Health Data Privacy and Security Regulations: What's Next?
Privacy Attorney Kirk Nahra Discusses Fed, State Efforts to Fill Regulatory Gaps
Gaps in federal regulations concerning the security and privacy of health data falling outside HIPAA's umbrella are getting filled to some extent by various state laws. But that's creating additional challenges, says privacy attorney Kirk Nahra of the law firm WilmerHale.
For instance, the California Consumer Privacy Act sometimes applies to health data not covered by HIPAA, "but the problem we're seeing in California, and other states that have loosely followed California, is that we now have a whole bunch of different rules for the same information, depending on who has it and what they're doing with it - and I think that's a problem," he says.
Now, Nahra says, the questions on a federal level include whether Congress might act specifically to address the privacy and security of non-HIPAA health data or whether it might consider a more general national privacy law that will have the effect of imposing some rules on non-HIPAA health data.
But the idea of potentially extending the HIPAA privacy and security rules to cover health data not currently falling under HIPAA - such as mobile health apps and wearable health device data - is much more challenging, Nahra says.
He says the main obstacles include the limited scope of the types of entities to which HIPAA applies, as the law was written decades ago, including mostly hospitals, doctors and health insurers - "the mainstream core of the healthcare industry."
He says: "HIPAA is a set of rules that work great both for patients and industry … because it is targeted to what doctors, hospitals and insurers do. I don't think you can just extend that to what a mobile app or a wearable health device does."
While expanding HIPAA is quite difficult, he says, there should be "some principles" to address non-HIPAA covered data.
In the interview (see audio link below photo), Nahra also discusses:
- Other critical considerations involving the privacy and security of health data falling outside of HIPAA;
- Congressional proposals to create a new committee to examine health data security and privacy regulatory gaps;
- Recent enforcement trends by state attorneys general and federal regulators involving health data privacy and security incidents.
Nahra is a partner with WilmerHale in Washington, D.C., where he co-chairs the global cybersecurity and privacy practice. He analyzes the requirements of privacy and security laws across the country and internationally, providing advice on data breach issues, enforcement actions, big data issues, contract negotiations, business strategy and overall privacy, data security and cybersecurity compliance.