Last week, Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) introduced the Protecting Personal Health Data Act (S. 1842), which would provide new privacy and security rules from the Department of Health and Human Services (“HHS”) for technologies that collect personal health data, such as wearable fitness trackers, social-media sites focused on health data or conditions, and direct-to-consumer genetic testing services, among other technologies.  Specifically, the legislation would direct the HHS Secretary to issue regulations relating to the privacy and security of health-related consumer devices, services, applications, and software. These new regulations will also cover a new category of personal health data that is otherwise not protected health information under HIPAA.

The Protecting Personal Health Data Act is particularly notable for three reasons.  First, this bill would incorporate, at the U.S. federal level, consumer rights concepts from the EU General Data Protection Regulation (“GDPR”), such as an individual’s right to delete and amend her health data, as well as a right to access a copy of personal health data.  Second, the bill does not contemplate situations where entities are required to retain personal health data under other regulations (though the bill includes an exception for entities covered under the Health Insurance Portability and Accountability Act). Third, the bill requires that HHS establish a national health task force to provide reports to Congress; at the same time, the bill specifies that any other federal agency guidance or published resources intended to help protect personal health data must be consistent, to the degree practicable, with the HHS Secretary’s rules under this bill, which may reflect an expansion of HHS’s authority to set rules and standards for health data previously regulated by other federal agencies (such as the Federal Trade Commission (“FTC”)).

The bill would require HHS, in consultation with the FTC and other relevant stakeholders, to promulgate regulations that “strengthen privacy and security protections for consumers’ personal health data” collected, processed, analyzed, or used by health-related consumer devices, services, applications, and software.

The HHS regulations must address:

  • differences in the nature and sensitivity of data collected or stored by different devices, applications, services, and software;
  • the “appropriate uniform standards for consent” for handling of genetic, biometric, and personal health data as well as appropriate exceptions;
  • minimum security standards;
  • the appropriate standard for de-identification of personal health data, and
  • limits on collection, use, and disclosure of data to those “directly relevant and necessary to accomplish a specific purpose.”

In addition, the bill would require the new HHS regulations to provide individuals with the right to delete and amend their personal health data, to the extent practicable.  It also directs HHS to consider developing standards for obtaining user consent to data sharing.

The Act would also create a National Task Force on Health Data Protection to study health data.  The Task Force would be required to:

  • evaluate the long-term effectiveness of de-identification techniques for genetic and biometric data;
  • evaluate the development of security standards, including encryption standards and transfer protocols;
  • offer input on the cybersecurity and privacy risks of devices;
  • provide advice for the dissemination of resources to educate consumers about genetics and direct-to-consumer genetic testing, and
  • submit a report to Congress no later than one year after the bill’s enactment.

A companion bill has not yet been introduced in the House of Representatives.  California is also considering a bill that would expand California’s health privacy law to include any information in possession of or derived from a digital health feedback system, which is broadly defined to include sensors, devices, and internet platforms connected to those sensors or devices that receive information about an individual.

Wade Ackerman

Wade Ackerman advises companies and trade associations on complex and novel FDA regulatory issues that require coordinated legal, regulatory, and public policy strategies.

Through more than 19 years of experience in private practice and positions within the FDA and on Capitol Hill, Wade has acquired unique insights into the evolving legal and regulatory landscape facing companies marketing FDA-regulated products. He co-leads Covington’s multidisciplinary Digital Health Initiative, which brings together the firm’s considerable global resources to advise life sciences and health technology clients harnessing the power of information technology and data to create new and cutting-edge innovations to improve health and achieve better outcomes for patients.

Until June 2016, Wade served as Senior FDA Counsel to the U.S. Senate Health Education, Labor & Pensions (HELP) Committee Ranking Member Patty Murray (D-WA) and, prior to that, Chairman Tom Harkin (D-IA). While at the HELP Committee, Wade was involved in all major FDA legislative initiatives, oversight hearings, and other Senate HELP Committee activities concerning the FDA and the Federal Food, Drug, and Cosmetic Act. From January 2015 through June 2016, he helped negotiate many of the FDA-related provisions in the 21st Century Cures Act, which included reforms to FDA’s review and approval of new drugs, devices, combination products, and digital health software. He also worked closely with the FDA and other stakeholders as Congress examined legislative reforms in other key areas, including diagnostics and laboratory developed tests, cosmetics, and over-the-counter drugs.

Before taking his Senate role, Wade served for more than five years as Associate Chief Counsel within the FDA’s Office of Chief Counsel. He was responsible for providing legal advice to the FDA’s Center for Drug Evaluation and Research (CDER) and the Office of Commissioner (OC) on a wide range of issues. While at FDA, he also helped to develop and implement the Food and Drug Administration Safety and Innovation Act (FDASIA) of 2012 and the Drug Quality and Security Act (DQSA) of 2013—both significant reforms to FDA’s regulatory authorities.

Anna D. Kraus

Anna Durand Kraus advises on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (“HHS”) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and HIPAA privacy and security. Anna is co-chair of the firm’s Health Care Industry practice group.

Anna regularly advises clients on Medicare reimbursement matters, particularly those arising under Part B and the Part D prescription drug benefit. She also has extensive experience with the Medicaid Drug Rebate program. She assists numerous pharmaceutical and device manufacturers, health care providers, pharmacy benefit managers, and other health care industry stakeholders to navigate the challenges and opportunities presented by the Affordable Care Act.

Anna is a trusted adviser on health information privacy, security and breach notification issues, including those arising under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Her background in this area dates back to the issuance of the original HIPAA privacy regulations.

Anna’s clients depend on her to guide them through compliance with the Anti-Kickback statute, the Stark regulations, and other laws preventing fraud and abuse in the health care industry. Her deep knowledge of these laws has made her an important component of the firm’s representation of pharmaceutical companies and health care organizations under federal investigation or facing allegations under the False Claims Act. In addition, clients contemplating acquisitions in the health care sector rely on her to guide due diligence efforts.

Jayne Ponder

Jayne Ponder counsels national and multinational companies across industries on data privacy, cybersecurity, and emerging technologies, including Artificial Intelligence and Internet of Things.

In particular, Jayne advises clients on compliance with federal, state, and global privacy frameworks, and counsels clients on navigating the rapidly evolving legal landscape. Her practice includes partnering with clients on the design of new products and services, drafting and negotiating privacy terms with vendors and third parties, developing privacy notices and consent forms, and helping clients design governance programs for the development and deployment of Artificial Intelligence and Internet of Things technologies.

Jayne routinely represents clients in privacy and consumer protection enforcement actions brought by the Federal Trade Commission and state attorneys general, including related to data privacy and advertising topics. She also helps clients articulate their perspectives through the rulemaking processes led by state regulators and privacy agencies.

As part of her practice, Jayne advises companies on cybersecurity incident preparedness and response, including by drafting, revising, and testing incident response plans, conducting cybersecurity gap assessments, engaging vendors, and analyzing obligations under breach notification laws following an incident.

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.