All actors in the health and wellness ecosystem should follow developments in the American Data Privacy and Protection Act (ADPPA). If enacted, the ADPPA would represent a watershed in regulating the privacy and security of personal information, including health information. ADPPA would have a particularly broad impact on entities that currently collect, process and transmit health information but are not subject to HIPAA.
Our colleagues Cynthia Larose and Christian Fjeld have provided a full summary of the discussion draft of the bill here.
The privacy and security of health information in the United States is governed by a number of overlapping state and federal laws, enforced by a variety of governmental authorities. Although HIPAA is enforced mainly by the HHS Office for Civil Rights, the ADPPA would be enforced by the FTC and the state attorneys general. Because HIPAA applies only to covered entities (health plans and health care providers that engage in electronic transactions covered by HIPAA) and their business associates, many entities that collect, process and disclose health information are not subject to HIPAA, and they often also fall outside the scope of state medical privacy laws, which similarly apply to providers and insurers. Regardless of whether they are currently regulated by HIPAA, companies that collect health information may want to pay special attention to the following aspects of the ADPPA draft.
The bill applies to entities that collect, process or transfer “covered data”. “Covered data” means “information that identifies or is linked or reasonably linkable to an individual or device”, which includes “derived data” and “unique identifiers”, which would include persistent digital markers such as cookies and IP addresses. These entities are referred to as “covered entities” under ADPPA (a nomenclature which can be confusing as the same term is used much more narrowly under HIPAA).
The bill also defines “sensitive covered data” to include, among other things, “any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatment of an individual” and genetic information.
Businesses will also want to follow the definition of “large data holder”. As drafted, the bill provides the following operational definition: “a covered entity that, in the most recent calendar year: (A) had annual gross revenues of [$250,000,000] or more; [and] (B) collected, processed, or transferred: (i) the covered data of more than 5,000,000 individuals or devices that identify or are linked or reasonably linkable to 1 or more individuals; [or] (ii) the sensitive covered data of more than [100,000] individuals or devices that identify or are linked or reasonably linkable to 1 or more individuals. . . ” Whether the bracketed $250 million figure survives, and whether the bracketed “and” becomes an “or”, will have a huge impact on how many entities that collect health information are treated as “large data holders.”
Consent Requirements for Covered Sensitive Data
Under the ADPPA, a covered entity cannot collect or process sensitive covered data, which includes health information, or transfer such data to third parties, without the individual’s “affirmative express consent”. Under the bill, “affirmative express consent” requires specific, informed and unambiguous authorization of an act or practice of the covered entity. When a covered entity requests consent to collect, process or transfer sensitive covered data, it must satisfy specific requirements for the request, including clearly distinguishing between acts necessary to fulfill the individual’s request and acts carried out for another purpose.
Preemption and Preservation
Under the ADPPA, covered entities subject to certain other federal privacy laws, including HIPAA, that comply with the data privacy requirements of those laws are deemed to comply with the “related requirements” of the ADPPA, but only with respect to the data subject to those laws. Similarly, Section 208 of the ADPPA, which sets out data security requirements for covered data, deems entities that are subject to HIPAA and compliant with its information security requirements to be compliant with the ADPPA, but only with respect to the data covered by HIPAA. A covered entity or business associate that fails to comply with HIPAA could therefore potentially face enforcement action under both HIPAA and the ADPPA. And a covered entity or business associate that holds covered data not subject to HIPAA could also face enforcement for violating the ADPPA. The bill requires the FTC to issue guidance on the preemption landscape within one year of the ADPPA being enacted.
While the ADPPA contains a broad preemption clause for state laws, it explicitly excludes from preemption all state laws that “relate to health information, medical information, medical records, HIV status or HIV testing.” The patchwork of state laws on medical and health privacy would therefore remain in place. The ADPPA would also largely override the comprehensive state privacy laws enacted in recent years, but would leave the private right of action for data security breaches under the California Consumer Protection Act unaffected.
As the ADPPA moves through Congress, we will continue to monitor developments around the bill and how its passage could impact the healthcare industry.
© 1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All rights reserved. National Law Review, Volume XII, Number 174