
Will “HIPRA” Change How Health and Wellness Apps are Regulated?

A major shift may be coming to the regulation of health and wellness apps that have previously fallen out of the reach of the HIPAA Privacy and Security Rules.

Addressing the Issue of Unregulated Health Data

While HIPAA has long protected data held by providers, payors, and clearinghouses, companies offering consumer products like wearables and health-tracking apps have largely remained outside its scope. Senator Bill Cassidy, R-LA, is looking to close that gap. In early November, he introduced the Health Information Privacy Reform Act (HIPRA). The proposed legislation aims to extend HIPAA-style protections to consumer products and to the AI tools rapidly being integrated into care models.

What Would HIPRA Mandate?

If passed, HIPRA would extend many HIPAA requirements beyond covered entities, placing new obligations on app developers and other companies handling sensitive health data that are not regulated under HIPAA today.

The key requirements would include:

  • Consumer Control: Companies would be required to grant consumers access to, and the ability to delete, their personal health information, which includes data like weight, blood pressure, and mental health conditions.
  • HIPAA-Level Security and Breach Transparency: The legislation would apply HIPAA security and breach notification rules to app developers and other non-HIPAA entities. This includes the requirement to inform consumers of data breaches and notify individuals that their information is no longer protected by HIPAA once it is shared with a third party outside of the traditional healthcare system.
  • AI Data Guardrails: The legislation would require HHS to define how the HIPAA minimum necessary standard applies to data used to train AI algorithms. It also requires the creation of new, unified national standards for de-identification to mitigate the potential risk of AI tools re-identifying previously de-identified information.

What This Means for HealthTech Companies

If HIPRA gains traction, it would be wise to begin preparing now. For executives of HealthTech, wellness, and AI companies, this may mean reviewing, and potentially redesigning, the operational processes that touch consumer health data.

Here are some steps your company could take:

  1. Map All Consumer Health Data:
    • Action: Immediately conduct a comprehensive audit to identify every piece of consumer health information your product collects (e.g., biometrics, logs, free-text inputs), where it is stored, and where it flows, including copies held by third parties and copies pulled into analytics or AI training sets.
    • Why: You must know exactly what data you have, and where it lives, to honor consumer access and deletion rights; a request cannot be fulfilled for data you do not know you hold.
  2. Establish Robust Consumer Data Rights Tools:
    • Action: Consider implementing user-friendly mechanisms that allow individuals to easily access, download, and permanently delete their collected data, regardless of where it is stored (e.g., application databases, cloud object storage, backups, analytics copies). Deletion should propagate to third-party processors, and access and download requests should verify the requester's identity so these mechanisms do not become a path for someone else to pull a consumer's health data.
    • Why: Consumer access and deletion rights are the first requirement on HIPRA's list, and a deletion that leaves copies behind in a backup or a vendor's systems is not a deletion.
  3. Review and Tighten AI Data Sharing Practices:
    • Action: Your legal and technical teams can work together to re-assess data sharing for AI training. Consider moving beyond standard de-identification and adopting the HIPAA minimum necessary standard for all data used in algorithms. You will need to monitor future HHS guidance on this standard's application to AI.
    • Why: This is a key focus of the legislation and aims to prevent re-identification and misuse of information.
  4. Re-Evaluate Business Partnerships:
    • Action: Review any agreements with third parties (e.g., advertisers, analytics providers) that involve the sharing or sale of consumer data. The increased protections and stricter definition of "minimum necessary" information may require you to restructure these relationships.

HIPRA may be viewed as a step toward addressing the long-overlooked privacy and security of health and wellness apps. If HIPRA, or a close version of it, is enacted, proactive compliance will be key to mitigating risk and maintaining market viability.