How the bill would specifically affect different segments of the healthcare industry remains hard to predict and would depend in large part on how regulations were written to carry out its various provisions.
The chairs of the House and Senate commerce committees, Rep. Cathy McMorris Rodgers (R-Wash.) and Sen. Maria Cantwell (D-Wash.), unveiled a discussion draft Sunday. That signals the lawmakers are open to revisions before making a full push during what is likely to be a difficult year to pass anything.
According to a Senate Commerce Committee summary of the bill's healthcare provisions, health and medical information would be treated as "sensitive covered data" under the law. Such a definition carries a number of implications and would require companies to:
- Obtain affirmative consent from patients to transfer data to third parties;
- Evaluate potential harms from deploying algorithms in healthcare, such as whether they might be used to deny access to care;
- Allow consumers to opt out of algorithms that influence consequential healthcare decisions;
- Ensure strong data security commensurate with factors such as the sensitivity of the data in question;
- Designate privacy and data security officers to implement security programs, with heightened requirements for large data holders who would be held responsible for data breaches.
The legislation also would bar companies from requiring people who suffer substantial harm to go through arbitration to seek relief.
Although the bill would establish national privacy standards, it mostly preserves state laws governing health and medical information, according to the Senate committee. Lawfully de-identified data used for medical research are exempt under the bill.
The Federal Trade Commission would enforce the American Privacy Rights Act, while state attorneys general and individuals would be allowed to sue healthcare companies over data breaches.
The bill's full impact would be hard to gauge until regulations are drawn up following congressional approval. Writing those rules could prove difficult in a healthcare system increasingly reliant on algorithms and artificial intelligence for functions such as prior authorizations and clinical decision support.
"They're not easy rules to set up, and the regulatory process will be long simply because people will bring up so many objections," said Leighton Ku, director of the George Washington University Center for Health Policy Research. "It will be hard to sort out."
Even where the bill seems clear in allowing people to opt out of the use of algorithms for consequential decisions, it could prove extremely difficult to disentangle a person's data from a program, Ku said.
"If it's already in the system from five years ago, I don't know how easy it is to get that out of the algorithm," Ku said. "Could you say, 'I want you to opt in for certain things, but not other things?' That, I suspect, will be kind of hard because the algorithms are being developed all the time by creative people who are thinking of new things to do."
The exceptions in the legislation could be broadly interpreted to exclude many health-related uses of data, said Krutika Amin, associate director of the KFF Program on the Affordable Care Act. "The permitted purposes seem to cover uses for [electronic medical records], for product or process improvement, for research, audits, and fraud prevention, etc.," she said.
The bill would require companies that hold significant amounts of data to maintain rigorous cybersecurity standards and to regularly update them to guard against the cyberattacks that beset the healthcare industry, such as the Change Healthcare hack.
Rodgers and Cantwell cast their measure as the best approach to dealing with privacy issues that are mushrooming as technology and interconnectedness rush ahead.
“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” said a joint news release from Rodgers and Cantwell. “This landmark legislation represents the sum of years of good faith efforts in both the House and Senate. It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress.”
Senate Commerce Committee ranking member Ted Cruz (R-Texas) has raised concerns about national standards preempting some state laws, Politico Pro reported Monday. It is unknown whether Cruz would oppose the bill or if other lawmakers have similar objections.
Rodgers and Cantwell may encounter resistance from healthcare companies that oppose the measure's enforcement mechanisms. For instance, the hospital industry objected to a bill Sen. Mark Warner (D-Va.) introduced last month that would bar healthcare providers and third parties from federal aid after cyberattacks if they don't meet minimum security standards.