On February 21, 2024, Sen. Bill Cassidy (R-LA), Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, announced “Strengthening Americans’ Health Data Privacy: “Meeting Modern Challenges” proposes several updates to health data privacy protections. This is how Senator Cassidy will strengthen privacy protections for health data covered under the Health Insurance Portability and Accountability Act (“HIPAA”) framework in September 2023, and what is currently covered by HIPAA. This follows a request for information from stakeholders on how to consider protecting the privacy of other health data sources that have not yet been established. . The white paper notes that multiple organizations responded to the RFI, including industry associations, hospitals, medical technology companies, and think tanks.
The white paper explains the importance of health information, including “increasing access to health care, supporting research for new diagnoses and treatments, improving quality and outcomes, and reducing health care costs.” It also includes the possibility that such data may be used to reduce At the same time, Sen. Cassidy noted that health data is at greater risk of misuse than other types of data, which is why he believes changes to existing health privacy protections are necessary.
In short, Senator Cassidy urges Congress to consider specific updates to the HIPAA framework, including the use of de-identified data for research, and to provide specific updates to the HIPAA framework that the Department of Health and Human Services (“HHS”) deems necessary. We are asking you to consider this area. ) Guidance from the Office of Civil Rights (“OCR”) interpreting HIPAA is insufficient. He also called on Congress to pass comprehensive data privacy laws, with 13 states and 137 countries passing data privacy frameworks and considering federal minimum standards for health data not regulated by HIPAA. I pointed out what I was doing. Additionally, Senator Cassidy will focus primarily on direct-to-consumer companies and advocate for efforts to bring existing health privacy frameworks more in line with consumer expectations, including those related to the use of genetic data for research. We are asking Congress to take action.
Senator Cassidy’s white paper categorizes the proposals into the following categories: (1) updates to the current HIPAA framework, (2) health data in the “gray areas” of HIPAA, and (3) outside the scope of HIPAA. Data of. This is part 1 of his two-part series on Senator Cassidy’s white paper. Below, we discuss Senator Cassidy’s proposed updates to his existing HIPAA framework as proposed in his white paper. I will discuss his other two categories in Part 2 next time.
HIPAA framework updates
Senator Cassidy’s white paper states that he believes major changes to HIPAA could cause disruption to the broader healthcare industry, including overturning decades of case law and disrupting patient care. This suggests that Specifically, Senator Cassidy said that HIPAA has served as a “robust privacy framework for more than 30 years,” and that covered organizations are required to protect patient privacy and share patient information in certain appropriate circumstances. He points out that he was able to strike a good balance between the two. The white paper recommends “specific updates and clarifications”, particularly due to the emergence of new medical technologies and AI that are not accounted for in the existing framework. These suggestions include:
- Coordinate the processing of all health data. The white paper calls for “full coordination of all health data within HIPAA.” For example, it discusses certain reforms made as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, which requires HHS to provide Part 2 records (related to substance use disorder history). ) to increase harmonization of HIPAA with the regulations governing the Reduces the regulatory burden for companies that need to comply with both frameworks. Senator Cassidy encourages Congress to continue these collaborative efforts. The white paper cautions against treating certain health data differently and points to his proposed updates to the HIPAA Privacy Rule to specifically limit certain sharing of reproductive health information for law enforcement purposes. I am. The white paper states that treating certain health data differently can result in “inappropriate withholding” of medical information, as well as “uncertainty and confusion” from providers who need it. It states that there is.
- Patient ownership of medical data. The white paper asks Congress to clarify “how patient information can and cannot be used for research.” While Senator Cassidy noted that data de-identified pursuant to HIPAA has been used for research purposes for more than 20 years and has helped develop AI tools that can improve care and reduce disparities, the white paper specifically addresses re-identification. Discusses the risks of stemming. It arises from concerns about AI tools and patient ownership and autonomy over the use of their health data. Senator Cassidy urged Congress to “consider whether existing exemptions that allow de-identified data to be used in research should consider whether patients can opt in or out of participation.” We encourage them to consider the risks of re-identification. Patient information for research purposes is to ensure that individuals cannot be identified without their explicit consent. ”Senator Cassidy also discussed how patients should have the right to be compensated for sharing their personally identifiable data, similar to how patients are compensated for participating in clinical trials. We are asking Congress to consider this.
- Other suggestions. The white paper also calls on Congress to direct HHS OCR to clarify how the “minimum necessary” standards within HIPAA align with other regulatory requirements (e.g., the 21st Century Cures Act). There is. Additionally, the white paper urges Congress to more clearly define certain aspects of HIPAA’s access rights, particularly certain aspects of the Third Party Directive related to fees charged in response to these requests.
