The prospects for new federal privacy and cybersecurity legislation are improving as the Biden administration takes office, although few observers expect action on the issue before the COVID-19 pandemic is brought under control.
It’s unclear whether or how any such new legislation would affect HIPAA, or whether any HIPAA revisions would be included. But far-reaching cybersecurity and privacy legislation, if ultimately approved, likely would affect health care entities significantly even if HIPAA itself remains mostly untouched.
SolarWinds Hack May Spur Bills
A handful of federal lawmakers have taken the lead over the last two years on possible legislation, including Sens. Kirsten Gillibrand, D-N.Y., Sherrod Brown, D-Ohio, Maria Cantwell, D-Wash., and Roger Wicker, R-Miss., according to a report from the Brookings Institution.[1] In addition, the House Committee on Energy and Commerce has issued bipartisan draft legislation that could be used as a starting point.
David Harlow, chief compliance officer, Insulet Corporation, told RPP that he does not expect early action on broad federal privacy legislation from the Biden administration, but added, “reinvigoration of the federal cybersecurity infrastructure must be an immediate priority, particularly in light of the SolarWinds Orion exploit” involved in the hacking of multiple federal agencies.
In fact, when the SolarWinds hack was revealed in late 2020, then-President-Elect Joe Biden said that cybersecurity would be a top priority of his administration.[2] “We will make dealing with this breach a top priority from the moment we take office,” Biden said in a statement. “We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyber attacks.”
However, playing defense—even playing it well—isn’t enough, Biden said. “We need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place,” he said. “We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners. Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation.”
Harlow said he believes California will lead the way in state efforts to legislate on privacy issues. “In the absence of federal privacy legislation, the CPRA [California Privacy Rights Act] may well become a de facto national standard,” he said. “New York and Washington are states that were active in the last legislative session and are likely to be active in the new year as well.”
Ultimately, however, changes will be needed to HIPAA in order to protect health privacy in the way consumers believe is necessary, Harlow said. “The very definition of PHI [protected health information] is a threat to the security of what many of us consider to be personal health-related information,” he said. “Because of the origin story of HIPAA, the definition of PHI is very narrow, compared to the way many of us think about health data colloquially. We consider data collected and shared by our wearables, digital health apps, smart devices, etc., to be worthy of the same protection as any electronic health record.”
For example, current law protects data from wearables if the device was given to a patient by a health care provider, but doesn’t protect that same type of data if the patient purchased the device and uploaded the data to an app, Harlow said. “That makes no sense at all to most people, and the expectation that such data should be protected may lead to behavior that may be risky from a cybersecurity perspective,” he added.