Health data privacy is governed by more than just HIPAA. Just like tech, this legal area of health-data privacy and data access is undergoing rapid growth and development, so it is essential for your business to stay up to date. Below is a summary of the most relevant state, federal, and international data privacy laws and regulations which affect health tech businesses in the U.S.
FEDERAL LAWS & REGULATIONS—these apply to businesses located anywhere in the U.S.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA only applies to very specific holders of health data—covered entities (“CEs”) and their business associates (“BAs”)—and to a very specific type of data—protected health information (“PHI”). For more on HIPAA, check out Elevation’s HIPAA Refresher blog series.
The main tenets of HIPAA are that PHI cannot be shared without patient consent (the Privacy Rule), and that certain physical, administrative, and technical safeguards must be implemented in order to protect PHI (the Security Rule).
Health Information Technology for Economic and Clinical Health Act (HITECH)
HITECH was signed into law in 2009 with the goal of promoting and expanding the adoption and meaningful use of health information technology—specifically, electronic health records (“EHRs”)—by health care providers. HITECH increased PHI protections to assure patients more confidence in the security and transmission of their PHI.
HITECH also expanded HIPAA requirements to BAs in a legally enforceable way. Prior to HITECH, only CEs could be penalized by the government for HIPAA violations. Today, the government can sanction CEs and BAs alike for HIPAA violations. Current HITECH regulations have now morphed into CMS’s Promoting Interoperability Programs.
CMS Interoperability and Patient Access Final Rule
This relatively new rule, which now comes from CMS’s Promoting Interoperability Program offices, took effect in 2020 and became enforceable this year. The central takeaway from this rule is that all CMS-regulated payers must now implement and maintain an HL7 Fast Healthcare Interoperability Resources (“FHIR”) standard API. The FHIR framework provides a means for representing and sharing health information among clinicians and organizations regardless of the ways local EHRs represent or store the data.
Importantly, as its name suggests, this rule also requires or encourages different types of entities to allow patients to have electronic access to some of their personal information. For example, health plans must make certain data available to patients such as adjudicated claims, encounters with capitated providers, and some clinical data.
21st Century Cures Act/Information Blocking
This rule works in conjunction with CMS’s Interoperability Rule to promote effective and appropriate health-related communications. Certain entities are required to share electronic health information (“EHI”—which is broader than PHI) for a variety of patient care purposes. Interfering with this exchange is called information blocking. Your company can still be deemed a “data blocker” even if your activities are not directly involved with patient treatment. The information blocking rule has a list of exceptions, such as infeasibility and preventing harm, but they are generally pretty narrow in order to encourage as much appropriate EHI sharing as possible.
INTERNATIONAL LAW—this applies to many U.S. companies that have even one customer or consumer in the EU.
General Data Protection Regulation (GDPR)
The GDPR was enacted in 2016 and has revolutionized data privacy by imposing specific, stringent obligations on businesses (e.g. data protection by design) and endowing all EU residents with certain rights and privileges (e.g. right to access personal data). It has quickly become an international “gold standard,” inspiring several U.S. states to consider or pass similar laws. Several U.S. Congress members are currently proposing U.S. national-level versions of the GDPR.
GDPR is a transparency-centered law that empowers consumers with brand new rights to their own data—this means any data, not just health data. The rule includes the right for consumers to erase or correct their information. Consumers can also restrict the processing or sale of their data. It also imposes strict security and compliance standards on businesses, enforceable by government fines and consumer lawsuits.
GDPR may apply to your business if you have even just one customer who is (or becomes) an EU resident. It’s vital for tech companies in particular to be informed about this law, as their “products” are generally quite portable and companies can incur fines or be subject to consumer lawsuits.
STATE LAWS—may apply to businesses headquartered in those states, businesses with operations in those states, and/or businesses with consumers who are residents of those states.
State-level “mini-GDPRs” and “mini-HIPAAs”
In the U.S., the federal government sets minimum legal standards across the country. States may then choose to raise the minimum legal standard within that state by passing their own laws. Many states have chosen to do this with HIPAA-covered health data privacy laws.
For example, Illinois has a Biometric Information Privacy Act (BIPA), which covers the collection, use, and retention of biometric identifiers such as retina scans, iris scans, fingerprints, and voiceprints, as well as any information based on an individual’s biometric identifier that can be used to identify that individual. Among other things, BIPA requires companies to provide individuals with notice and to obtain their written consent before collecting their biometric data.
Where the federal government has not (yet) enacted a national law or standard in a certain area, many states choose to pass their own laws to ensure certain standards are being met within their geographic boundaries or with regard to their residents. This is currently happening with data privacy in the U.S.—in the absence of a specific federal law, several states have begun to implement certain provisions of the GDPR.
The most notable (and the first in the nation) are likely California’s two companion laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Although many people consider these to add up to a state-level GDPR, the threshold for businesses to become subject to these laws is higher than under the GDPR. For example, the CCPA and CPRA apply only to businesses in California that have a gross annual revenue over $25 million; buy, receive, or sell the personal information of at least 50,000 California residents, households, or devices; or derive 50% or more of their annual revenue from selling California residents’ personal information.
This is just a high-level overview of the main data privacy rules governing U.S. health tech companies, and it may have already changed since you began reading this blog post. While other legal areas may trail decades behind the pace of reality, new data privacy laws and regulations are evolving quickly. Generally speaking, protections are becoming greater for individuals while businesses are seeing additional burdens and obligations. Let Elevation help take some of that extra weight off your shoulders—we can help you determine which laws apply to your business and help you implement necessary changes to achieve compliance!