
Proposed Bill Would Close HIPAA Gaps, Curb Health App Privacy Risks

A proposed bipartisan bill would direct HHS to create regulations for health tech like apps and direct-to-consumer genetic tests, which HIPAA does not cover, to bolster patient privacy.


By Jessica Davis

Sens. Amy Klobuchar, D-Minnesota, and Lisa Murkowski, R-Alaska, unveiled legislation on June 14, focused on closing privacy gaps in HIPAA, which does not currently cover tech like health apps, direct-to-consumer genetic tests, and other consumer-focused health technology.

The Protecting Personal Health Data Act is solely focused on creating regulation and standards for data not currently covered by HIPAA.

The Department of Health and Human Services Office for Civil Rights released an FAQ in April, which explained that providers aren’t liable for the third-party apps, APIs, and other patient data sharing uses that patients opt into without recommendation from their provider.

“The FAQs clarify that once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA-covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate,” OCR officials explained.

In response, Congress expressed concern that HHS is not doing enough to protect patient data privacy with these health apps and APIs, which are a key component of the info blocking rule proposed by the Office of the National Coordinator in February.

Specifically, the proposed legislation would direct the HHS Secretary to create regulations for these apps to help strengthen privacy and security concerns for patients’ personal health data.

When building the regulations, HHS must take into account appropriate standards for consent tailored to each type of data and account for differences in the sensitivity of that information, including genetic data, biometrics, and general personal health data.

Further, the regulations must account for the ability of individuals to navigate their health privacy options and give them the ability to access, amend, and delete copies of their personal health data used or collected by companies.

HHS would also need to create a national task force on health data protection, designed to evaluate and provide input to address cybersecurity risks and privacy concerns associated with these direct-to-consumer platforms that handle personal health data.

The task force would also be tasked with developing security standards for consumer devices, services, apps, and software, as well as studying the long-term effectiveness of deidentification strategies for genetic and biometric data and advising on the appropriate resources to educate consumers about consumer-directed genetic testing.

HHS must consult with ONC and the Federal Trade Commission in order to have the regulations ready within six months of enactment.

The bill is endorsed by Consumer Reports. Calling HIPAA out of date, its Senior Policy Counsel Dena Mendelsohn said the bill would enable consumers to take advantage of new health tech without giving up their privacy rights.

“New technologies have made it easier for people to monitor their own health, but health tracking apps and home DNA testing kits have also given companies access to personal, private data with limited oversight,” Klobuchar said in a statement.

To Murkowski, the bill “takes important steps to ensure guidelines are created for security and privacy protections of modern health information. Our policies must evolve to keep up with advancements in recent technology.”

Congress has steadily increased its efforts to shore up consumer privacy, after multiple Facebook data scandals and several reports revealing that health and mental health apps routinely share consumer health data without transparency about the process.

Many healthcare industry stakeholders have called for federal privacy legislation, or at least API and app standards, to protect patient privacy.