Congress is debating whether to enact a national privacy law. Such a law would upend the approach taken so far in United States privacy law, which has either been sector specific (healthcare, financial services, education) or has addressed specific practices (telemarketing, email marketing, data gathering from children). The United States does not, today, have a comprehensive national privacy law. Pressure from the European Union’s General Data Protection Regulation (GDPR)[1] and from California, through the California Consumer Privacy Act (CCPA),[2] is driving some of this national debate. The conventional wisdom is that, while the United States is moving towards such legislation, there is still a long way to go. Part of this debate is a significant disagreement about many of the core provisions of what would go into this law, including (but clearly not limited to) how to treat healthcare — either as a category of data or as an industry.
So far, healthcare data may not be getting enough attention in the debate, driven in part by a widespread sense that healthcare privacy has already been addressed. Because of the odd legislative history of the Health Insurance Portability and Accountability Act of 1996 (HIPAA),[3] however, we are now living with the implications of a law that (1) was driven by considerations other than privacy and security, and (2) was built around a picture of an industry that no longer matches how the healthcare system works today. Accordingly, there is a growing volume of “non-HIPAA health data” across enormous segments of the economy, and the challenge is figuring out how to address concerns about this data in a system where it is subject to no specific regulation today.
The substantial experience with HIPAA to date also provides meaningful insight into how a future privacy law could work. There are critical elements of HIPAA that have worked well — for both consumers and industry — and from which we may take lessons for the future. At the same time, the gaps in HIPAA’s protections — mainly the result of a legislative accident and of significant technological and industry change — have grown to largely untenable levels. These gaps have left a broad range of entities creating, using, and disclosing healthcare information outside the reach of the HIPAA Rules. This growing body of non-HIPAA health data needs to be addressed in some way.
This leads to the national debate. A variety of approaches are being applied to healthcare data today. This article explores some of the models to date and reviews other efforts to set standards for the treatment of healthcare data. In addition, this article looks at a new challenge: the usefulness, to the healthcare industry, of data that does not seem to be about our health at all. The primary goal of this article is to identify these issues and to begin (or, to be fair, continue) a dialogue on how these principles should be applied to protect consumers while still permitting the critical healthcare industry to move forward effectively and efficiently. That dialogue had largely stalled before being absorbed into the broader national privacy law debate.