All players in the health and wellness ecosystem should be following developments around the American Data Privacy and Protection Act (ADPPA). If enacted, the ADPPA would be a watershed in the regulation of the privacy and security of personal information, including health information. The ADPPA would have a particularly large impact on entities that currently collect, process, and transmit health information but are not subject to HIPAA.
Our colleagues Cynthia Larose and Christian Fjeld have provided a comprehensive summary of the draft discussion bill here and the Mintz Privacy & Cybersecurity Practice will continue to follow developments related to the Act.
The privacy and security of health information in the United States are regulated by a number of overlapping state and federal laws, and these laws are enforced by a variety of government authorities. While HIPAA is primarily enforced by the HHS Office for Civil Rights, the ADPPA would be enforced by the FTC and by state attorneys general. Because HIPAA only applies to covered entities (health plans and health care providers who engage in electronic HIPAA covered transactions) and their business associates, a number of entities that collect, process, and disclose health information are not subject to HIPAA and often fall outside of state medical privacy laws that similarly apply only to providers and insurers. Whether or not currently regulated by HIPAA, companies collecting health information may want to pay particular attention to the following aspects of the draft of the ADPPA.
The bill applies to entities that collect, process, or transfer “covered data.” “Covered data” means “information that identifies or is linked or reasonably linkable to an individual or a device,” and it includes “derived data” and “unique identifiers” such as persistent digital markers like cookies and IP addresses. Such entities are termed “covered entities” under the ADPPA (a nomenclature that may become confusing, as the same term is used much more narrowly under HIPAA).
The bill also defines “sensitive covered data” to include, among other things, “any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatment of an individual” and genetic information.
Companies will also want to follow the definition of a “large data holder.” As drafted, the bill provides the following working definition: “a covered entity that, in the most recent calendar year—(A) had annual gross revenues of [$250,000,000] or more; [and] (B) collected, processed, or transferred—(i) the covered data of more than 5,0000,000 individuals or devices that identify or are linked or reasonably linked to 1 or more individuals; [or] (ii) the sensitive covered data of more than [100,000] individuals or devices that identify or are linked or reasonably linked to 1 or more individuals. . .” Whether the bracketed $250 million figure stands, and whether the bracketed “and” becomes an “or,” will have an enormous impact on the number of entities collecting health information that are considered “large data holders.”
Consent Requirements for Sensitive Covered Data
Under the ADPPA, a covered entity cannot collect or process sensitive covered data, which includes health information, or transfer such data to a third party without the data subject’s “affirmative express consent.” Under the Act, “affirmative express consent” requires a specific, informed, unambiguous authorization for an act or practice by the covered entity. When the covered entity requests the consent to collect, process, or transfer sensitive covered data, it must comply with specific request requirements, including distinguishing between acts necessary to fulfill a request of the individual and acts for another purpose.
Preemption and Preservation
Under the ADPPA, covered entities subject to certain other federal privacy laws, including HIPAA, that are in compliance with the data privacy requirements of such laws are deemed to be in compliance with the “related requirements” of the ADPPA, but only with respect to data that is subject to such regulations. Similarly, Section 208 of the ADPPA, which sets forth data security requirements for covered data, provides that entities that are subject to HIPAA and are in compliance with the information security requirements of HIPAA are deemed to be in compliance with the ADPPA, but only with respect to data covered by HIPAA. A covered entity or business associate that fails to comply with HIPAA could therefore potentially be subject to enforcement actions under both HIPAA and the ADPPA. Likewise, a covered entity or business associate that holds covered data that is not subject to HIPAA could potentially face an enforcement action for violation of the ADPPA with respect to that data. The draft bill requires the FTC to issue guidance on the preemption landscape within a year of the enactment of the ADPPA.
Though the ADPPA contains a broad preemption clause for state laws, it explicitly carves out from the preemption any state laws that “address health information, medical information, medical records, HIV status, or HIV testing.” Thus, the patchwork of state laws addressing medical and health privacy would remain in place. The ADPPA would also largely preempt the comprehensive state privacy laws enacted in recent years, but would leave the private right of action for data security violations under the California Consumer Protection Act unaffected.
As the ADPPA moves through Congress, we will continue to monitor developments around the bill and how its passage could impact the health industry.