I wear a fitness tracker. I rarely take it off. Throughout the course of the day, it collects a bevy of information about me: my heart rate, my exercise habits, the length and quality of my sleep. When aggregated and observed over time, this information certainly reveals quite a bit of insight into my personal health. Yet this health information is not Protected Health Information under HIPAA because the device manufacturer is not a HIPAA-regulated entity.
Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) recently introduced legislation that recognizes this issue. The “Protecting Personal Health Data Act” seeks to “protect the personal health data of all Americans.” It would apply to consumer devices, services, applications, and software that are primarily designed for or marketed to consumers and a substantial purpose of which is to collect personal health data. This would include direct-to-consumer genetic testing services, wearable fitness trackers, and social media sites that are designed for users to share health conditions and experiences.
The proposed law directs the Secretary of Health and Human Services, in consultation with the Chairman of the Federal Trade Commission and others, to promulgate regulations to strengthen privacy and data security protections for personal health information that is collected by consumer devices. In doing so, the Secretary would have to account for differences in the nature and sensitivity of the data collected or stored on the consumer device. Not all personal health data is created equal.
Among other things, the Secretary would also have to consider (i) standards for consent related to the handling of genetic, biometric, and personal health data, with potential exceptions for law enforcement, academic research, emergency medical treatment, or determining paternity; (ii) minimum security standards for collected personal health data; and (iii) standards for the de-identification of personal health data. These standards would include limitations on transferring personal health data to third parties. They would also include an individual’s right to withdraw consent, and to access and delete his or her personal health data.
The proposed law would also establish a National Task Force on Health Data Protection to:
(1) study the long-term effectiveness of de-identification methodologies for genetic and biometric data;
(2) evaluate and provide input on the development of security standards, including encryption standards and transfer protocols, for consumer devices, services, applications, and software;
(3) evaluate and provide input with respect to addressing cybersecurity risks and security concerns related to consumer devices, services, applications, and software;
(4) evaluate and provide input with respect to the privacy concerns and protection standards related to consumer and employee health data; and
(5) provide advice and consultation in establishing and disseminating resources to educate and advise consumers about the basics of genetics and direct-to-consumer genetic testing, and the risks, benefits, and limitations of such testing.
Under the bill, the Task Force would have one year to report its findings to Congress, after which the Secretary would have six months to promulgate appropriate regulations. The bill has been referred to the Committee on Health, Education, Labor, and Pensions.