On February 21, 2024, Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, issued a white paper, “Strengthening Health Data Privacy for Americans: Addressing the Challenges of the Modern Era”, which proposes several updates to the privacy protections for health data. This follows Senator Cassidy’s September 2023 request for information from stakeholders about how to enhance health data privacy protections covered by the Health Insurance Portability and Accountability Act (“HIPAA”) framework and to consider privacy protections for other sources of health data not currently covered by HIPAA. The white paper notes that several entities, including trade associations, hospitals, health technology companies, and think tanks, responded to the RFI.

The white paper describes the importance of health information, including the potential for such data to be used “to increase access to care, support research for new diagnostics and treatments, improve care quality and outcomes, and lower care costs.” At the same time, Senator Cassidy notes that health data faces higher risk of misuse than other types of data, which he believes necessitates changes to existing health privacy protections.

In short, Senator Cassidy calls on Congress to consider specific updates to the HIPAA framework, including with respect to the use of de-identified data for research, and to examine specific areas where he believes that the Department of Health and Human Services (“HHS”) Office for Civil Rights’ (“OCR”) guidance interpreting HIPAA has been insufficient. He also calls on Congress to pass a comprehensive data privacy law, noting that 13 states and 137 countries have passed data privacy frameworks, and to consider federal minimum standards for health data that is not regulated by HIPAA. Further, Senator Cassidy calls for Congress to take steps to bring existing health privacy frameworks more in line with consumer expectations, including as it relates to the use of genetic data for research, focusing largely on direct-to-consumer companies.

Senator Cassidy’s white paper organizes the proposals into the following categories: (1) Updates to the Current HIPAA Framework, (2) Health Data in the HIPAA “Gray Area,” and (3) Data Outside of HIPAA. This is the first of a two-part series on Senator Cassidy’s white paper. Below, we discuss the updates to the existing HIPAA framework proposed in the white paper. The other two categories will be discussed in a forthcoming Part 2.

Updates to HIPAA Framework

Senator Cassidy’s white paper suggests that he believes major revisions to HIPAA could cause disruption in the broader health care industry, including upsetting decades of case law and disrupting patient care. Specifically, Senator Cassidy states that HIPAA has functioned as a “robust privacy framework for over 30 years,” noting that covered entities have been able to strike a good balance between protecting patient privacy and sharing patient information in certain appropriate circumstances. The white paper instead recommends “discrete updates and clarifications,” particularly due to the advent of new health technology and AI not contemplated by the existing framework. These proposals include:

  • Align Treatment of All Health Data. The white paper calls for a “full alignment of all health data within HIPAA.” For example, it discusses certain reforms made as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020 that instruct HHS to increase harmonization between the regulations governing Part 2 records (related to substance use disorder medical history) with HIPAA to reduce the regulatory burden for entities that must comply with both frameworks. Senator Cassidy encourages Congress to continue in these alignment efforts. The white paper cautions against treating certain health data differently, pointing to the proposed updates to the HIPAA Privacy Rule to specifically limit certain sharing of reproductive health information for law enforcement purposes. The white paper states that treating certain health data differently could lead to “uncertainty and confusion” as well as “inappropriate withholding” of health information from providers that need it.
  • Patient Ownership of Health Data. The white paper calls on Congress to clarify “how patient information can and cannot be used for research.” While Senator Cassidy notes that data de-identified in accordance with HIPAA has been used for research purposes for over 20 years, which has helped create AI tools that can improve care and reduce disparities, the white paper specifically discusses the risk of re-identification stemming from AI tools and concerns over patient ownership and autonomy over the use of their health data. Senator Cassidy encourages Congress to “examine whether existing exemptions permitting de-identified data to be used for research should consider a patient’s ability to opt-in or opt-out of participation” and further calls for the examination of the risk of re-identification “to ensure that patient information for research can never be personally identified without express consent.” Senator Cassidy also calls for Congress to consider whether patients should have the right to be compensated for sharing their identifiable data, similar to how patients may be compensated for participation in clinical trials.
  • Other Proposals. The white paper also calls on Congress to direct HHS OCR to clarify how the “minimum necessary” standard within HIPAA aligns with other regulatory requirements (e.g., the 21st Century Cures Act). Additionally, the white paper calls on Congress to define certain aspects of HIPAA’s right of access more clearly, especially certain aspects of the third-party directive as it relates to fees that are charged in response to these requests.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Anna D. Kraus

Anna Durand Kraus advises on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (“HHS”) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and HIPAA privacy and security. Anna is co-chair of the firm’s Health Care Industry practice group.

Anna regularly advises clients on Medicare reimbursement matters, particularly those arising under Part B and the Part D prescription drug benefit. She also has extensive experience with the Medicaid Drug Rebate program. She assists numerous pharmaceutical and device manufacturers, health care providers, pharmacy benefit managers, and other health care industry stakeholders to navigate the challenges and opportunities presented by the Affordable Care Act.

Anna is a trusted adviser on health information privacy, security and breach notification issues, including those arising under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Her background in this area dates back to the issuance of the original HIPAA privacy regulations.

Anna’s clients depend on her to guide them through compliance with the Anti-Kickback statute, the Stark regulations, and other laws preventing fraud and abuse in the health care industry. Her deep knowledge of these laws has made her an important component of the firm’s representation of pharmaceutical companies and health care organizations under federal investigation or facing allegations under the False Claims Act. In addition, clients contemplating acquisitions in the health care sector rely on her to guide due diligence efforts.

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.

Natalie Maas

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory and compliance issues.

Natalie also maintains an active pro bono practice, with a particular focus on health care and reproductive rights.