On February 21, 2024, Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, issued a white paper, “Strengthening Health Data Privacy for Americans: Addressing the Challenges of the Modern Era”, which proposes several updates to the privacy protections for health data. This follows Senator Cassidy’s September 2023 request for information from stakeholders about how to enhance health data privacy protections covered by the Health Insurance Portability and Accountability Act (“HIPAA”) framework and to consider privacy protections for other sources of health data not currently covered by HIPAA. The white paper notes that several entities, including trade associations, hospitals, health technology companies, and think tanks, responded to the RFI.

The white paper describes the importance of health information, including the potential for such data to be used “to increase access to care, support research for new diagnostics and treatments, improve care quality and outcomes, and lower care costs.” At the same time, Senator Cassidy notes that health data faces higher risk of misuse than other types of data, which he believes necessitates changes to existing health privacy protections.

In short, Senator Cassidy calls on Congress to consider specific updates to the HIPAA framework, including with respect to the use of de-identified data for research, and to examine specific areas where he believes that the Department of Health and Human Services (“HHS”) Office for Civil Rights’ (“OCR”) guidance interpreting HIPAA has been insufficient. He also calls on Congress to pass a comprehensive data privacy law, noting that 13 states and 137 countries have passed data privacy frameworks, and consider federal minimum standards for health data that is not regulated by HIPAA. Further, Senator Cassidy calls for Congress to take steps to bring existing health privacy frameworks more in line with consumer expectations, including as it relates to the use of genetic data for research, focusing largely on direct-to-consumer companies.

Senator Cassidy’s white paper organizes the proposals into the following categories: (1) Updates to the Current HIPAA Framework, (2) Health Data in the HIPAA “Gray Area,” and (3) Data Outside of HIPAA. This is the first of a two-part series on Senator Cassidy’s white paper. Below, we discuss the updates to the existing HIPAA framework proposed in Senator Cassidy’s white paper. The other two categories will be discussed in a forthcoming Part 2.

Updates to HIPAA Framework

Senator Cassidy’s white paper suggests that he believes major revisions to HIPAA could cause disruption in the broader health care industry, including upsetting decades of case law and disrupting patient care. Specifically, Senator Cassidy states that HIPAA has functioned as a “robust privacy framework for over 30 years,” noting that covered entities have been able to strike a good balance between protecting patient privacy and sharing patient information in certain appropriate circumstances. The white paper instead recommends “discrete updates and clarifications,” particularly due to the advent of new health technology and AI not contemplated by the existing framework. These proposals include:

  • Align Treatment of All Health Data. The white paper calls for a “full alignment of all health data within HIPAA.” For example, it discusses certain reforms made as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020 that instruct HHS to increase harmonization between the regulations governing Part 2 records (related to substance use disorder medical history) with HIPAA to reduce the regulatory burden for entities that must comply with both frameworks. Senator Cassidy encourages Congress to continue in these alignment efforts. The white paper cautions against treating certain health data differently, pointing to the proposed updates to the HIPAA Privacy Rule to specifically limit certain sharing of reproductive health information for law enforcement purposes. The white paper states that treating certain health data differently could lead to “uncertainty and confusion” as well as “inappropriate withholding” of health information from providers that need it.
  • Patient Ownership of Health Data. The white paper calls on Congress to clarify “how patient information can and cannot be used for research.” While Senator Cassidy notes that data de-identified in accordance with HIPAA has been used for research purposes for over 20 years, which has helped create AI tools that can improve care and reduce disparities, the white paper specifically discusses the risk of re-identification stemming from AI tools and concerns over patient ownership and autonomy over the use of their health data. Senator Cassidy encourages Congress to “examine whether existing exemptions permitting de-identified data to be used for research should consider a patient’s ability to opt-in or opt-out of participation” and further calls for the examination of the risk of re-identification “to ensure that patient information for research can never be personally identified without express consent.” Senator Cassidy also calls for Congress to consider whether patients should have the right to be compensated for sharing their identifiable data, similar to how patients may be compensated for participation in clinical trials.
  • Other Proposals. The white paper also calls on Congress to direct HHS OCR to clarify how the “minimum necessary” standard within HIPAA aligns with other regulatory requirements (e.g., the 21st Century Cures Act). Additionally, the white paper calls on Congress to define certain aspects of HIPAA’s right of access more clearly, especially certain aspects of the third-party directive as it relates to fees that are charged in response to these requests.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an active pro bono practice.

Natalie Maas

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory and compliance issues.

Natalie also maintains an active pro bono practice, with a particular focus on health care and reproductive rights.