By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure – #HCdeJure
The scope of actual and proposed privacy regulators, laws, requirements, processes, and more keep expanding. The expansion is occurring at both the federal and state level resulting in an ever-increasing patchwork of requirements for organizations to be aware of and comply with.
The Federal Growth
From the federal perspective, not much has occurred yet on a legislative front. The pre-pandemic momentum for comprehensive privacy legislation appears to have evaporated. While bills are pending in Congress, there is not much likelihood of any bill passing. Leaving aside the lack of alignment over what should be included in the text of any bill, the looming election year is also casting a big shadow. The election year can cynically be viewed as setting the stage for neither party wanting to provide a victory to campaign on for the other side. That practical reality will certainly complicate any efforts in Congress.
The Federal Trade Commission (FTC) is making the biggest current waves on the agency front. First, the FTC has waded into the regulation of healthcare data with three recent enforcement actions. The enforcement actions focused on misleading terms or insufficient privacy protections of sensitive information. The enforcement focused on the use of healthcare information for marketing reasons without necessarily obtaining full consent or providing clear notice of what would happen with their data. That is especially concerning since the information being shared out is about each individual’s health. Most folks do not want that information being shared without knowing what is happening.
The second action taken by the FTC was publishing a proposed rule to modify its health breach notification rule. The FTC’s rule is intended to cover breaches that fall outside the coverage of HIPAA. The proposed rule seeks to further expand the regulatory coverage by more explicitly applying to healthcare information contained in applications and other technology that fall outside the score of HIPAA. The proposed rule also expands when breach notification would be required and improve notice to consumers among other changes. The basic intent is to fill the void left without an overarching federal privacy scheme.
The last federal action of note is the proposed rule from the Office for Civil Rights to encode new limitations on the use and disclosure of data related to reproductive health care. More detail on the proposed rule to change HIPAA can be found here.
States Continue to Wade In
In the absence of a comprehensive federal approach to privacy, states continue to pass their own laws. The growing multitude of laws complicates compliance efforts for organizations because there is a continually moving target of what needs to be done.
The list will likely keep changing as 2023 progresses, but here is the current list of states that are having new privacy laws become effective in 2023 and/or have passed new laws:
- California
- Colorado
- Connecticut
- Indiana
- Iowa
- Tennessee
- Utah
- Washington
- Virginia
Each of those laws can contain unique specifications as to when the law becomes applicable to an organization, which means diving into the details to determine if or when compliance becomes necessary. Each new state that enacts or expands privacy protection also continues the divide across the country of which state residents can benefit from enhanced protections.
Problems with a Patchwork
Why is a patchwork approach problematic? As already suggested, the patchwork approach means state residency can play a large role in determining how well an individual’s data may be protected. That means individuals are left uncertain as to when or how their sensitive information will be kept private and what rights an individual may enjoy over the information. A nuance that individuals likely will not consider is that the laws do not apply to every organization. Quite frequently the laws have minimum thresholds that must be met before an organization needs to comply. That results in many startups not yet having to comply because a startup’s data quantity and/or revenue will fall short of what the law calls for prior to compliance becoming mandatory. The disparity in data treatment can leave individuals with insufficient protection in states that favor a less regulated approach or do not have the ability to pass legislation.
Another complication again suggested above, is that having each state pass its own privacy scheme makes operating a business harder. Organizations have to track legislation and regulations in each state, assess whether the laws apply, and then develop compliance programs to meet the requirements of those laws. That is a costly, time-consuming, and burdensome process that just sets organizations up for missing a detail and becoming exposed to enforcement action.
While a single comprehensive, pre-emptive federal privacy scheme is most likely a long ways off at this point in time, it is important to recognize the potential benefit of that approach and keep discussions around it alive. Maintaining public discourse on the drawbacks of the patchwork approach could also facilitate the development of a better approach. It is not out of the realm of possibility that more productive or beneficial ideas could be developed. The important point is that such an outcome can only occur if privacy remains an active consideration.
This article was originally published on The Pulse blog and is republished here with permission.