Privacy Daily is a service of Warren Communications News.
'Rise of the States'

States Should Fill Gaps in HIPAA, Privacy Lawyers Say

States must step in to protect healthcare privacy when the federal administration is likely to try to undermine the Health Insurance Portability and Accountability Act's (HIPAA) Privacy Rule, said privacy lawyers in a keynote fireside chat on the politics of healthcare privacy at the National HIPAA Summit Tuesday.

“States need to wake up to the fact that this rule under HIPAA might not be very long-lived or might not be enforced, and that they might need to pass laws not just to fill areas that HIPAA doesn't apply to, but also to address areas that HIPAA does apply to, to add strength to HIPAA,” said Daniel Solove, law professor at the George Washington University Law School. “HIPAA doesn't preempt stricter state law.”

Historically, the Privacy Rule has almost always deferred to state law, as it contains a provision that says if state law requires something, it’s fine, said Adam Greene, who co-chairs Davis Wright's health information and HIPAA practice. “While state law may be stringent, more stringent than HIPAA, there historically has not been much conflict between HIPAA and state law,” he said. A complication, however, is that state attorneys general can enforce HIPAA, which means “the state AGs are definitely a wild card.”

Concerning legislation, “we're seeing the rise of the states,” said Solove. “The states are passing a lot of privacy laws,” both “general consumer privacy laws” and “subject-specific privacy” ones about health data, biometric data [and] children's data. The professor predicted more states will “jump into the health data arena.” The U.S. Supreme Court overturning Roe v. Wade was a “big impetus” in getting states to pass those kinds of laws, he said.

If the HIPAA rule is rolled back in some way, “the states might reconsider the scope of the laws that they're applying,” Solove said. “The states are going to step up, and especially in a climate where there are threats to reproductive healthcare, they're going to take more aggressive steps with these laws.” While Washington state’s My Health My Data Act is a leading model, Solove said that if influential states like New York or California enact additional health privacy legislation, more states will likely follow.

Greene said that 10-15 years ago, the idea of a federal privacy law was opposed, especially by industry. “But now, with so many states passing laws, and this patchwork becoming more and more complicated to comply with, I think there's greater driver ... for a federal privacy law to potentially preempt the patchwork of differing state laws.”

However, Solove thinks a federal privacy law is unlikely. “There are so many issues that could be very politically charged, and this Congress … can't even change the lightbulb, they can barely keep the lights on,” he said. “How are they going to do a complicated issue like privacy?”

Additionally, “states like California, which have a very large number of representatives, are not going to want to undermine their power,” Solove said. “They're not going to want to vote for a law that preempts and then gives all the power to the federal government at a time when the federal government is at odds with the interests of their state.”