Introduction

Numerous data privacy and security laws govern the private sector's collection and use of health data in the United States. These laws vary in scope and substance but some combination of them would probably apply to a company if, for example, it does any of the following in the country:

  • diagnoses or treats patients' health conditions;
  • offers an app intended to promote the health or wellness of consumers;
  • provides health insurance or helps to process health insurance claims;
  • collects health information from employees or other workers;
  • performs research and receives health information from research subjects and respondents; or
  • provides data processing services to organisations that perform the above functions.

In many situations, companies have to obtain express consent to process health data and may be subject to detailed requirements regarding how to obtain consent (such as mandatory disclosures, placement and font sizes) and how to deal with withdrawals of consent. But there are also situations where it would be inappropriate or illegal to seek an individual's consent to collect or use their health data, such as to use their results from a genetic test to consider whether to promote them. In still other situations, companies must process health data in certain ways regardless of whether the data subject consents, such as where the company is subject to mandatory infectious disease reporting obligations or court disclosure orders. In all cases, companies should develop and maintain reasonable and appropriate information security measures designed to protect the security, integrity, availability and confidentiality of the data.

To help illustrate the detailed legal landscape that applies to the processing of health data, this article outlines some relevant regimes in the United States.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) applies to:

  • healthcare providers;
  • health plans and health care clearinghouses (collectively, "covered entities"); and
  • entities handling protected health information on covered entities' behalf ("business associates").

Just because a company provides health-related services does not mean it is a "healthcare provider" covered by the HIPAA – whether the company engages in health insurance-related or other specified transactions is also relevant. The HIPAA authorises covered entities to use and disclose protected health information without consent for several core purposes, including to treat the data subject, process payments and perform internal healthcare operations. The HIPAA also permits covered entities to use or disclose data without consent in a number of ancillary situations as long as prescribed conditions are met, such as to respond to law enforcement requests, engage in public health activities, fulfil research purposes or avert a serious threat. The HIPAA otherwise requires covered entities to obtain an authorisation to use or disclose an individual's protected health information. Covered entities also have to publish adequate privacy notices and give effect to certain data subject rights. The HIPAA establishes breach reporting and data security standards to which all covered entities and business associates must adhere.

State-level health privacy laws

HIPAA expressly authorises states to enact health privacy laws that are more stringent. Various states have enacted health privacy laws that apply to particular types of data, activities or participants in the health industry. An example is California's Confidentiality of Medical Information Act (CMIA). The CMIA imposes privacy and security requirements on healthcare providers, among others, and defines "healthcare provider" broadly to include certain healthcare practitioners as well as any business that offers software or hardware to a consumer for the purposes of allowing them to manage their medical information or to self-diagnose, treat or manage a medical condition. The CMIA may therefore apply to operators of health and wellness apps that do not involve services covered by health insurance but that do involve the processing of medical information. In 2020, for example, the California Department of Justice enforced the CMIA against the provider of a fertility-tracking mobile app for allegedly disclosing user data to third parties without consent and failing to secure user data. The CMIA generally prohibits healthcare providers and their contractors from disclosing medical information without the data subject's authorisation unless one of a number of specific exceptions applies, some of which overlap with the exceptions under the HIPAA.

Workplace health privacy laws

Companies have legitimate interests in collecting and using health data from their workers, including to keep the workplace safe in accordance with Occupational Safety and Health Administration (OSHA) regulations and to administer health benefits. At the same time, statutes such as the Americans with Disabilities Act (ADA), the Genetic Information Non-discrimination Act (GINA) and other federal laws, as well as state laws such as the CMIA, restrict employers' collection, use and disclosure of certain types of health data. For example:

  • the ADA prohibits employers from medically examining their employees unless the examinations are job-related and consistent with business necessity, and regulates how employers must maintain employee medical information internally;
  • the GINA prohibits employers from discriminating against any employee because of their genetic information;
  • OSHA regulations prescribe detailed retention obligations on employee medical records; and
  • the CMIA generally prohibits employers from using or disclosing employee medical information without the data subject's authorisation unless one of several narrow exceptions applies.

Laws regulating biomedical and behavioural human subject research

The Federal Policy for the Protection of Human Subjects (also known as the "Common Rule") comprises a set of ethical standards that 16 federal bodies in the United States have codified as regulatory requirements that apply to human subject research studies under their purview, and that numerous institutions in the United States have voluntarily adopted as a mandatory policy. The Common Rule requires researchers to obtain an individual's prior, informed consent before commencing the research. For consent to be valid, the consent form must contain various disclosures regarding the processing of the research subject's personal information, including:

  • the extent to which confidentiality of personal data will be maintained;
  • whether the research might include whole genome sequencing; and
  • details regarding the researcher's proposed storage, maintenance and secondary research use of the individual's identifiable private information or identifiable biospecimens.

Consumer privacy laws

At the federal level, the Federal Trade Commission (FTC) generally has authority to bring enforcement actions against "unfair and deceptive trade practices", authority it recently used to bring an action against a health-related app developer that allegedly disclosed users' health data to third parties in contravention of its privacy policy. At the state level, five states have so far enacted general consumer privacy laws that protect the personal information of their own residents: California, Colorado, Connecticut, Virginia and Utah. Only California's privacy law, the California Consumer Privacy Act, is currently in force; the others become effective in 2023. All five of these state laws will impose special requirements on the processing of health information and other categories of "sensitive" data. In some cases these requirements take the form of opt-in consent; in others, consumers must be allowed to opt out of certain processing activities involving the sensitive data. The federal American Data Privacy and Protection Act (HR 8152), if enacted in its current form, would also impose more onerous requirements on the processing of health or other prescribed categories of sensitive data.

Breach notification laws

Every state in the United States has its own data breach notification statute, and many of them list health information as a type of information that triggers breach notification requirements if it was subject to unauthorised acquisition and certain other conditions are met. Similarly, the federal Cyber Incident Reporting for Critical Infrastructure Act recognises the healthcare sector as a critical infrastructure sector. Once certain rules implementing this statute have been enacted, it is expected that companies operating in the healthcare sector will be required to report covered cyber incidents within 72 hours of having a reasonable belief that the incident occurred, and report data ransom payments within 24 hours of making them.

Comment

Companies must carefully examine the data privacy and security laws that apply if they collect, use and disclose Americans' health data. Given the sensitivity of health data, regulators in the United States actively monitor compliance in this space, and class actions alleging the unauthorised processing of health data are common.

For further information on this topic please contact Jonathan Tam at Baker McKenzie by telephone (+1 415 576 3000) or email ([email protected]). The Baker McKenzie website can be accessed at www.bakermckenzie.com.