Why health attorneys must not dismiss the revised Consumer Privacy Bill of Rights Act

Health lawyers should pay attention to a revised version of the Consumer Privacy Bill of Rights Act currently in the works, according to Indiana University law professor Nicolas Terry.

While a 2012 version exempted HIPAA-covered entities, since it was considered duplicative regulation, this new bill seeks to regulate data collection, Terry writes in a Health Affairs Blog post. HIPAA, he points out, is less focused on the collection of personal data than on its disclosure.

"It is a concept fundamentally at odds with current practices that maximize collection," he says. "Potentially, it may also clash with the ONC strategy of dramatically increasing data liquidity in order to promote interoperability."

The bill could have the greatest impact on those outside of HIPAA-regulated space, such as big data brokers and app developers, he says.

There would be a new regulator, too, rather than the Department of Health and Human Services Office of Civil Rights. Enforcement powers would be vested in the Federal Trade Commission and state attorneys general. Data minimization is long overdue in healthcare, Terry adds. 

Last summer, members of the House Committee on Oversight and Government Reform questioned the FTC's health data and cybersecurity authority. 

Brian E. Finch, a partner at Pillsbury Winthrop Shaw Pittman, and Brian T. Fox, a principal at PricewaterhouseCoopers recently advocated reducing the amount of stored data as a means to boost security.

In addition, the Health Information Trust Alliance last week released a new framework for de-identification of sensitive patient information as part of a risk-management strategy.

To learn more:
- check out the Health Affairs piece