Data Security Bill May Leave Health Data at Risk

Register now

Draft congressional legislation to create a national standard on data security and breach notification does not address healthcare data, leaving consumer health information vulnerable, according to the Federal Trade Commission.

A draft bill, authored by House Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-Tenn.) and Rep. Peter Welch (D-Vt.), would require certain entities that collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of a breach of security.

However, Jessica Rich, director of the Bureau of Consumer Protection at the FTC, told a House subcommittee on Wednesday that the draft Data Security and Breach Notification Act of 2015 does not cover certain types of consumer information such as health data “even though misuse of this and other information can cause real harm, including economic harm, to consumers."

Also See: Consumer Privacy, Security at Risk from Internet-Connected Health Devices

Rich warned lawmakers that “bad actors” have an economic incentive to target valuable health data for sale to debt collectors or private investigators. “Indeed, the Commission has seen instances where bad actors have hacked into company systems and stolen consumers’ personal information in order to extract payments for its return,” she testified.

According to Rich, a breach revealing that an individual attends counseling for addiction could result in real economic and physical harms, and revelations about an individual’s cancer treatment might cause them to lose a job or to receive calls from debt collectors.  She argued that companies collecting information about an individual’s physical or mental health condition should have a duty to provide reasonable security for this data.

The problem, Rich told the subcommittee, is that some of the state data security and data breach laws that protect this information would be preempted under the draft bill. In addition, she argued that the legal situation is complicated by the fact that businesses operating in the consumer generated and controlled health information space might not be covered by HIPAA and as a result not be subject to HIPAA’s data security protections.

Rep. Michael Burgess (R-Tex.), chairman of the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing, and Trade, said that while he hopes that the committee will have an opportunity in the future to look at the issue of healthcare data, that should not prevent Congress from moving forward with legislation.

“Healthcare data has its own set of policy issues—where sharing data if done properly—could have tremendous public benefits and save lives,” Burgess commented. “But there is law in this area—HIPAA—and taking on healthcare privacy and data in this bill would delay the consumer benefits that we can provide under this draft.”

Currently, there are 47 different state laws dealing with data breach notification and 12 state laws governing commercial data security, which “creates confusion for consumers looking for consistency and predictability in breach notices as well as complex compliance issues for businesses as they secure their systems after a breach,” according to a memo from the House Energy and Commerce Committee’s majority staff.

The draft bill would establish a single federal regime enforced by the FTC and subject to civil penalties. Further, state attorneys general would be authorized to “enjoin violations, compel compliance, or seek civil penalties” for violations of the Data Security and Breach Notification Act.

Text of the draft legislation is available here.

For reprint and licensing requests for this article, click here.