All participants in the health and wellness ecosystem should keep an eye on developments around the American Data Privacy and Protection Act (ADPPA). If passed, the ADPPA will become a watershed in regulating the privacy and security of personal information, including health information. The ADPPA will have a particularly large impact on organizations that currently collect, process and share health information but are not subject to HIPAA.
Our colleagues Cynthia Larose and Christian Fjeld have prepared a comprehensive summary of the bill, available here.
The privacy and security of health information in the United States is governed by a series of overlapping state and federal laws, enforced by various government agencies. While HIPAA is primarily enforced by the HHS Office for Civil Rights, the ADPPA will be enforced by the FTC and state attorneys general. Because HIPAA applies only to HIPAA covered entities (health plans and health care providers that engage in electronic transactions covered by HIPAA) and their business associates, a number of entities that collect, process and disclose health information are not subject to HIPAA, and often are not subject to state health care privacy laws either, since those laws similarly apply to health care providers and insurers. Whether or not they are currently regulated by HIPAA, companies that handle health information may want to focus on the following aspects of the ADPPA bill.
The bill applies to organizations that collect, process or share “covered data”. “Covered data” means “information that identifies or is linked or reasonably linkable to an individual or a device”, which includes “derived data” and “unique identifiers”; the latter may include persistent digital markers such as cookies and IP addresses. Such entities are referred to as “covered entities” under the ADPPA (a nomenclature that can be confusing, as the same term is used in a much narrower sense under HIPAA).
The bill also defines “sensitive covered data” to include, among other things, “any information that describes or reveals the past, present or future physical health, mental health, disability, diagnosis or health care treatment of an individual” and genetic information.
Companies will also want to follow the definition of “large data holder”. The current text of the bill provides the following working definition: “a covered entity that, in the most recent calendar year—(A) had annual gross revenues of [$250,000,000] or more; [and] (B) collected, processed or transferred—(i) the covered data of more than 5,000,000 individuals or devices that identify or are linked or reasonably linkable to 1 or more individuals; [or] (ii) the sensitive covered data of more than [100,000] individuals or devices that identify or are linked or reasonably linkable to 1 or more individuals.” Whether the bracketed $250 million figure survives, and whether the bracketed conjunction ends up as “and” or “or”, will have a huge impact on the number of health information organizations that qualify as “large data holders”.
Consent requirements for sensitive covered data
Under the ADPPA, a covered entity may not collect or process sensitive covered data, including health information, or transfer such data to a third party, without the individual’s “affirmative express consent”. Under the bill, “affirmative express consent” requires a specific, informed and unambiguous authorization for an act or practice, given by the individual to whom the data relates. When a covered entity requests consent to the collection, processing or transfer of sensitive covered data, the request must meet specific requirements, including clearly distinguishing between the acts or practices that are necessary to fulfill the individual’s request and those that serve another purpose.
Preemption and Preservation
Under the ADPPA, entities subject to certain other federal privacy laws, including HIPAA, that comply with the requirements of those laws are deemed to be in compliance with the ADPPA’s “related requirements”, but only with respect to data subject to those laws. Similarly, ADPPA Section 208, which sets out the data security requirements for covered data, provides that entities subject to HIPAA that comply with the HIPAA security requirements are deemed compliant with Section 208, but only with respect to data subject to HIPAA. Therefore, a HIPAA covered entity or business associate that does not comply with HIPAA may be subject to enforcement action under both HIPAA and the ADPPA. In addition, a HIPAA covered entity or business associate that holds covered data not protected by HIPAA may be subject to enforcement action for violating the ADPPA with respect to that data. The bill requires the FTC to issue guidance on preemption within a year of the ADPPA going into effect.
While the ADPPA contains a broad preemption provision for state laws, it expressly excludes from that provision any state laws that “address medical information, health information, medical records, HIV status, or HIV testing.” Thus, the patchwork of state health privacy laws will remain in place. The ADPPA also largely preempts the comprehensive state privacy laws enacted in recent years, but does not preempt the private right of action for data breaches under the California Consumer Privacy Act.
As the ADPPA moves through Congress, we will continue to monitor developments around the bill and how its passage could impact the healthcare industry.
©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All rights reserved.
National Law Review, Volume XII, Number 174