II
116th CONGRESS
1st Session
S. 1842
IN THE SENATE OF THE UNITED STATES
June 13, 2019
Ms. Klobuchar (for herself and Ms. Murkowski) introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions
A BILL
To protect the personal health data of all Americans.
Section 1. Short title
This Act may be cited as the “Protecting Personal Health Data Act”.
Section 2. Findings
Congress finds as follows:
(1) On July 19, 2016, the Department of Health and Human Services, acting through the Office of the National Coordinator for Health Information Technology and in coordination with the Office for Civil Rights of the Department of Health and Human Services and the Federal Trade Commission, issued a report to Congress entitled “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA” (referred to in this section as the “report”) about the need to enact modern protections for consumers’ personal health data.
(2) The report states that “[t]he wearable fitness trackers, social media sites where individuals share health information through specific social networks, and other technologies that are common today did not exist when Congress enacted the Health Insurance Portability and Accountability Act of 1996”.
(3) The report states that entities not covered by the privacy protections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191), such as wearable fitness trackers and health-focused social media sites, engage in a variety of practices such as “online advertising and marketing, commercial uses or sale of individual information, and behavioral tracking practices, all of which indicate information use that is likely broader than what individuals would anticipate”.
(4) The report identifies “key gaps that exist between HIPAA regulated entities and those not regulated by HIPAA” and recommends addressing those gaps in a way that “protects consumers while leveling the playing field for innovators inside and outside of HIPAA”.
Section 3. Definitions
In this Act:
(1) Consumer devices, services, applications, and software
(A) In general
Except as provided in subparagraph (C), the term “consumer devices, services, applications, and software” means devices, services, applications, and software—
(i) that are primarily designed for or marketed to consumers; and
(ii) a substantial purpose or use of which is to collect or use personal health data.
(B) Inclusion
The term “consumer devices, services, applications, and software” shall include, but is not limited to—
(i) direct-to-consumer genetic testing services;
(ii) cloud-based or mobile technologies that are designed to collect individuals’ personal health data directly or indirectly with individuals’ consent, which could enable sharing of such information, such as wearable fitness trackers; and
(iii) internet-based social media sites which are primarily designed for, or marketed to, consumers to collect or use personal health data, including sites that share health conditions and experiences.
(C) Exception
The term “consumer devices, services, applications, and software” shall not include—
(i) products on which personal health data is derived solely from other information that is not personal health data, such as Global Positioning System data; or
(ii) products primarily designed for, or marketed to, covered entities and business associates (as defined for purposes of regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note)).
(2) Direct-to-consumer genetic testing services
The term “direct-to-consumer genetic testing service” means a service, which may include a test that analyzes various aspects of an individual's genetic material, that enables a consumer to have access to their genetic information, or to information derived therefrom, without the need to have a health care provider or health insurance issuer participate in the process of gaining access.
(3) National coordinator
The term “National Coordinator” means the National Coordinator for Health Information Technology at the Department of Health and Human Services.
(4) Operator
The term “operator” means any person who operates any type of consumer devices, services, applications, and software or who provides consumer devices, services, applications, and software for the use of consumers and collects or maintains personal health data from or about the users of such consumer devices, services, applications, and software.
(5) Personal health data
The term “personal health data” means any information, including genetic information, whether oral or recorded in any form or medium, that relates to the past, present, or future physical or mental health or condition of an individual and that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
(6) Secretary
The term “Secretary” means the Secretary of Health and Human Services.
Section 4. Promulgation of regulations for operators of consumer devices, services, applications, and software
(a) In general
Not later than 6 months after the date on which the report is submitted under section 5(d), the Secretary, in consultation with the Chairman of the Federal Trade Commission, the National Coordinator, relevant stakeholders, and heads of such other Federal agencies as the Secretary considers appropriate, shall promulgate regulations to help strengthen privacy and security protections for consumers’ personal health data that is collected, processed, analyzed, or used by consumer devices, services, applications, and software.
(b) Requirements
(1) In general
The Secretary shall ensure that the regulations pursuant to subsection (a)—
(A) account for differences in the nature and sensitivity of the data collected or stored on the consumer device, service, application, or software; and
(B) include such definitions for relevant terms that are necessary to accomplish the goals of the regulations set forth in subsection (a).
(2) Requirements of Secretary
In the promulgation of regulations under subsection (a), the Secretary, to the extent practicable, shall—
(A) consider the findings in the report issued by the Department of Health and Human Services to Congress entitled “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA”, including findings regarding individuals’ access rights, re-use of data by third parties, security standards applicable to data holders and users, confusion or ambiguity regarding terminology related to privacy and security protections, and the adequacy of collection, use, and disclosure limitations;
(B) consider other regulations and guidance issued by the Federal Trade Commission, and other regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), subtitle D of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17921 et seq.), the Genetic Information Nondiscrimination Act (Public Law 110–233, 122 Stat. 881), the Common Rule as contained in part 46 of title 45, Code of Federal Regulations, and other related Acts;
(C) consistent with paragraph (3), consider appropriate uniform standards for consent related to the handling of genetic data, biometric data, and personal health data;
(D) consider exceptions to consent requirements under subparagraph (C) for purposes that may include law enforcement, academic research or research for the sole purpose of assessing health care utilization and outcomes, emergency medical treatment, or determining paternity;
(E) consider appropriate minimum standards of security that may differ according to the nature and sensitivity of the data collected or stored on, or processed or transferred by, the consumer device, service, application, or software;
(F) consider appropriate standards for the de-identification of personal health data;
(G) consider appropriate limitations on the collection, use, or disclosure of personal health data to that which is directly relevant and necessary to accomplish a specified purpose;
(H) consult with the National Coordinator, the Commissioner of Food and Drugs, and the Chairman of the Federal Trade Commission; and
(I) provide for initial and ongoing outreach regarding regulations affecting industries, businesses, and individuals to ensure awareness of consumer privacy and security protections in the field of digital health technology.
