Bloomberg Law

Busy Privacy Agenda for 2020 Has Health Companies on Edge

Dec. 31, 2019, 10:27 AM

Health technology companies face stricter privacy rules and risk steeper fines in 2020 as they navigate a ream of new state and federal rules to protect patient privacy.

With congressional updates to the Health Insurance Portability and Accountability Act looking unlikely, the Department of Health and Human Services plans to spend 2020 working on rules tackling privacy issues such as cybersecurity and patients’ right to their data.

Ensuring those rules work in concert, even as states set their own standards, will be critical to keeping patient data secure as it is shared, according to health tech advocates.

For example, rules allowing patients to have free access to their health data can conflict with HIPAA or state laws to protect privacy, Mari Savickis, vice president of federal affairs at the College of Healthcare Information Management Executives (CHIME), said.

“So, as a result, there might be an under-sharing of information because people are afraid of HIPAA violations, but there could be oversharing because you don’t want to be a data blocker. There are pieces that were not well ironed out,” she said.

New Rules, New Complications

An HHS health technology proposed rule would allow patients free access to their health information and prevent providers and health tech vendors from improperly exchanging or withholding the data. It was panned by the health industry over confusing definitions and conflicts with current health privacy laws.

For example, hospitals, doctors, IT developers, and other data exchange channels could refuse to share the data if it would cause physical harm or if it would violate the patient’s privacy. However, proving that exemption could be difficult and run the risk of costly penalties.

The HHS’ Office of the National Coordinator for Health Information Technology had wanted the rules finalized by the end of 2019, but the White House is still considering industry feedback.

“It’s a good thing that they’re still taking meetings because that means they’re listening to stakeholder input,” Savickis said.

The rules will have far-reaching consequences as health information technology evolves, and it’s important to get the standards right, she said.

States Step Up

Complicating the picture, several states have moved forward with their own privacy standards once it became clear Congress was unlikely to act immediately.

At least eight states have readied their own patient protections since data privacy bills from both Republicans and Democrats stalled in Congress. That means 2020 will be the year the health-care industry grapples with a patchwork of state-by-state rules rather than the single national standard they begged Congress for.

“It’s a real concern because all of the state frameworks are going to be slightly different, and that’s going to make complying a nightmare for businesses. It’ll wind up making data less secure,” Colin Zick, the co-chair of the healthcare and privacy group at Foley Hoag LLP in Boston, said.

Companies that handle health data in California will have to comply with three laws in 2020—HIPAA, the California Confidentiality of Medical Information Act, and the newest privacy provisions under the California Consumer Privacy Act, which take effect Jan. 1, Kirk J. Nahra, a privacy and cybersecurity partner at WilmerHale in Washington, D.C., said.

“The fact that there are three frameworks for what is often the same data is creating lots of business problems, compliance challenges, and difficulties for the health care system and for patients,” Nahra said.

California’s newest privacy rule allows patients to decline the sale of their data and gives them the right to sue if their information is stolen due to company negligence. That could catch up a new wave of companies that haven’t previously had to comply with laws such as HIPAA, which only covers data collected by health-care providers, health plans, and clearinghouse billing systems in the industry.

California is also readying a 2020 ballot measure that would give consumers more control over collection of their health information. Attorney General Xavier Becerra (D) Dec. 17 approved Californians for Consumer Privacy’s effort to gather the 623,212 signatures required to get it before voters.

New York also hopes to pass a new law with privacy requirements that the industry says go further than California’s.

The Empire State’s privacy legislation (S.5642) is broader than California’s: it includes a wide-ranging definition of privacy risk, and the exemptions it allows are unclear, according to Nora L. Schmitt, an associate in the healthcare and privacy & cybersecurity practices at Moses & Singer LLP in New York.

“If passed in its current form, the New York Privacy Act would be a game-changer,” Schmitt said. “It would likely be the most stringent data privacy law in the country and would have huge implications for the industry.”

The measure currently sits in the New York Senate’s Consumer Protection Committee.

Calls for Clarity

The increasingly tangled regulatory landscape has the medical industry calling for clarity, putting pressure on the HHS to issue its upcoming health privacy rules quickly.

“I do think it’s something that will be top of mind within the next two years and I think we’ll see some actual drafts within the next two years,” Brennan Mason, chief marketing officer of Bridge Connector LLC, a health IT company, said. “But at some point reform has to come soon because HIPAA was written without any of the context of all the ways we engage with patients now.”

The last significant upgrade to HIPAA came in 2013. It clarified when breaches of protected health data must be reported to HHS’ Office for Civil Rights, addressed patients’ access to their data, and spelled out how HIPAA extends to business associates of the three covered entities.

The OCR saw a significant rise in HIPAA cases under investigation affecting 500 or more people in 2019. For example, more than 200 hacking and IT cases are under investigation among providers this year compared to roughly 160 total cases in all of 2018, according to OCR data.

For now, the medical industry has to figure out how it will navigate all the regulations coming.

“There needs to be more talk nationally about the way that we as consumers give away our data freely and maybe not fully understanding what the implications are when that happens,” Savickis said. “Health IT has a lot of anxiety around the notion that patients aren’t fully in sync with what’s happening with their health information, so privacy will absolutely be a big thing to pay attention to in 2020.”

To contact the reporter on this story: Ayanna Alexander in Washington at

To contact the editors responsible for this story: Fawn Johnson at; Andrew Childers at