Numerous data privacy and security laws govern the private sector’s collection and use of health data in the USA. These laws vary in scope and substance but some combination of them would probably apply to your company if, for example, it does any of the following in the country:
- Diagnoses or treats patients’ health conditions;
- Offers an app intended to promote the health or wellness of consumers;
- Provides health insurance or helps to process health insurance claims;
- Collects health information from employees or other workers;
- Performs research and receives health information from research subjects and respondents; or
- Provides data processing services to organizations that perform the above functions.
In many situations, companies have to obtain express consent to process health data and may be subject to detailed requirements regarding how to obtain consent (such as mandatory disclosures, placement and font sizes) and how to deal with withdrawals of consent. But there are also situations where it would be inappropriate or illegal to seek an individual’s consent to collect or use their health data, such as to use their results from a genetic test to consider whether to promote them. In still other situations, companies must process health data in certain ways regardless of whether the data subject consents, such as where the company is subject to mandatory infectious disease reporting obligations or court disclosure orders. In all cases, companies should develop and maintain reasonable and appropriate information security measures designed to protect the security, integrity, availability and confidentiality of the data.
To help illustrate the detailed legal landscape that applies to the processing of health data, the following outlines some relevant regimes in the USA:
- The Health Insurance Portability and Accountability Act (HIPAA): This federal statute applies to health care providers, health plans and health care clearinghouses (collectively, “covered entities”), and entities handling protected health information on covered entities’ behalf (“business associates”). Just because a company provides health-related services does not mean it is a “health care provider” covered by HIPAA—whether the company engages in health insurance-related or other specified transactions is also relevant. HIPAA authorizes covered entities to use and disclose protected health information without consent for several core purposes, including to treat the data subject, process payments, and perform internal health care operations. HIPAA also permits covered entities to use or disclose data without consent in a number of ancillary situations as long as prescribed conditions are met, such as to respond to law enforcement requests, engage in public health activities, fulfil research purposes, or avert a serious threat. HIPAA otherwise requires covered entities to obtain an authorization to use or disclose an individual’s protected health information. Covered entities also have to publish adequate privacy notices and give effect to certain data subject rights. HIPAA establishes breach reporting and data security standards to which all covered entities and business associates must adhere.
- State-Level Health Privacy Laws: HIPAA expressly authorizes states to enact health privacy laws that are more stringent. Various states have enacted health privacy laws that apply to particular types of data, activities or participants in the health industry. An example is California’s Confidentiality of Medical Information Act (CMIA). CMIA imposes privacy and security requirements on healthcare providers, among others, and defines healthcare provider broadly to include certain healthcare practitioners as well as any business that offers software or hardware to a consumer for the purposes of allowing them to manage their medical information or to self-diagnose, treat, or manage a medical condition. CMIA may therefore apply to operators of health and wellness apps that don’t involve services covered by health insurance but which do involve the processing of medical information. In 2020, for example, the California Department of Justice enforced CMIA against the provider of a fertility-tracking mobile app for allegedly disclosing user data to third parties without consent and failing to secure user data. CMIA generally prohibits health care providers and their contractors from disclosing medical information without the data subject’s authorization unless one of a number of specific exceptions applies, some of which overlap with the exceptions under HIPAA.
- Health Privacy Laws in the Workplace: Companies have legitimate interests in collecting and using health data from their workers, including to keep the workplace safe in accordance with occupational safety and health (OSHA) regulations and administer health benefits. At the same time, statutes such as the Americans with Disabilities Act (ADA), Genetic Information Nondiscrimination Act (GINA), and other federal laws, as well as state laws such as CMIA, restrict employers’ collection, use and disclosure of certain types of health data. For example, ADA prohibits employers from medically examining their employees unless the examinations are job-related and consistent with business necessity, and regulates how employers must maintain employee medical information internally; GINA prohibits employers from discriminating against any employee because of their genetic information; OSHA regulations prescribe detailed retention obligations on employee medical records; and CMIA generally prohibits employers from using or disclosing employee medical information without the data subject’s authorization unless one of several narrow exceptions applies.
- Laws Regulating Biomedical and Behavioral Human Subject Research: The Federal Policy for the Protection of Human Subjects (also known as the “Common Rule”) comprises a set of ethical standards that 16 federal bodies in the USA have codified as regulatory requirements that apply to human subject research studies under their purview, and which numerous institutions in the USA have voluntarily adopted as a mandatory policy. The Common Rule requires researchers to obtain an individual’s prior, informed consent before commencing the research. For consent to be valid, the consent form must contain various disclosures regarding the processing of the research subject’s personal information, including the extent to which confidentiality of personal data will be maintained, whether the research might include whole genome sequencing, and details regarding the researcher’s proposed storage, maintenance and secondary research use of the individual’s identifiable private information or identifiable biospecimens.
- Consumer Privacy Laws: At the federal level, the Federal Trade Commission (FTC) generally has authority to bring enforcement actions against “unfair and deceptive trade practices”, which the FTC recently used to enforce against a health-related app developer that allegedly disclosed users’ health data to third parties in contravention of its privacy policy. At the state level, five states have currently enacted general consumer privacy laws that protect the personal information of their own residents: California, Colorado, Connecticut, Virginia and Utah. Only California’s privacy law, the California Consumer Privacy Act (CCPA), is currently in force; the others become effective in 2023. All five of these state laws will impose special requirements on the processing of health information and other categories of “sensitive” data. These requirements include in some cases opt-in consent requirements or else requirements to allow consumers to opt out of certain processing activities involving the sensitive data. The federal American Data Privacy and Protection Act (HR 8152), if enacted in its current form, would also impose more onerous requirements on the processing of health or other prescribed categories of sensitive data.
- Breach Notification Laws: Every state in the USA has its own data breach notification statute, and many of them list health information as a type of information that triggers breach notification requirements if it was subject to unauthorized acquisition and certain other conditions are met. Similarly, the federal Cyber Incident Reporting for Critical Infrastructure Act recognizes the healthcare sector as a critical infrastructure sector. Once certain rules implementing this statute have been enacted, it is expected that companies operating in the healthcare sector will be required to report covered cyber incidents within 72 hours of having a reasonable belief that the incident occurred, and report data ransom payments within 24 hours of making them.
Companies must therefore carefully examine the data privacy and security laws that apply if they collect, use and disclose Americans’ health data. Given the sensitivity of health data, regulators in the USA actively monitor compliance in this space, and class actions alleging the unauthorized processing of health data are common.