One of the negative side-effects of the sectoral approach the United States has taken to privacy regulation is confusion over whether certain types of personal information are protected under existing rules. Specifically, many people – and, it appears, legislators – seem to assume that all health information is protected under HIPAA. This is incorrect, however, and the assumption that health information is already fully protected in commercial contexts may be leading to its exclusion in proposed data breach bills currently circulating in Congress. Not only do the bills fail to protect health data, but the preemption clauses in some of the bills would prevent state legislatures from enacting their own health privacy safeguards. As a result, if any of the data breach bills introduced in this Congress pass as currently written, a commercial entity that loses, say, your full name and a list of your medications would not be obligated to notify you.
HIPAA Provides Limited Coverage
The HIPAA Privacy Rule is the nation’s foremost health privacy regulation. The Privacy Rule only applies to certain organizations, collectively referred to as “covered entities” – 1) health plans, 2) health care clearinghouses, and 3) health care providers. The Privacy Rule requires covered entities to notify individual patients when they suffer a data breach of identifiable health information. (See our previous blog post for more on HIPAA breach notification requirements.)
HIPAA’s limited reach means that the Privacy Rule does not apply to health information held by a company or organization that is not a covered entity. This was less of a problem even five years ago, when fewer non-covered companies and organizations held such information. But with the explosive growth of health IT systems and the rapid digitization of health information, urged along by government incentive programs, health information is increasingly finding its way into commercial products and services. Examples include mobile health apps and social networking sites devoted to medical conditions. Personal health record products offered by HIPAA covered entities are subject to HIPAA data breach rules, while the Federal Trade Commission (FTC) has issued data breach rules for personal health records not covered by HIPAA. Outside of personal health records, however, breach notification requirements for health information held by companies not covered by HIPAA are weak or unclear. Studies indicate that consumers are interested in using commercial health IT applications, so consumer adoption of such services is likely to grow over time. That makes it all the more important that the law evolve with technology to provide blanket privacy protection for health information in commercial contexts.
Bills’ Definitions, Preemption Provisions Need Adjusting
Thanks to a rash of high profile data breaches, legislators this year have introduced (or in many cases re-introduced) numerous bills covering data breach notification and information security. We count seven to date, from Senators Carper, Feinstein, Leahy, and Pryor and Representatives Bono Mack, Rush and Stearns. The White House added its own voice to the debate by including data breach notification language in its cybersecurity proposal in May. The bills and proposal follow a similar pattern, though they use somewhat different terms. They apply to commercial entities – rather than entities covered by HIPAA – and generally define a security breach as the compromise of the integrity or confidentiality of “personal information.” But they define “personal information” quite narrowly, and the loss of information that falls outside the definition of personal information would not be considered a data breach.
For example, Rep. Bono Mack’s SAFE Data Act limits the definition of “personal information,” in short, to an individual’s name, address, or phone number in combination with either a Social Security number (SSN), another government-issued ID number, or a financial account or credit card number. (Interestingly, an amendment to the SAFE Data Act offered by Rep. Waxman that would have included some health information was defeated during a recent Subcommittee markup.) The data breach provisions in the White House cybersecurity proposal (as well as Sen. Leahy’s and Sen. Feinstein’s data breach bills) have a slightly different formulation, as CDT described in a previous blog post. The proposal would cover any information or compilation of information that includes identifiers roughly similar to those listed in the Bono Mack bill.
None of the bills explicitly protect health information held by companies that are not HIPAA covered entities. Thus, if a company lost an individual’s name, SSN and full medical record, the SAFE Data Act would require the company to only notify the consumer of the loss of the name and SSN. The wording of the White House proposal suggests that companies (under the same scenario) would be required to notify the individual of the loss of a medical record only if the name and SSN were also breached.
CDT does not think this is good policy. There is widespread agreement on the sensitivity of identifiable health information and individuals should know when such information is breached in commercial contexts, not just by HIPAA covered entities. A January 2011 survey from the Markle Foundation backs up this reasoning – the survey found that 82 percent of consumers and 85 percent of doctors agreed on the importance of notifying individuals when health information is exposed.
This problem is compounded by the bills’ preemption provisions. Essentially, the bills would trump state laws on data breach, thus eliminating state requirements (like those in California) that patients be notified when commercial entities lose identifiable health information. CDT believes data breach legislation should only preempt state law for the categories of information the federal legislation itself covers. If the federal legislation does not cover health information, then a state should be able to establish its own protections for health information.
Fortunately, most of the pending bills provide the Federal Trade Commission with the authority to modify the categories of information covered by the law. This is a crucial provision if any new data breach law is to stay up to date as technology evolves and new categories of sensitive data find wide commercial use. Nonetheless, though an administrative rulemaking is considerably less drawn out than the national legislative process, rulemakings are not painless and it would be more desirable if data breach legislation included health information from the get-go.
Plugging A Hole In Privacy Law
It is very positive that Congress is concerned about data breaches, and there is a good argument for adopting a federal breach notification standard to replace the forty-some state laws that govern breach notification today. It would be unfortunate, however, if data breach legislation neglected to include health information in commercial contexts, especially if the legislation prevented states from offering their citizens such protection. U.S. privacy law has long suffered from gaps in coverage, where the law protects data in one area but not another. Another gap is fast forming – that of digital health information used by entities not covered under HIPAA. Here there is a clear opportunity to close that gap for data breach notification purposes, and we hope Congress takes it.