Privacy Daily is a service of Warren Communications News.
CTA Opposed

Sen. Cassidy Weighs HIPAA Update Covering Modern Devices

The Health Insurance Portability and Accountability Act (HIPAA) hasn’t kept pace with privacy risks associated with wearable devices, Senate Health Committee Chairman Bill Cassidy, R-La., said during a hearing Wednesday. Sen. John Hickenlooper, D-Colo., also addressed the issue, noting state laws like the Colorado Privacy Act impose security requirements on companies selling wearables.

Cassidy in February 2024 released a report on proposals for modernizing HIPAA. It references his Stop Marketing and Revealing the Wearables and Trackers Consumer Health (Smartwatch) Data Act, a bipartisan bill co-authored with Sen. Jacky Rosen, D-Nev.

Consumers are often unaware that makers of these devices and the sensitive data they collect aren’t covered under HIPAA, he said. Device makers can sell this data to third parties, and in turn, it can be used against consumers for health-related reasons, he added.

Cassidy asked witnesses if they would object to Congress expanding HIPAA to cover these devices.

Consumer Technology Association Vice President of Digital Health Rene Quashie was the only witness to object. The data can be used to make discriminatory health-related decisions, he agreed, but said passing a federal privacy bill is a better approach.

Companies selling wearable devices often aren’t healthcare entities and shouldn’t be subjected to HIPAA compliance, he said. Quashie called for a congressional federal privacy law preempting state measures. In addition, such a law should not have a private right of action. Instead, he suggested a designated federal enforcer with state officers supplementing.

Hickenlooper, during his questions, suggested there’s a legal gap for wearable technology. He noted that the Department of Health and Human Services in March collected public comment on a proposal to update its HIPAA Security Rule (see 2503140058). A lack of standardized data-sharing protocols and a lack of encryption mandates are weaknesses in the rule, said Hickenlooper.

Fisher-Titus Chief Information Officer Linda Stevenson agreed, but said that some of the changes proposed by the Biden administration in the Security Rule are excessively burdensome.

Cassidy asked if states should pass health data privacy laws or if Congress should preempt them. Healthcare and Public Health Sector Coordinating Council Executive Director Greg Garcia said that having too many privacy and reporting laws is a longstanding issue: It’s “very expensive and inefficient.”

Ranking member Bernie Sanders, I-Vt., and several of the committee Democrats focused their remarks on the impact of the recently passed reconciliation bill on the healthcare system.