February 9, 2022

Cassidy, Baldwin Introduce Legislation to Begin Modernization of Health Privacy Laws

WASHINGTON – U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) today introduced the Health Data Use and Privacy Commission Act to begin the process of modernizing our outdated health privacy laws and regulations. Technology companies play a growing role in health care, and a growing share of health information sits beyond the reach of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is an over 25-year-old law that protects health information held by doctors, hospitals, health plans and other covered entities, but it does not protect health data recorded by emerging consumer technologies (cell phones, smart watches, etc.), which leaves that data at significant potential risk.

This legislation forms a health data use and privacy commission to research and deliver official recommendations to Congress on how to modernize health data use and privacy laws, ensuring patient privacy and trust while balancing the need of doctors to have information at their fingertips to provide care.

“As a doctor, the potential of new technology to improve patient care seems limitless. But Americans must be able to trust that their personal health data is protected if this technology can meet its full potential,” said Dr. Cassidy. “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”

“Folks across Wisconsin and the country are rightfully concerned about the security of their personal information, especially individual health care data, and it is time to give Americans better protection over these records,” said Senator Baldwin. “I am excited to introduce the bipartisan Health Data Use and Privacy Commission Act to help inform how we can modernize health care privacy laws and regulations to give Americans peace of mind that their personal health information is safe, while ensuring that we have the tools we need to advance high-quality care.”

This legislation is supported by the American College of Cardiology, Association for Behavioral Health and Wellness, Association of Clinical Research Organizations, athenahealth, Inc., Epic Systems Corporation, Executives for Health Innovation, Federation of American Hospitals, Health Innovation Alliance, IBM, National Multiple Sclerosis Society, Teladoc Health and United Spinal Association.

The Health Data Use and Privacy Commission Act would establish a commission to –

  • Conduct a coordinated and comprehensive review and comparison of existing protections of personal health information at the state and federal level, as well as current practices for health data use by the health care, insurance, financial services, consumer electronics, advertising, and other industries;
  • Provide recommendations to Congress on whether federal legislation is needed to modernize health data privacy, and if so, how to do it; and
  • Submit a report to Congress and the President six months after all members are appointed. The Commission would consist of 17 members appointed by the Comptroller General.

Specifically, the Commission is charged with drafting recommendations and conclusions on the following:

  • The potential threats posed to individual health privacy and legitimate business and policy interests.
  • The purposes for which sharing health information is appropriate and beneficial to consumers and the threat to health outcomes and costs if privacy rules are too stringent.
  • The effectiveness of existing statutes, regulations, private sector self-regulatory efforts, technology advances, and market forces in protecting individual health privacy.
  • Recommendations on whether federal legislation is necessary, and if so, specific suggestions on proposals to reform, streamline, harmonize, unify, or augment current laws and regulations relating to individual health privacy, including reforms or additions to existing law related to enforcement, preemption, consent, penalties for misuse, transparency, and notice of privacy practices.
  • Analysis of whether additional regulations may impose costs or burdens, or cause unintended consequences in other policy areas, such as security, law enforcement, medical research, health care cost containment, improved patient outcomes, public health or critical infrastructure protection, and whether such costs or burdens are justified by the additional regulations or benefits to privacy, including whether such benefits may be achieved through less onerous means.
  • The cost analysis of legislative or regulatory changes proposed in the report.
  • Recommendations on non-legislative solutions to individual health privacy concerns, including education, market-based measures, industry best practices, and new technologies.
  • Review of the effectiveness and utility of third-party statements of privacy principles and private sector self-regulatory efforts, as well as third-party certification or accreditation programs meant to ensure compliance with privacy requirements.