Uncategorized

Pending Federal Privacy Legislation: A Status Update

Vince Kuraitis
Deven McGraw

By DEVEN McGRAW and VINCE KURAITIS

This post is part of the series “The Health Data Goldilocks Dilemma: Privacy? Sharing? Both?”

In our initial blog post of February 20th, “For Your Radar – Huge Implications for Healthcare in Pending Privacy Legislation,” we broadly discussed six key issues for healthcare stakeholders in the potential federal privacy and data protection legislation. We committed to future posts comparing and contrasting specific legislative proposals.  

What’s happened since then? 

Additional bills have been introduced and hearings have been held in both the House and the Senate.  The Federal Trade Commission (FTC) also hosted two days of hearings on the FTC’s Approach to Consumer Privacy.  

The buzz around federal privacy legislation continues, but as of yet there appear to be no proposals or bills that have emerged as the lead bills. 

In the meantime, the clock is ticking.  As we mentioned in our February 20th post, a significant catalyst for federal privacy legislation is the desire of companies covered by the California Consumer Privacy Act (CCPA) to have that broadly-applicable, stringent state law preempted by a more company-friendly federal law.  The CCPA, which sets stringent consent and other requirements for large companies, or companies collecting or monetizing large amounts of consumer data from California residents, goes into effect January 1, 2020 – less than six months from today.  

Is it possible for a legislative body to move quickly on such a controversial topic?  Again, California’s experience may be instructive. The CCPA was passed into law and signed on June 28, 2018, about a week after it was introduced. Lawmakers were in a rush in order to keep a popular and even stricter consumer privacy ballot initiative from being put before the California voters.  (The sponsors of the ballot initiative agreed to withdraw it if the CCPA were enacted by the June 28th deadline.). 

Tech companies held their noses and supported the legislation because changing legislation is easier than changing a ballot initiative adopted by the voters. However, this strategy is not fool-proof.  Although the CCPA has been successfully modified once to address some company concerns and to clarify confusing language, more recent attempts to amend it have failed (modification bills are still pending).  With the deadline fast approaching, and the prospect for further significant modifications to the CCPA looking less likely, the pressure on Congress is reaching a fever pitch.

But will Congress respond in time? California’s legislature is different in many ways from Congress (much more homogenous). Rep. Schakowsky, whose panel is leading privacy efforts in the House, recently said she’s not going to release her privacy proposal before the August recess, although she expects to mark up a bill before the end of the year. Nevertheless, we expect the pressure of time can be a significant motivator.  How much will tech companies be willing to concede in a federal bill in order to avoid having to comply with the CCPA?  

Despite the perceived lack of movement of current bills, the ticking clock on CCPA suggests this issue is quite live in Congress, albeit less visible to most of us.  It’s possible that the ultimate lead bill(s) are still under discussion and have yet to be introduced – although it is also likely the lead bills will incorporate provisions from bills and proposals already introduced or in the public domain).  So it’s still worth a deeper dive into what’s already on the table.

On the Roadmap page to this series, we list and categorize 23 Congressional bills introduced or pending that relate to privacy/data protection. We’ve labeled them either as “comprehensive” or “focused” (narrow) — although we’ll admit these classifications are imprecise.  Those bills we considered more comprehensive are those that cover a broad spectrum of companies and, in most cases, impose a comprehensive set of requirements on those companies. More “focused” (narrow) bills take on particular industry segments or particular data practices that are perceived to pose increased privacy risks. For good measure, we’ve also included some potentially relevant bills from 2018.

“Comprehensive” Privacy/Data Protection Bills

We count at least 7 comprehensive privacy bills introduced so far in 2019 (most recent listed first):

  • Senator Markey — S.1214
  • Senator Blackburn — S.1116
  • Representative Delbene — H.R. 2018
  • Senator Cortez Masto — S.583
  • Representative Rush — H.R. 1282
  • Senators Klobuchar/Kennedy — S.189
  • Senator Rubio — S.142

“Focused” Privacy/Data Protection Bills

We count at least 16 “focused” (narrow) privacy bills introduced/pending so far in 2019. Several of these bills are targeted at and/or could directly impact various types of health data:

  • Senators Klobuchar/Murkowski — S.1842:  “Protecting Personal Health Data Act”
  • Senator Hawley — S.1578: “Do Not Tract Act”
  • Senator Wyden — S.1108:  “Algorithmic Accountability Act of 2019”
  • Representative Rush — H.R. 2155:  “Genetic Privacy Act of 2019”
  • Senator Kennedy — S.806:  “Own Your Own Data Act”

The other focused bills deal with a wide range of subjects, e.g., protecting data at the border, combatting revenge porn, protecting airline passenger privacy, restricting facial recognition technology and others.

Why would legislators choose to introduce focused legislation vs. more comprehensive bills? There are a number of possible reasons:

  • Fewer committees to review bills. A more comprehensive bill will fall under the purview of a larger number of Congressional committees that will have jurisdiction to to review the legislation, which means a slower path for consideration
  • Fewer potential detractors. A more comprehensive bill is more likely to affect the interests of a greater number of stakeholders.
  • More politically expedient. Enacting legislation that is focused on just one or two particular privacy problems lets Congress take credit for a win (even if the impact in terms of improving privacy is much less). 

The Impact on Healthcare — Our Upcoming Analyses

How will healthcare be impacted?  In reviewing all of the privacy and data protection legislation that has been proposed to date, the privacy bills differ significantly in their approaches.  In the coming weeks we’ll provide separate blog posts discussing some of the most relevant aspects of pending comprehensive Congressional bills:

  •  What types of entities are covered
  •  What information is covered
  •  What rights are granted to consumers
  •  What are the obligations of entities covered by the law
  •  What are the penalties for failure to comply

We’ll cover the 7 comprehensive bills introduced in 2019 + 3 additional potentially relevant bills/drafts from 2018:

  • Senator Schatz — S. 3744 (2018)
  • Senator Wyden — discussion draft
  • Trump administration approach

We include the Trump Administration’s potential approach, as gleaned from the 2018 Department of Commerce National Telecommunications and Information Administration (NTIA) request for information (RFI) on “ways to advance consumer privacy while protecting prosperity and innovation.” This RFI has not resulted in an Administration bill but is an indication of future Administration direction on these issues.  

We’ll also provide separate updates on some of the most potentially impactful focused bills.

As noted above, some bills have broad coverage and could cover most entities in healthcare; others have more limited coverage or target only certain types of data collection activities, so the impact on healthcare is harder to predict.

Activity at the state level also has increased. The National Conference of State Legislatures notes that bills or bill drafts have been considered in at least 25 states.

We’ll keep you apprised!

Deven McGraw , JD, MPH, LLM (@healthprivacy) is the Chief Regulatory Officer at Ciitizen (and former official at OCR and ONC). She blogs at https://medium.com/@ciitizen

Vince Kuraitis, JD/MBA (@VinceKuraitis) is an independent healthcare strategy consultant with over 30 years’ experience across 150+ healthcare organizations.He blogs at e-CareManagement.com.