
New Legislation Introduced to Modernize Health Data Privacy Laws




Jeffrey Aleixo

Health Data Privacy, Healthcare Compliance

The use of technology for healthcare and health information continuously grows in a way that could not be envisaged by previous healthcare privacy laws. Health information is now being collected by health apps and other technologies, and individuals’ sensitive health information is being shared with and sold by technology companies. Thus, in February 2022, US Senators Bill Cassidy, M.D. (R-LA), and Tammy Baldwin (D-WI) introduced bipartisan legislation designed to modernize health data privacy laws and reflect emerging healthcare technologies not addressed by existing law.

The Health Insurance Portability and Accountability Act (HIPAA) transformed the healthcare sector when it was enacted 25 years ago. However, it does not cover data privacy issues associated with today’s developing technologies. Therefore, the Health Data Use and Privacy Commission Act seeks to close the gap between existing protections and risk to personal health information (PHI) created by new healthcare technology that extends beyond the scope of HIPAA. 

HIPAA Overview

HIPAA was signed into law in 1996 at a time when healthcare providers were recording patient information manually. The law transformed the healthcare sector and helped to improve efficiency and eliminate waste. In addition to this, the HIPAA Privacy and Security Rules introduced safeguards to ensure the privacy and security of healthcare data.

However, nowadays, the use of technologies for receiving, storing, transmitting, and sharing healthcare data is putting sensitive health data at risk. While HIPAA protects interactions between patients and their healthcare providers, the legislation does not adequately cover privacy and security gaps related to the use of emerging technologies, such as third-party health applications and connected devices.

The Department of Health and Human Services (HHS) has proposed updates to the HIPAA Privacy Rule that are due to be finalized this year. Still, even if the proposed HIPAA Privacy Rule changes are signed into law, regulatory gaps that place health data at risk will remain. Consequently, to help address these privacy and security issues, it became necessary to modernize health data privacy laws.

Health Data Use and Privacy Commission Act

New bipartisan legislation aims to start the process of identifying and closing the current privacy gaps associated with emerging technologies and ensure health data are better protected, including health data that HIPAA does not currently protect. To facilitate this, the Health Data Use and Privacy Commission Act would form a health and privacy commission to conduct research and give official recommendations to Congress on how to reform health data privacy laws. 

The commission would be required to submit its report with its conclusions and recommendations to Congress and the President within six months. It would be composed of seventeen members appointed by the Comptroller General, including individuals who represent various viewpoints within healthcare, including providers, health plans, health technology developers, researchers, and consumers.

In order to help achieve a balance between protecting individual privacy and allowing appropriate uses of personal health information, the commission would study the following:

  • The potential threats posed to individual health privacy as well as business and policy interests,
  • The purposes for which sharing PHI is appropriate and beneficial to consumers and the threat to health outcomes and costs if privacy rules are too strict,
  • The effectiveness of existing statutes, regulations, private sector self-regulatory efforts, technology advances, and market forces in protecting individual health privacy,
  • Recommendations on whether federal legislation is necessary, and if so, specific suggestions on proposals to reform, streamline, or augment current laws and regulations relating to individual privacy,
  • An analysis of the burdens additional regulations would place on healthcare organizations and the potential for unintended consequences in other policy areas,
  • The cost analysis of any legislative or regulatory changes proposed in the report,
  • Recommendations for non-legislative solutions, and
  • A review of the effectiveness and utility of third-party statements of privacy principles and private sector self-regulatory efforts, and third-party certification and accreditation programs for ensuring compliance with privacy requirements.

Proposed legislation stemming from the studies may be based on state law, such as the California Consumer Privacy Act of 2018 (CCPA), as the commission would be instructed to evaluate relevant proposed state legislation and existing state law. Modernization of health data privacy laws may also be inspired by General Data Protection Regulation (GDPR), as the commission would be instructed to evaluate privacy protections undertaken by foreign governments and international governing bodies. 

The Health Data Use and Privacy Commission Act has attracted support from a dozen medical associations and technology vendors, as reflected in a joint statement of support.

Preparing for the Impact of Emerging Technologies on Health Data Privacy Laws

In order to cover the current technology landscape, alterations of existing data privacy laws are necessary. This would make it possible to balance innovation with the continued use of health data to advance patient care. If the Health Data Use and Privacy Commission Act is enacted and the proposed commission is formed, it will be critical for healthcare providers and organizations to monitor if and how healthcare privacy and PHI are managed under modernized health data privacy laws.

Meeting constantly changing regulatory requirements concerning the healthcare industry while staying compliant with OIG guidelines becomes increasingly demanding. Employers can rely on exclusion screening software solutions to simplify this process and ensure healthcare compliance. As a result, they can ensure that everyone engaged with their healthcare facility is compliant, eliminate the risk of being fined and excluded from federally funded healthcare programs, and stay ahead of the stringent compliance standards unique to the healthcare industry.

The information contained within this document is general in nature and is not intended and should not be construed as legal or HR advice or opinion by Emptech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document. We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, retransmitted, or otherwise redistributed in any form or by any means, including, but not limited to, photocopying, electronic or facsimile transmission, or using any other information storage and retrieval system.