Recent bipartisan legislation aims to tackle ongoing health data privacy issues, particularly around health information not covered by HIPAA regulation. (Photo by Lauren DeCicca/Getty Images)

Bipartisan legislation introduced by Sens. Bill Cassidy, R-La., and Tammy Baldwin, D-Wis., would establish a commission to assess the current state of health data privacy and the Health Insurance Portability and Accountability Act (HIPAA), in an effort to address the longstanding technology and security challenges posed by the outdated health data privacy regulation.

The Health Data Use and Privacy Commission Act revives the federal effort to modernize HIPAA, which was drafted decades before modern digital transformation in the healthcare sector. 

The legislation would establish a commission that would, among other research areas, “provide recommendations on whether federal legislation is necessary, and if so, specific suggestions on proposals to reform, streamline, harmonize, unify, or augment current laws and regulations relating to individual health privacy.”

The potential reforms to existing laws would consider “enforcement, preemption, consent, penalties for misuse, transparency, and notice of privacy practices.” The commission must include 17 members that will be appointed by the comptroller general.

Modernizing HIPAA to address digital transformation

The bill and its commission would put health data privacy and potential HIPAA modernization back in the crosshairs, after a relative lull in congressional efforts with similar aims. Prior to the pandemic, it was a key federal priority, with multiple health privacy bills introduced on both sides of the aisle.

The goal is to address the proverbial elephant in the room: HIPAA was written when the majority of providers still relied on paper charts and documentation, which means it doesn’t apply to health apps, smart technologies, or other emerging tech.

The largest push to overhaul the outdated rule was last seen in 2019, with many privacy groups proposing their ideas on key issues a federal privacy standard or law should address. Further updates to the rule have been proposed by stakeholder groups for more than five years. 

In 2021, the Center for Democracy & Technology and the eHealth Initiative & Foundation proposed their view of a consumer health data privacy framework focused on much-needed standards for the collection, disclosure, and use of consumer health data, to which HIPAA does not apply.

The newly proposed bill would assess these privacy and security risks, as well as previous recommendations to Congress on how to modernize these health data and privacy laws. The legislation has a keen focus on patient privacy and building patient trust, all while maintaining the ease with which doctors can access much-needed patient data at the point of care.

The drive for digital adoption and innovation in healthcare has further compounded patient privacy and trust issues, Cassidy, who is also a medical doctor, explained in a release. In order for these modernization efforts to succeed, “patients need to trust their providers are keeping their data secure.”

In short, “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right,” Cassidy added.

Commission to focus on health information security

For Baldwin, the bill is the first step in informing Congress on the right path to modernizing healthcare privacy laws and regulations, with a keen focus on health information security and the tools needed to maintain care quality.

The legislation would establish a commission tasked with the launch of a coordinated, comprehensive review of existing protected and personal health information security measures addressed at the state and federal levels, while assessing the methods used by healthcare providers, insurance companies, financial services, consumer electronics, and other sectors.

The commission would be tasked with determining potential threats to health privacy and policy interests, when health information sharing is appropriate and beneficial to consumers, and the “effectiveness of existing statutes, regulations, private sector self-regulatory efforts, technology advances, and market forces in protecting individual health privacy.”

The group would also address any potential costs associated with regulations proposed in the compiled report, as well as any unintended consequences in other policy areas and possible “threats to health outcomes and costs if privacy rules are too stringent.” 

The report must also provide a cost analysis of any proposed legislative or regulatory changes.

The gathered research would inform recommendations to be provided to Congress and “whether federal legislation is needed to modernize health data privacy, and if so, how to do it.” The legislation would also mandate the data be distilled into a report that would be submitted to Congress and the president six months after the appointment of commission members.

The proposed legislation has already garnered support from athenahealth, Epic Systems, IBM, Teladoc Health, the Federation of American Hospitals, the American College of Cardiology and the Association for Behavioral Health and Wellness, among others.

A letter sent to Cassidy and Baldwin from these entities hails the bill, and the potential commission, as a much-needed tool to inform perspectives in the ongoing privacy debate.

The recommendations outlined in the bill to inform Congress will only further the mission to “help modernize health data use and privacy policies” rooted in clear, consistent patient protections. But the groups make it clear that health data is far too often crafted into a subset from consumer-driven information and medical data on patients generated by providers.

As Congress contemplates comprehensive privacy reform, HIPAA-covered data must also be included in these debates to ensure entities aren’t subjected to duplicative requirements. All healthcare entities need “clarity and consistency in health data privacy and use rules.” 

“Given the advancements Congress has made in improving the interoperability of healthcare information and systems, your efforts to ensure robust consideration of healthcare data and privacy through the Health Data Use and Privacy Commission will provide useful perspective to the ongoing privacy debate,” the groups wrote.

“Secure and private health information should not be the enemy of medical innovation, clinical process improvement, or public health response,” they added. “Careful consideration of these issues by the commission will inform policy makers to achieve the necessary balance of data liquidity and confidentiality necessary for a highly functional and trusted health system.”