Existential challenges for healthcare data protection in the United States

Date
2017-01
Language
English
Abstract

There are increasing threats to healthcare data protection in the United States. Most federal data privacy laws apply only to specific sectors, such as healthcare, education, communications, or financial services. In the absence of comprehensive data protection legislation, there are multiple sectoral approaches. These privacy laws are noticeably limited in their vertical scope, preferring downstream protections such as confidentiality, security, and breach notification. Hardly any US laws contain upstream requirements that minimize or otherwise limit data collection. The imminent “EU General Data Protection Regulation” (GDPR) is considerably more comprehensive. Horizontally, it applies to all sectors of the economy, all broadly defined “personal data,” and all who control or process data. Vertically, it applies protective standards throughout the lifespan of data. In the US, the primary federal law applying to healthcare data comprises regulations known as the “HIPAA Privacy and Security Rules.” The HIPAA rules provide considerably weaker protection than the GDPR, although they are far stronger than the protections applicable to other commercial sectors in the US. HIPAA has relatively narrow scope, essentially only applying to data held by traditional healthcare providers and applying only downstream protections: confidentiality, security, and breach notification. Notwithstanding their weaknesses, the HIPAA rules are quite detailed and generally well enforced. Thus, HIPAA has created expectations in patients that all their healthcare data are safe. This is no longer the case, either within the HIPAA “zone” or outside of it. First, traditional providers have almost completed their transition from paper to electronic health records, during which they swap the protections inherent in unconnected file rooms for far riskier computerized longitudinal databases. Second, multiple parties outside of healthcare view healthcare data as having great value; “big data” brokers collect healthcare data or medically-inflected data for their predictive analytics products, while cybercriminals long since have recognized the profit in stealing health records. Third, consumer electronics companies continue to disrupt healthcare data markets (and data protection) by encouraging consumers to themselves collect and curate data from mobile health apps, wearable devices and the “internet of things.” These challenges to healthcare data protection highlight the fundamental flaws of domain-limited protections and over-reliance on a limited set of protective models. The former because disruptive businesses and technological innovations can make a nonsense of narrowly-defined sectoral protections. The latter because policymakers need a broader array of tools to combat modern challenges, while reliance on downstream models intrinsically concedes the correctness of unregulated data collection. The outlook for US healthcare data protection is increasingly bleak. In the aftermath of the 2016 US election, it is quite likely that HIPAA rules will be enforced with less enthusiasm, encouraging an increase in data leaks from the health care system. Further, those victorious in the election are no friends of pro-privacy regulatory agencies and some of their data protection activities may be reined in. It is also extremely unlikely that comprehensive privacy legislation will be passed by the incoming administration. Yet, technological progress and consumer choice almost inevitably will result in increasing amounts of healthcare data being created and processed outside the HIPAA-protected zone. Not surprisingly, therefore, healthcare data protection in the US faces a perilous future and one that increasingly will be at odds with the protections offered by its trading partners.

Cite As
Terry, N. (2017). Existential challenges for healthcare data protection in the United States. Ethics, Medicine and Public Health, 3(1), 19-27. http://dx.doi.org/10.1016/j.jemep.2017.02.007
Type
Article