Ruminations on the request for comments on overhauling HIPAA

Although the September 28th deadline has passed to submit feedback to the Senate Health, Education, Labor, and Pensions (HELP) Committee’s Ranking Member’s request, both the “ask” and the stakeholder feedback are worth considering. The “ask” by Sen. Cassidy, M.D. was for information “on ways to improve the privacy protections of health data to safeguard sensitive information while balancing the need to support medical research. Currently, health data that is collected from new technologies such as wearable and smart devices, and health and wellness apps is not protected under the Health Insurance Portability and Accountability Act (HIPAA).” What follows are different categories ranging from “[w]hat is health data” to data collection to artificial intelligence, among other relevant items.

The first question, “[w]hat is health data” is interesting, as well as the follow-up, do other laws other than HIPAA apply? Upon reading these questions, the following thoughts popped into my head:

• Other relevant laws include the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) (Pub. L. 1111-5), 21st Century Cures Act (Pub. L. 114-255), the Federal Trade Commission Act, as well as the Federal Trade Commission’s Health Breach Notification Rule (16 CFR Part 318), the Genetic Information Non-Disclosure Act (Pub. L. 110-233), and the well-known HIPAA Privacy Rule, Security Rule, and Health Breach Notification Rule (collectively, “Rules”). State laws are also relevant, although HIPAA serves as a floor and state laws cannot go below what is set forth in HIPAA and the implementing Rules. The Electronic Health Record Programs, whether Meaningful Use, the Interoperability Programs, or MIPS all have a data aggregation component.
• As for the definition of “health data” how does it relates to HIPAA? There are a numerous other terms set forth in 45 CFR §160.103 – Definitions (i.e., PHI and ePHI); 45 CFR § 164.501 – Definitions (i.e., data aggregation); and 45 CFR § 164.501 (designated record set definition). Electronic health information (EHI) is found in the 21st Century Cures Act. In addition, the Proposed Rule, which was published in the Federal Register (88 Fed. Reg. 23746 (Apr. 18, 2023)) mentions “Health Data” in the title and numerous laws, programs, and regulations are mentioned throughout but a uniform definition of health data is not present.

My perspective on the first two items is that a uniform definition of “health data” needs to be adopted. Health data is covered by HIPAA when it relates to patients and the electronic transmission between a covered entity and a business associate. Health data is also covered by the Federal Trade Commission Act when it relates to consumers. All patients are consumers but not all consumers may be patients. Hence why the FTC enforcement actions expressly relate consumer’s health data and utilizing the data without the individual’s knowledge or consent for downstream remunerative purposes. I respectfully disagree with some stakeholders that IP addresses do not fall under HIPAA or the Federal Trade Commission Act. To the contrary, CFR §164.514(a) identifies the 18 individually identifying factors. Biometrics and IP addresses are expressly stated. Depending on the type of information that is being extracted from websites via pixels, it can put the pieces of the puzzle together and fit into the definition of PHI. And, the FTC’s enforcement actions against GoodRx and BetterHelp, Inc. (and other entities) expressly related to IP addresses and the flow of health data to third parties utilizing pixels. Hence, there are two prongs that are prudent: (1) a Business Associate Agreement or other similar agreement which includes both the FTC and HIPAA requirements between the business entities; and (2) obtaining patient and/or consumer consent, which is a separate obligation.

Additionally, what was overlooked was the marketing and sale of PHI which is set forth in the HIPAA Omnibus Rule (78 Fed. Reg. 5566 (Jan. 25, 2013)). "With limited exceptions, the Rule requires an individual's written authorization before a use or disclosure of his or her protected health information can be made for marketing." The Authorization for a Sale must specifically state that the Sale will result in remuneration.

1. The sale of PHI was given additional emphasis in the Final Omnibus Rule, 78 Fed. Reg. 5566 (Jan. 25, 2013). Fundamentally, the sale of PHI equates to disclosure for remuneration. A sale of PHI occurs when there is direct or indirect remuneration, including in-kind remuneration.
2. The definition of a sale of PHI includes a transfer of ownership of the PHI, as well as disclosures of PHI based on an access, license, or lease agreement.
3. There are a number of exclusions to the definition of a Sale of PHI, including for purposes of (i) public health; (ii) research that is covered by HIPAA (e.g., clinical research) if the payment is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI; (iii) treatment and payment; (iv) a sale and merger transaction involving the covered entity or the business associate; (v) activities performed by a business associate for or on behalf of the covered entity (or by a business associate subcontractor for or on behalf of the business associate) if the payment is for the business associate's performance of such activities (or for the subcontractor's performance of such activities); (vi) providing an access or an accounting to an individual; (vii) as required by law; and (viii) as otherwise permitted under HIPAA, where only a reasonable, cost-based fee is paid (or such other fee as permitted by law).

Adhering to these requirements is crucial, as the sale of PHI may serve as the basis of a False Claims Act (FCA) case. In United States v. America at Home Healthcare and Nursing Services, Ltd., 2018 U.S. Dist. LEXIS 2592 (N.D. Ill. Jan. 8, 2018) (hereinafter "America at Home"), the Honorable Robert John Blakely analogized violations of 42 U.S.C. § 1302d-6(a) to violations under the Anti-Kickback Statute in relation to the submission of false claims.

The Centers for Disease Control (CDC) discusses how “data” comes to public health but there is not definition of “health data.” In fact the HIPAA Privacy Rule exception for “[u]ses and disclosures for public health activities” (45 CFR §164.512(b)) uses the term “protected health information” when describing situations where a “public health authority” such as the CDC, may collect or receive information on, among items, communicable diseases.

I do think there is plenty of room for joint enforcement jurisdiction between HHS-OCR and the FTC. This requires a change in the Electronic Data Interchange (EDI) because it has been argued that only entities submitting electronic claims to a government program or a private insurance company are required to comply with HIPAA. If it is a cash transaction, the position is HIPAA does not apply. As stated on the CMS website,

The information in this section is intended for the use of health care providers, clearinghouses and billing services that submit transactions to or receive transactions from Medicare fee-for-service contractors. EDI is the automated transfer of data in a specific format following specific data content rules between a health care provider and Medicare, or between Medicare and another health care plan. In some cases, that transfer may take place with the assistance of a clearinghouse or billing service that represents a provider of health care or another payer. EDI transactions are transferred via computer either to or from Medicare. Through use of EDI, both Medicare and health care providers can process transactions faster and at a lower cost.

State laws, including Texas H.B. 300, which has a broader reach over the persons that are covered, would absolutely need to be considered. A solution would be to change the scope and the definition of EHI, which references ePHI and PHI, to cast a broader net for HHS-OCR enforcement and joint enforcement with the FTC.

In sum, my “two cents” is that HIPAA should not be completely overhauled to accommodate new technologies and state law privacy considerations because the framework is in place. I agree with some stakeholders about a complete overall being burdensome on hospitals, as well as other covered entities and business associates. I also contend that HIPAA’s scope could be broader and that coordination between a multitude of government agencies is required.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.