September 28, 2023

The Honorable Bill Cassidy, MD
United States Senate
Senate Committee on Health, Education, Labor and Pensions
428 Senate Dirksen Office Building, Washington, D.C. 20510

Re: Request for Feedback on Health Data and Privacy
Submitted electronically ([email protected])

Dear Senator Cassidy,

The R Street Institute (R Street) respectfully submits these comments in response to your request for information on Sept. 7, 2023, on improving the privacy protections of health data to safeguard sensitive information while balancing the need to support medical research and medical technology innovation. We commend your interest in safeguarding patients' private information, but we believe the need to protect data privacy and security extends beyond the health care context and has broader security and consumer privacy implications.

Limited Existing Scope and the Need for Broader Data Privacy Action
The Health Insurance Portability and Accountability Act (HIPAA) was designed to regulate medical providers, insurers and other health care entities—not consumer health technologies and applications.[1] However, the expansion of technology and data usage since HIPAA's enactment has significantly increased the number of ways in which sensitive health data can be collected and used.[2]

HIPAA focuses on how covered entities use, disclose and safeguard protected health information. It does not give consumers the broader rights found in modern privacy laws, such as general data deletion or portability rights, nor does it provide broader privacy measures. While there could be room for some updates and amendments to HIPAA for existing covered entities and data, any expansion that attempted to morph the law into a comprehensive data privacy and security law would be complex and disruptive, leaving gaps that harm consumer privacy and security. However, passing a comprehensive federal privacy and security law independently could protect consumer health data while filling in gaps that an expanded HIPAA might not be able to address alone, such as rules for third-party collecting entities ("data brokers") and for advertising.

A law like the American Data Privacy and Protection Act (ADPPA) would help fill gaps for entities and data not covered by HIPAA rather than expand the scope of HIPAA to cover additional entity types.[3] However, it should be noted that the ADPPA explicitly deemed covered entities that comply with several federal laws, including HIPAA, to be in compliance with specific ADPPA provisions with respect to data subject to those laws.[4] R Street previously argued for that exemption to avoid compliance burdens and additional requirements on covered entities.[5]

An ADPPA-like law would be a viable solution to the alarming amount of unprotected consumer health data arising from a piecemeal approach to U.S. privacy laws.[6] R Street has supported a comprehensive national privacy and security law to promote global competitiveness, reduce data security and national security risks, and provide all Americans with privacy protections that are not limited to a single context.[7] We also believe that Congress—not a federal agency alone—should set the standard.

The ADPPA would have addressed several areas around consumer health data. For example, Section 102 would have required an entity that collects "sensitive covered data" to have received "affirmative express consent" from the user before transferring that data to a third party.[8] Sensitive data includes "[a]ny information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual."[9] For example, the data a smartwatch company collects could reveal a user's past, present or future health condition.[10] Under an ADPPA-like law, the company that collected that data would generally not be permitted to share that information with a third-party advertising platform without receiving affirmative, express consent from the user. That is one of several ways in which a comprehensive data privacy and security law connects to health data.

While the attention to the critical need to protect consumer health data is laudable, reinventing HIPAA to address the modern digital landscape seems incomplete when options like the ADPPA are on the table.

National Security and Cybersecurity Implications
We are encouraged by the focus on health data protection because we believe it has national security implications, and any effort to revisit HIPAA should give this matter adequate attention. To this point, the 2023 Annual Threat Assessment of the U.S. Intelligence Community illuminates the national security risks from foreign adversaries acquiring and analyzing U.S. persons' data to increase the success of their espionage, influence, kinetic and cyber attack operations.[11] It highlighted that China has acquired the genetic and health data of many U.S. persons through cyber breaches and by acquiring and investing in biotech companies.[12]

Similarly, the National Cybersecurity Strategy noted that “the dramatic proliferation of personal information expands the threat environment and increases the impact of data breaches on consumers.”[13] The administration highlighted the need for “robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information.”[14]

We share the sentiments expressed in both documents and underscored this in recent congressional testimony.[15] The need to secure Americans’ data is dire because the United States lacks a comprehensive federal privacy law, and HIPAA does not sufficiently protect health data collected from emerging technologies and smart devices. Additional provisions to better account for this are possible, but a comprehensive data privacy and security law would address security more completely.

