Sens. John Kerry (D-Mass.) and John McCain (R-Ariz.) have introduced a commercial privacy bill to protect consumers against the unauthorized collection, use, and dissemination of their personal information. While the bill mentions personal health information, it is not clear how it would affect health data exchange.
The bipartisan bill--the Commercial Privacy Bill of Rights Act of 2011--would create a framework for data use that "does not allow for the collection and sharing of private data by businesses that have no relationship to the consumer for purposes other than advertising and marketing," McCain said in a statement.
Specifically, collectors of personal information must notify individuals that their data is being collected and must explain why. In most cases, consumers must be given the opportunity to opt out of this data aggregation. In the case of "sensitive personally identifiable information"--which includes personal health information--consumers must give affirmative consent (opt in) before their information is included in a database.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) already governs the dissemination of personal health information by healthcare providers, insurers, and other HIPAA-covered entities. Under HIPAA, patients must authorize any release of their information for marketing purposes, but providers caring for the same patient may exchange patient data for treatment without that authorization. It is in this area that the commercial privacy act could potentially conflict with HIPAA.
The Kerry-McCain legislation could be enforced by either the Federal Trade Commission or state attorneys general. The bill allows safe harbor programs to be created, but only if their protections for consumers remain as rigorous as those specified in the measure.