FTC: Draft Data Protection Bill Should Cover Health Information
March 19, 2015 in News
At a House subcommittee hearing on Wednesday, a Federal Trade Commission official raised concerns that draft legislation to develop a national standard for data breach notification and security does not include protections for consumer health information, Health Data Management reports (Slabodkin, Health Data Management, 3/19).
Draft Legislation Details
The Data Security and Breach Notification Act of 2015, introduced by House Energy and Commerce Committee Vice Chair Marsha Blackburn (R-Tenn.) and Rep. Peter Welch (D-Vt.), would establish a national standard for the way companies protect consumers’ personal information and respond to data breaches (Gold et al., “Morning eHealth,” Politico, 3/19). Specifically, the draft bill would require entities that collect and store consumers’ personal information to keep such data secure and to notify individuals if the data are breached.
During a House Subcommittee on Commerce, Manufacturing and Trade hearing, FTC’s Bureau of Consumer Protection Director Jessica Rich said that the draft bill lacks protections for health information “even though misuse of this and other information can cause real harm, including economic harm, to consumers.”
Rich noted that hackers have monetary incentives to target individuals’ personal health data because the information can be sold to debt collectors and private investigators.
Further, Rich said that a breach of individuals’ personal health data could lead to them losing their jobs or other repercussions. She added that companies storing data on individuals’ physical and mental health should be responsible for keeping the information secure.
Rich explained that the draft bill could pre-empt some of the state data security and data breach laws that protect patients’ sensitive health information.
Despite Rich’s concerns, House subcommittee Chair Michael Burgess (R-Texas) recommended that Congress move forward with the draft legislation. He said, “Health care data [have] its own set of policy issues — where sharing data if done properly — could have tremendous public benefits and save lives. But there is law in this area — HIPAA — and taking on health care privacy and data in this bill would delay the consumer benefits that we can provide under this draft.”
However, Rich argued that some businesses that focus on consumer-generated and consumer-controlled health data might not be covered under HIPAA (Health Data Management, 3/19). She urged lawmakers to revise the bill to include protections for a broader set of data, including devices that collect information.
In addition, Rich pressed lawmakers to give FTC rulemaking authority to create more specific protections for data security and breach notification (“Morning eHealth,” Politico, 3/19).