Emerging Technologies Implications
As with many emerging technologies, artificial intelligence (AI) brings extraordinary opportunities as well as risks, and adversaries will look to exploit them.[16] By combining high-performance computing, AI and large amounts of health data, our foreign adversaries could gain the means to influence future battlefields and even target Americans directly through cyber attacks and mis/disinformation campaigns. Comprehensive privacy legislation would not only help protect health data but would also help address privacy risks present with AI and emerging technologies through general data privacy principles.[17] We believe a comprehensive data privacy law is a critical step in addressing any privacy concerns with AI.

R Street is happy to be a resource as your consideration of health data and privacy continues. Please do not hesitate to reach out to us at any time.

Respectfully submitted,

Brandon Pugh
Director, Cybersecurity and Emerging Threats
[email protected]

Steven Ward
Fellow, Cybersecurity and Emerging Threats
[email protected]

[1] Public Health Law, “Health Insurance Portability and Accountability Act of 1996,” Public Health Professionals Gateway, June 27, 2022. https://www.cdc.gov/phlp/publications/topic/hipaa.html.

[2] Thorin Klosowski, “The State of Consumer Data Privacy Laws in the US (And Why It Matters),” Wirecutter, Sept. 6, 2021. https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us.

[3] H.R. 8152, American Data Privacy and Protection Act, 117th Congress. https://www.congress.gov/bill/117th-congress/house-bill/8152/text/ih#toc-H9226B696D3C4437D8AB1E53B03DBBC7F.

[4] Ibid.

[5] Tatyana Bolton et al., “Preemption in Federal Data Security and Privacy Legislation,” R Street Institute, May 31, 2022. https://www.rstreet.org/commentary/preemption-in-federal-data-security-and-privacy-legislation.

[6] Steven Ward, "FTC takes a swing at protecting consumer health data," R Street Institute, Feb. 14, 2023. https://www.rstreet.org/commentary/ftc-takes-a-swing-at-protecting-consumer-health-data.

[7] Tatyana Bolton et al., “The Path to Reaching Consensus for Federal Data Security and Privacy Legislation,” R Street Institute, May 26, 2022. https://www.rstreet.org/commentary/the-path-to-reaching-consensus-for-federal-data-security-and-privacy-legislation.

[8] H.R. 8152. https://www.congress.gov/bill/117th-congress/house-bill/8152/text/ih#toc-H9226B696D3C4437D8AB1E53B03DBBC7F.

[9] Ibid.

[10] Natasha Singer, “GoodRx Leaked User Health Data to Facebook and Google, F.T.C. Says,” The New York Times, Feb. 1, 2023. https://www.nytimes.com/2023/02/01/business/goodrx-user-data-facebook-google.html.

[11] “Annual Threat Assessment of the U.S. Intelligence Community,” Office of the Director of National Intelligence, Feb. 6, 2023. https://www.dni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf.

[12] Ibid.

[13] “National Cybersecurity Strategy,” The White House, March 1, 2023. https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.

[14] Ibid.

[15] Brandon J. Pugh, "Submitted Statement of Brandon J. Pugh, Esq. Policy Director & Resident Senior Fellow, Cybersecurity & Emerging Threats, R Street Institute, Before the Subcommittee on Innovation, Data, and Commerce, United States House of Representatives," R Street Institute, Feb. 1, 2023. https://d1dth6e84htgma.cloudfront.net/Brandon_Pugh_Testimony_020123_Hearing_36ecfd8b92.pdf?updated_at=2023-02-01T14:31:57.744Z.

[16] "Annual Threat Assessment of the U.S. Intelligence Community." https://www.dni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf.

[17] Brandon Pugh and Steven Ward, “What does AI need? A comprehensive federal data privacy and security law,” International Association of Privacy Professionals, July 12, 2023. https://iapp.org/news/a/what-does-ai-need-a-comprehensive-federal-data-privacy-and-security-law.