Regulatory schemes for the protection of data, whether healthcare or otherwise, are often criticized in the United States for being fragmentary and siloed. No coordinated regulatory framework exists because that is not the way in which United States law was implemented. Instead, different industries have their own structures, and those are the “lucky” industries as many do not have any protective scheme at all. Healthcare has arguably the most famous data protection scheme in place, the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (“HIPAA”).
Despite the arguably robust privacy protections contained within HIPAA, the question remains whether those protections are sufficient. Professor Nicolas Terry raised this question in his recent article “Existential Challenges for Healthcare Data Protection in the United States.” While Professor Terry praises the robust nature of privacy protections of HIPAA, it is really only a positive endorsement by comparison to the poor state of other privacy protections in the United States.
As explained by Professor Terry, HIPAA places almost all of its eggs in implementing “downstream rules.” Downstream rules focus on the processing, or use and disclosure, of data. For those familiar with the HIPAA Privacy Rule, this explanation makes a lot of sense. The Privacy Rule governs the use and disclosure of protected health information. There is no focus on “upstream” or collection activities. All efforts are placed on setting parameters around how data are distributed. Further, HIPAA is limited in the scope of players to which it applies. There are three broad categories of entities who need to comply with HIPAA: covered entities, business associates, and subcontractors. Covered entities, the driving force, are really the traditional players in healthcare, namely providers (encompassing physicians, hospitals, nursing homes, home health care, and more) and health insurers. Noticeably absent are the newer entities like mobile health app developers or wearable manufacturers who operate on the periphery of the traditional healthcare system.
To the heart of Professor Terry’s concern, the overabundance of downstream protections and the hyper-focus on traditional healthcare create significant deficiencies in what is arguably the best set of privacy protections in the United States. The incoming General Data Protection Regulation (“GDPR”) that will soon be in full force and effect in the European Union is cited as the premier privacy scheme as it combines a variety of protective measures. Is implementation of a scheme like the GDPR possible in the United States? That is an open question.
Systems in the United States have been allowed to develop in silos and without much coordination. As a result, the systems that are in place have developed in a specialized manner uniquely tailored to their individual industries. While it would be good to see a generally applicable framework for protection of all data that is industry agnostic, such a hope is unlikely to come to fruition any time in the near future. Given that reality, it is necessary to work within the existing framework (HIPAA) and get creative in finding the means of expanding requirements.
One “creative” (or confusing) means of expanding the framework of privacy protections is the layer added by state law. While state law cannot loosen protections created by federal law, it can add more proscriptive requirements. Many states have piled onto HIPAA’s downstream protections by restricting use and disclosure of different forms of sensitive information, such as mental health, HIV/AIDS or other discrete matters. Additionally, states are imposing data breach notification requirements onto entities in the healthcare industry that go beyond the notice required by HIPAA. From this perspective, maybe states could help in switching the paradigm to add “upstream” protective requirements. A patchwork approach from the state level would impose burdens on entities at first, but could result in a couple of federal-level scenarios. One would be pre-emption by federal law imposing uniform collection requirements; alternatively, such laws could be struck down in a different form of pre-emption. Either way, a clear standard could be set.
The bottom line is that the world of data protection has entered a new reality. The amount of data being created increases every day with no sign of slowing down any time soon. Will the law be able to keep up?