Illustration: Annelise Capossela/Axios
The new bipartisan data privacy bill could rock big segments of U.S. health care by creating national standards for handling sensitive patient data at a time when more states are enacting their own protections.
Why it matters: Though it doesn't generally dwell on medical applications, the American Privacy Rights Act could set up the kind of preemption fight that dogged past attempts to set privacy standards.
What's inside: The draft from Rep. Cathy McMorris Rodgers and Sen. Maria Cantwell states that covered entities who are already complying with HIPAA would be in compliance with the new law.
- But, not all companies who deal with health data are subject to HIPAA, meaning potentially big changes for non-HIPAA entities like health apps or wearable tech.
- The bill classifies health, genetic, biometric and geolocation information as "sensitive covered data," and instructs companies that they cannot collect or transfer this data to third parties without patients' consent.
- There are also strict retention policies on biometric and genetic information.
Consumers could sue for privacy violations of their data, while the bill also establishes a new privacy office within the Federal Trade Commission that would help enforce the new federal standards.
- The draft legislation also categorizes health and medical information as "sensitive covered data" and allows people to opt out of algorithms that make decisions about health care, among other things, per our Axios Pro Tech Policy colleagues Maria Curi and Ashley Gold.
- And it allows for lawfully de-identified data to still be used for medical research.
Between the lines: The legislation would provide more protections against sharing abortion-related data with third party entities — a growing source of concern since Roe v. Wade was overturned.
What they're saying: "The bill goes far," said Rachele Hendricks-Sturrup, research director of real-world evidence at the Duke-Margolis Institute for Health Policy, noting it covers data that can be used to infer or reveal one's physical or mental health status.
- But there's also a "large, highly unregulated data brokerage industry" that can "completely legally buy data on adults' and teenagers' prescriptions, mental health conditions, medical procedures, pregnancy statuses, and more," said Justin Sherman, CEO of Global Cyber Strategies, a D.C. research and advisory firm.
- Sherman added that while the bill adds data broker protections onto third party companies, it could go farther in restricting how data held by first-party mental health apps, telehealth services and social media apps can be shared or sold.
Yes, but: The bill is drawing scrutiny from lawmakers like Sen. Ted Cruz, who's concerned it could empower trial lawyers and strengthen Big Tech.
- The last major push to get a national data privacy bill passed came in 2022, when the American Data Privacy and Protection Act passed out of House Energy and Commerce but then ran afoul of the California congressional delegation, which said it wasn't as strong as their own state's privacy law.
What we're watching: Whether other states lodge similar concerns this time around. New Jersey just enacted a comprehensive privacy law, becoming the 13th state to do so.
What's next: The draft bill still needs to be formally introduced in both the Senate and the House.
- The House E&C Innovation, Data and Commerce on Wednesday holds a legislative hearing on the bill.
- McMorris Rodgers likely views it as another legacy item that she wants action on before she retires at the end of this session.
