Bridging the Health Data Privacy and Security Gap
On April 30, 2015, Senator Patrick Leahy (Vt.), a longstanding supporter of consumer privacy and data protection, introduced the Consumer Privacy Protection Act of 2015 (CPPA) to protect personal data. Though it does not provide a private cause of action, it does hold companies accountable for their handling of personal information and seeks to keep consumers informed.
But I thought health information was protected!
Not so fast: health information handled by Covered Entities (healthcare providers) and Business Associates (entities handling health information on behalf of healthcare providers) is protected under HIPAA. But HIPAA does not regulate data held by anyone else, such as data about sleep schedules, dietary intake, weight, height, or any other personally identifiable information.
If a company not covered by HIPAA experiences a data breach, it has no obligations regarding the health information or other personal data unless the breach results in identity theft or financial harm to consumers.
10% of Americans have fitness trackers such as Fitbit, and many more use apps to track sleeping, eating, workouts and chronic health conditions, among other pieces of personal information. None of this data is protected, despite being “health” information, simply because it sits outside the Covered Entity and Business Associate relationship. Over 90% of the respondents in a survey conducted by the California Institute of Technology wanted information about health and physical activity anonymized, consistent with the Pew Research Center’s report that 86% of its respondents had attempted to mask or remove their digital data about their online behavior.
This means that, to date, it is very difficult to know when your information has been compromised, and even more difficult to hold companies responsible for lax data privacy and security standards.
What does the CPPA do?
Subtitle A of the CPPA requires covered entities handling Sensitive Personally Identifiable Information (SPII) of 10,000 individuals during any 12-month period to maintain a comprehensive Consumer Privacy and Data Security Program in which they:
- Conduct risk assessments and implement risk management and control measures;
- Train employees for consumer privacy and data security;
- Conduct Vulnerability Testing;
- Assess and modernize data security; and
- Require any associates handling SPII on their behalf to do the same.
The CPPA adopts a broad definition of SPII that specifically includes “an individual’s first and last name or first initial and last name in combination with any information that relates to the individual’s past, present, or future physical or mental health or condition, or to the provision of healthcare to or diagnosis of the individual.”
This would cover mobile apps, fitness trackers, diet logs, and any similar service that could link a user account to health data.
The legislation does not introduce a new regulatory body, but leaves enforcement with the Attorney General of the United States, the Federal Trade Commission, and state attorneys general. Civil penalties are limited to $16,500 times the number of individuals whose SPII is placed at risk, with a maximum of $5,000,000, unless the covered entity acted willfully and wantonly or intentionally in violating the CPPA.
Under this draft of the bill, the state attorneys general must provide notice to the Attorney General of the United States and the FTC, who then have the right to stay the state action until federal action is taken.
Importantly, preemption of state laws has been limited: the CPPA preempts only those federal and state laws that are less stringent than the CPPA. As the slew of legislation proposed in late 2014 and early 2015 indicates, data privacy and security laws outside the health and financial sectors are a state-by-state hodgepodge of requirements. Some states, such as California, have stringent data security laws; others, such as Alabama, have none at all.
Data Breach Notification
After a breach, Subtitle B requires a covered entity to notify any resident of the United States whose SPII has been or is reasonably believed to have been accessed or acquired:
- Third parties are obligated to notify covered entities;
- Only the covered entity must notify the residents affected;
- Service providers are obligated to notify covered entities; and
- A delay of up to 30 days following discovery of the breach is treated as reasonable, unless an exemption applies.
The CPPA builds in a Safe Harbor where the covered entity reasonably determines that the SPII is, for all intents and purposes, unusable or unidentifiable under methodology accepted by experts in the information security field, and that there is no reasonable likelihood that the security breach has resulted in, or will result in, the misuse of the data.
The covered entity must also notify the FTC and the credit reporting agencies, as well as a federal government entity (to be designated), if the information of more than 5,000 individuals is involved and that information can be used for financial fraud or identity theft.
The penalties under the data breach notification requirements are limited in the same manner as the Subtitle A penalties for non-compliance with the Consumer Privacy and Data Security Program requirements. Each failure to notify an individual is a separate violation, at $16,500 each.
Enforcement again rests with the Attorney General of the United States, the FTC, the FCC and state attorneys general.
Where to next?
The CPPA has immense potential to protect health information that has been left floating between the various sector-based data privacy and security laws. Even if the CPPA does not become law, the conversation it has started about filling the gap in consumer data protection is especially important for health data.
The bill is cosponsored by Al Franken (Minn.), Elizabeth Warren (Mass.), Richard Blumenthal (Conn.), Ron Wyden (Ore.), and Edward Markey (Mass.).
MyFitnessPal, Fitocracy, Argus, MapMyFitness, Noom Coach, and Allergy FT, to name a few.
More recently, TRUSTe’s U.S. Consumer Confidence Index showed that 92% of US Internet users worry about their online privacy. The Global Research Business Network (GRBN) reported that 45% of U.S. respondents were highly concerned about the safety of their personal data, and that 74% of the data considered personal included healthcare data.