal data will be, or other means.”
“It’s often hard for healthcare providers to track where data has gone within the continuity of care,” he continued. “There are so many third-parties, such as providers at other organizations, third-party payers and intermediaries between providers and third-party payers, or perhaps analytics suppliers engaged to help improve the quality of care or reduce costs. It’s just data going all over the place, for purposes permitted under HIPAA and other states’ health information privacy laws.”
Further, the EHR and other health tech isn’t set up to efficiently or easily track every place the data goes outside the enterprise of the organization that licensed the EHR, Gottlieb explained. However, the issue is not new. Since 2003, HIPAA has included a right to an accounting of disclosures, but that right excludes disclosures for treatment, payment and health care operations activities – or “the vast majority of disclosures.”
“What’s accounted for is just a very small percentage of all disclosures that take place,” said Gottlieb. “The privacy community complained that it’s inadequate, and does not hold HIPAA Covered Entities accountable for their disclosures of patient information. HIPAA was amended by the HITECH Act to require covered entities to account for disclosures for treatment, payment and health care operations purposes. But OCR never implemented the enhanced accounting requirement, as it couldn’t identify a way for health IT vendors and their HIPAA covered entity customers to practically do it. So, OCR never amended the HIPAA Privacy Rule to implement the enhanced accounting requirement.”
“The point is: these other laws would require just that. The federal government, the administration, and Congress are probably likely to add that measure, but it’s not practical,” he added. “Notwithstanding, a new law will be put into place at that level of accountability. They’ll need EHR vendors and other IT vendors to come out with solutions to accommodate it. There just hasn’t been an incentive for health IT companies to develop solutions for tracking all of the GDPR access rights that will be required under some pending state legislations.”
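To make the gap Gottlieb describes concrete, here is an added illustration (not code from the article or from any EHR vendor) of a disclosure ledger that can answer both questions: what HIPAA's current accounting right returns once treatment, payment and operations (TPO) disclosures are excluded, and what an enhanced, GDPR-style right of access would have to return, namely every disclosure and every recipient. All patient IDs, recipient names and dates are constructed sample values, and the purpose categories are a simplified set chosen for the example.

```python
"""Accounting-of-disclosures ledger: current HIPAA scope vs. enhanced scope.

Added illustration. Every record below is constructed sample data; the
recipient names are hypothetical and the purpose vocabulary is simplified.
"""
from dataclasses import dataclass
from datetime import date

# HIPAA's current accounting right excludes these three purpose categories.
TPO_PURPOSES = frozenset({"treatment", "payment", "operations"})

# Simplified purpose vocabulary for the example; anything else is rejected
# so that an unclassified disclosure cannot silently fall out of the report.
KNOWN_PURPOSES = TPO_PURPOSES | {"public_health", "research", "legal"}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    recipient: str          # organisation that received the data (hypothetical)
    purpose: str            # one of KNOWN_PURPOSES
    disclosed_on: date
    data_elements: tuple    # data categories that were sent

    def __post_init__(self):
        if self.purpose not in KNOWN_PURPOSES:
            raise ValueError(f"unknown disclosure purpose: {self.purpose!r}")


# Constructed ledger for two hypothetical patients.
SAMPLE_LEDGER = [
    Disclosure("P-001", "Specialist Clinic (hypothetical)", "treatment",
               date(2019, 1, 10), ("diagnoses", "medications")),
    Disclosure("P-001", "Example Health Plan (hypothetical)", "payment",
               date(2019, 1, 12), ("claims",)),
    Disclosure("P-001", "Analytics Vendor (hypothetical)", "operations",
               date(2019, 2, 1), ("diagnoses", "lab_results")),
    Disclosure("P-001", "State Health Dept (hypothetical)", "public_health",
               date(2019, 2, 15), ("diagnoses",)),
    Disclosure("P-002", "Community Hospital (hypothetical)", "treatment",
               date(2019, 3, 3), ("diagnoses",)),
    Disclosure("P-002", "University Study (hypothetical)", "research",
               date(2019, 3, 20), ("lab_results",)),
]


def hipaa_accounting(ledger, patient_id):
    """Current HIPAA-style accounting: a patient's disclosures minus TPO ones."""
    return [d for d in ledger
            if d.patient_id == patient_id and d.purpose not in TPO_PURPOSES]


def full_accounting(ledger, patient_id):
    """Enhanced / GDPR-style accounting: every disclosure for the patient."""
    return [d for d in ledger if d.patient_id == patient_id]


def recipients(ledger, patient_id):
    """Distinct recipients, which a right-of-access response would have to name."""
    return sorted({d.recipient for d in full_accounting(ledger, patient_id)})


def omitted_fraction(ledger, patient_id):
    """Share of a patient's disclosures the current accounting leaves out."""
    total = full_accounting(ledger, patient_id)
    if not total:
        return 0.0
    return 1.0 - len(hipaa_accounting(ledger, patient_id)) / len(total)


def access_report(ledger, patient_id):
    """Plain-text report in the enhanced scope: recipient, purpose, date, data."""
    lines = [f"Disclosures for {patient_id}:"]
    for d in sorted(full_accounting(ledger, patient_id), key=lambda d: d.disclosed_on):
        lines.append(f"  {d.disclosed_on.isoformat()}  {d.recipient:35s} "
                     f"{d.purpose:14s} {', '.join(d.data_elements)}")
    return "\n".join(lines)


if __name__ == "__main__":
    for pid in ("P-001", "P-002"):
        print(access_report(SAMPLE_LEDGER, pid))
        print(f"  current HIPAA accounting would list "
              f"{len(hipaa_accounting(SAMPLE_LEDGER, pid))} of "
              f"{len(full_accounting(SAMPLE_LEDGER, pid))} disclosures "
              f"({omitted_fraction(SAMPLE_LEDGER, pid):.0%} omitted)\n")
```

The design point is that the ledger records every outbound disclosure with a purpose code at the time it happens; the two accounting functions are then only filters over the same data. The hard part Gottlieb raises is not the filter but populating the ledger in the first place across EHRs, payers, intermediaries and analytics suppliers.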
While it’s hard to say how likely it will be for these laws to pass, as there will need to be bipartisan agreement, Gottlieb explained that there is support for the right to access measures based on the outrage around the Facebook data scandals.
“Many more voters are concerned about this issue now than was the case five to 10 years ago when there was less awareness,” he said. “There’s a clear trend toward greater access rights. GDPR is an effective law, and the California law is effective Jan. 1, 2020.”
“I think the health delivery organizations should anticipate needing to comply with access rights,” he added. “I don’t think healthcare needs to make it a number one priority, as I would hope there would be a period of time to enact compliance, like a year before it becomes effective… But they should see this on the horizon.”