(3) Uniform standards
In the review of each of the areas described in paragraph (2)(C), the Secretary shall consider—
(A) the development of standards for obtaining user consent based on how information will be shared to ensure that prior to the collection, analysis, use, or disclosure of consumers’ personal health data, an operator of a consumer device, service, application, or software specifies the uses of the personal health data and who will have access to the information;
(B) the manner in which consent is obtained in a way that uses clear, concise, and well-organized language that is easily accessible, of reasonable length, at an appropriate level of readability, and clearly distinguishable from other matters;
(C) a process to limit the transfer of personal health data to third parties and provide consumers with greater control over how their personal health data is used for marketing purposes;
(D) secondary uses outside of the primary purpose of the service as initially indicated when consent was first obtained;
(E) a process to permit a withdrawal of consent to ensure that a user is able to remove consent for the terms of service for use of the consumer device, service, application, or software, including the collection and use of personal health data, as easily as the user is able to give such consent;
(F) providing a right to access a copy of the personal health data that the operator has collected, analyzed, or used, free of charge and in an electronic and easily accessible format, including a list of each entity that received the personal health data from the operator, whether through sale or other means; and
(G) providing a right to delete and amend personal health data, to the extent practicable, that the operator has collected, analyzed, or used.
(c) Updates
The Secretary shall review and, if necessary, update the regulations promulgated under subsection (a) in accordance with the requirements under subsection (b).
(d) Public availability
The Department of Health and Human Services shall make prominently available to the public on the Department’s internet website clear and concise information about available resources related to the regulations promulgated under subsection (a) and all updates to such resources.
(e) Consistency of resources published by Federal agencies
If a Federal agency publishes resources to help protect consumers’ personal health data, the head of such Federal agency, to the degree practicable, shall make such resources consistent with the regulations promulgated under subsection (a).
(f) Other Federal privacy and security requirements
Nothing in this section shall be construed to supersede, alter, or otherwise affect any privacy and security requirements enforced by Federal agencies.
Section 5. National task force on health data protection
(a) Establishment
The Secretary, in consultation with the Chairman of the Federal Trade Commission, the National Coordinator, and relevant stakeholders, shall establish a task force, to be known as the National Task Force on Health Data Protection (referred to in this section as the “Task Force”).
(b) Duties
The Task Force shall—
(1) study the long-term effectiveness of de-identification methodologies for genetic data and biometric data;
(2) evaluate and provide input on the development of security standards, including encryption standards and transfer protocols, for consumer devices, services, applications, and software;
(3) evaluate and provide input with respect to addressing cybersecurity risks and security concerns related to consumer devices, services, applications, and software;
(4) evaluate and provide input with respect to the privacy concerns and protection standards related to consumer and employee health data;
(5) review and advise on the need, if any, to update the report issued by the Department of Health and Human Services to Congress entitled “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA”; and
(6) provide advice and consultation in the establishment and dissemination of resources to educate and advise consumers about the basics of genetics and direct-to-consumer genetic testing, and the risks, benefits, and limitations of such testing.
(c) Members
The Secretary, in consultation with the Chairman of the Federal Trade Commission, the National Coordinator, and relevant stakeholders, shall appoint not more than 15 members to the Task Force. In appointing such members, the Secretary shall ensure that the total membership of the Task Force is an odd number and represents a diverse set of stakeholder perspectives.
(d) Reporting
Not later than 1 year after the date of enactment of this Act, the Task Force shall prepare and submit to the Committee on Commerce, Science, and Transportation of the Senate, the Committee on Health, Education, Labor, and Pensions of the Senate, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Energy and Commerce of the House of Representatives, the Committee on Homeland Security of the House of Representatives, the Secretary, the Chairman of the Federal Trade Commission, and the Commissioner of Food and Drugs, a report on the findings of the Task Force.
(e) Authorization of appropriations
There are authorized to be appropriated such sums as may be necessary to carry out this section.
(f) Federal Advisory Committee Act
The Federal Advisory Committee Act (5 U.S.C. App.) shall apply to the Task Force.
(g) Sunset
(1) In general
The Task Force shall terminate on the date that is 5 years after the date of the first meeting of the Task Force.
(2) Recommendation
Not later than the date that is one year prior to the termination of the Task Force under paragraph (1), the Secretary shall submit to Congress a recommendation on whether the Task Force should be extended.