
Before the Covid-19 pandemic, health data privacy wasn’t exactly a hot topic on Capitol Hill. By and large, lawmakers stuck to scolding tech giants like Google for getting their hands on patient data gathered by hospitals and smartphone apps.

But the digital tools being deployed to combat Covid-19 have thrust the issue into the spotlight, drawing fresh interest from federal lawmakers who have swiftly introduced several new bills aimed at protecting Americans’ health data related to the coronavirus.

While the issue is getting another look from lawmakers, it’s not clear whether a divided and distracted Congress will be able to reach a consensus on how best to regulate the vast amounts of data collected by digital contact tracing tools and other pandemic response efforts — or whether the bills are destined to fizzle before they ever come up for a vote.


Earlier this month, four Senate Republicans led by Roger Wicker of Mississippi introduced a bill that would create new standards for protecting such data. Last week, a group of Democrats led by Sen. Richard Blumenthal of Connecticut put forward a competing bill. Another group of Democrats led by Sen. Elizabeth Warren of Massachusetts introduced a contact-tracing bill last week that proposes a number of protections for how patient data is stored, anonymized, and shared.

All three bills focus on the type of health data that falls outside the scope of the federal privacy law known as HIPAA, which only applies to entities like hospitals and clinics and their business associates. The architects of the law, first passed in 1996 and amended slightly over the years, could not have imagined the current reality in which public health agencies are developing apps to track coronavirus patients and their contacts using technology built by Google and Apple.


Now, as the Covid-19 crisis has escalated the health privacy debate, lawmakers are trying to play catch-up. The Wicker and Blumenthal bills both try to fill the gaps not covered by HIPAA — but they do so differently, several data privacy experts told STAT. “Where they differ is how broad the protections are,” said Carmel Shachar, executive director of the Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School.

In general, the Democratic legislation would require more comprehensive, stricter privacy protections than the Republican bill, the experts said.

Among the key differences they named: The Democratic bill would apply to most private businesses as well as governments, with a few exceptions, while the Republican bill would only govern private entities. The Democratic bill would also cover health data collected by employers about their employees and would explicitly prohibit companies from selling, marketing, or profiting from people’s Covid-19 data — neither of which is included in the Republican bill. The Democratic bill would preserve existing state privacy laws, while the Republican bill would overrule any state-level legislation.

Whether the lawmakers play ball to come up with — and pass — a bipartisan solution could shape public life during the pandemic and beyond, the experts said.

Take one key difference between the bills: The Democratic legislation proposes a number of steps to protect against discrimination, such as a stipulation that people’s Covid-19 data can’t be used to prevent them from voting, while the Republican bill doesn’t explicitly address the issue.

“There are actually policy implications associated with these antidiscrimination provisions,” said Pollyanna Sanderson, policy counsel for the Future of Privacy Forum, a nonprofit Washington D.C. think tank that focuses on emerging consumer privacy issues.

For example, Sanderson said, such provisions could have implications for using data for immunity passports, an idea proposed to help reopen society that would rely on documents certifying that someone has immunity to Covid-19. Anti-discrimination provisions could also block shops and restaurants from prohibiting someone from entering their establishment based on their Covid-19 status, Sanderson said.

There’s also a question of whether a Covid-19 privacy bill should apply to publicly available information, such as government records and internet content. The Democratic bill would protect it, while the Republican legislation would not. A bill that doesn’t regulate publicly available information could open the door to social media scraping to build facial recognition systems that could be used to track people’s movements in public places, Sanderson said.

The Covid-19 data privacy bills come after several legislative efforts to cement protections for private health information and consumer data as a whole. Last June, Sens. Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska) introduced legislation calling for new protections for health data collected by smartphone apps, wearable devices such as Fitbits, and direct-to-consumer genetic testing companies. And last November, Senate Republicans and Democrats put forth dueling legislation that would regulate consumers’ online data.

Those bills encouraged privacy advocates, but they haven’t come close to becoming law. And they’re likely to be sidelined much longer as the pandemic response, the economic fallout, and the looming November election command lawmakers’ attention.

In just a few months, though, the pandemic has transformed America’s health data privacy debate. Concerns about menstrual period-tracking apps and data-sharing deals between tech companies and hospitals have been replaced by conversation about the digital contact tracing tools and facial recognition technologies that are being developed in the Covid-19 response.

And the pandemic may be prompting people who would once have been wary about sharing their data to rethink that stance in the interest of public health.

“The pandemic has illustrated to people the usefulness that health data can have. I think beforehand it was easy to think: ‘OK, I don’t want my information out there,’” Shachar said.

Experts told STAT that despite the lack of bipartisan proposals so far, they see a plausible path forward for Covid-19 privacy legislation. They said it’s possible the protections could be tucked into another economic stimulus or pandemic relief bill or could be passed as standalone legislation.

Despite their differences, the competing Democratic and Republican bills are “similar enough in structure that something should be able to get through,” Shachar said.