House to discuss national data privacy bill with implications for healthcare

The House Energy and Commerce Subcommittee on Innovation will hold a hearing Wednesday to discuss data privacy and the protection of kids online.

Among a slew of bills to be discussed is a draft data privacy bill unveiled last week that would regulate all sectors of the American economy, including healthcare. The legislation is sponsored by Energy and Commerce Chair Cathy McMorris Rodgers, R-Washington, and Sen. Maria Cantwell, D-Washington.

The bipartisan draft data privacy law, the American Privacy Rights Act (APRA), would give consumers the right to access, correct and delete personal data gathered and shared by companies. Entities subject to the Health Insurance Portability and Accountability Act (HIPAA) are generally exempt from the draft law but would need to comply with its data security provisions if passed. Also slated to be discussed at the hearing are the Kids Online Safety Act and the Algorithmic Accountability Act of 2023, among others.

APRA would also give consumers more rights over their health information that falls outside of HIPAA’s purview, which could include search queries, interactions with chatbots, information recorded on fitness and mental health apps and trackers on health-related websites and telehealth platforms, one witness’s testimony says. It would also grant consumers a private right of action against companies that unlawfully transmit or collect covered data.

The witness statements submitted to the committee ahead of the hearing propose updates to APRA and relay concerns about uses of health data by insurers, big tech companies and social media platforms. 

The witnesses in Wednesday’s hearing will include former head of the Federal Trade Commission (FTC) Maureen Ohlhausen, now co-chair of the 21st Century Privacy Coalition. 

Ohlhausen’s testimony commends APRA for designating the FTC as the primary enforcer of consumer data privacy. The legislation gives the FTC more enforcement tools, she says, such as allowing a civil monetary penalty for breaking the law and rulemaking authority to flesh out areas like data minimization rules, consumer controls over data and a centralized opt-out mechanism for data collection and transfer.

Witnesses also commend the legislation for stipulating that algorithms used for “consequential decisions,” such as healthcare coverage by insurers, be subject to impact assessments and FTC oversight. 

Samir Jain, vice president of policy at the Center for Democracy and Technology, explains in his statement that algorithms present a privacy threat to consumers due to the massive amounts of data needed to train them. Generative AI presents even more threats to data privacy than algorithms because of how it scrapes data.

The Lawyers' Committee for Civil Rights Under Law, which will testify at the hearing, wants different requirements for developers and deployers of AI and quarterly reports to the FTC on outputs of the algorithms.

Witnesses disagreed on whether APRA should preempt state data privacy laws. As drafted, the law carves out the state data privacy laws of California and Virginia. While some commended the legislation for setting a national floor for data privacy, others said letting states pass stricter legislation on data privacy creates the same patchwork the national standard seeks to avoid. 

Kara Frederick, head of the technology policy center at the Heritage Foundation, will also testify before the committee. Her witness statement revolves around concerns about Big Tech companies collecting consumers’ personal information and the impact of social media on youth mental health.