Last week, Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) introduced the Protecting Personal Health Data Act (S. 1842), which would provide new privacy and security rules from the Department of Health and Human Services (“HHS”) for technologies that collect personal health data, such as wearable fitness trackers, social-media sites focused on health data or conditions, and direct-to-consumer genetic testing services, among other technologies. Specifically, the legislation would direct the HHS Secretary to issue regulations relating to the privacy and security of health-related consumer devices, services, applications, and software. These new regulations will also cover a new category of personal health data that is otherwise not protected health information under HIPAA.

The Protecting Personal Data Health Act is particularly notable for three reasons. First, this bill would incorporate consumer rights concepts from the EU General Data Protection Regulation (“GDPR”), such as an individual’s right to delete and amend her health data, as well as a right to access a copy of personal health data, at the U.S. federal level. Second, the bill does not contemplate situations where entities are required to retain personal health data under other regulations (though the bill includes an exception for entities covered under the Health Insurance Portability and Accountability Act). Third, the bill requires that HHS establish a national health task force to provide reports to Congress, and at the same time, this bill specifies that any other federal agency guidance or published resources to help protect personal health data must be consistent with HHS Secretary’s rules under this bill, to the degree practicable, which may reflect an expansion of HHS’s authority to set rules and standards for health data previously regulated by other federal agencies (such as the Federal Trade Commission (“FTC”)).

The bill would require HHS, in consultation with the FTC and other relevant stakeholders, to promulgate regulations that “strengthen privacy and security protections for consumers’ personal health data” collected, processed, analyzed, or used by health-related consumer devices, services, applications, and software.

The HHS regulations must address:

  • differences in the nature and sensitivity of data collected or stored by different devices, applications, services, and software;
  • the “appropriate uniform standards for consent” for handling of genetic, biometric, and personal health data as well as appropriate exceptions;
  • minimum security standards;
  • the appropriate standard for de-identification of personal health data, and
  • limits on collection, use, and disclosure of data to those “directly relevant and necessary to accomplish a specific purpose.”

In addition, the bill would require the new HHS regulations to provide individuals with the right to delete and amend their personal health data, to the extent practicable. It also directs HHS to consider developing standards for obtaining user consent to data sharing.

In addition, the Act would create a National Task Force on Health Data Protection to study health data. The Task Force would be required to:

  • evaluate the long-term effectiveness of de-identification techniques for genetic and biometric data;
  • evaluate the development of security standards, including encryption standards and transfer protocols;
  • offer input for cybersecurity and privacy risks of devices;
  • provide advice for the dissemination of resources to educate consumers about genetics and direct-to-consumer genetic testing, and
  • submit a report to Congress no later than one year after the bill’s enactment.

A companion bill has not yet been introduced in the House of Representatives. California is also considering a bill that would expand California’s health privacy law to include any information in possession of or derived from a digital health feedback system, which is broadly defined to include sensors, devices, and internet platforms connected to those sensors or devices that receive information about an individual.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Photo of Anna D. Kraus Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience…

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

Photo of Wade Ackerman Wade Ackerman

Through more than a decade of experience in private practice and positions within the FDA and on the Hill, Wade Ackerman has acquired unique insights into the evolving legal and regulatory landscape facing companies marketing FDA-regulated products. Mr. Ackerman advises clients on FDA…

Through more than a decade of experience in private practice and positions within the FDA and on the Hill, Wade Ackerman has acquired unique insights into the evolving legal and regulatory landscape facing companies marketing FDA-regulated products. Mr. Ackerman advises clients on FDA regulatory matters across a range of sectors, including drugs and biologics, cosmetics, medical devices and diagnostics, and digital health products and services associated with drugs and traditional devices. He serves as one of the leaders of Covington’s multidisciplinary Digital Health Initiative, which brings together the firm’s considerable resources across the broad array of legal, regulatory, commercial, and policy issues relating to the development and marketing of digital health technologies.

Photo of Jayne Ponder Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection…

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.