Please regulate us. That’s the message companies handling patient data are sending to Congress, fearing a patchwork of state rules that will put them at a global disadvantage.
Patient data privacy bills from both Republicans and Democrats have stalled in Congress heading into an election year and a possible impeachment fight. That makes businesses like Johnson and Johnson Inc. and Stryker Corp. uneasy as California readies its own rules letting patients decline the sale of their data and giving them the right to sue if their information is stolen due to company negligence.
Any legislation is looking rocky, with the parties divided on the scope of a potential bill and how much it should mirror European data privacy protections. That has businesses preparing for a world of state-by-state rules, with California readying a 2020 ballot measure that would give consumers more control over the collection of their health information.
That could catch up a new wave of companies that haven’t previously had to comply with laws like the Health Insurance Portability and Accountability Act.
Since California passed its law in 2018, at least seven more states including Massachusetts—home to companies such as Boston Scientific Corp. and Philips Healthcare—have explored similar bills.
Johnson and Johnson, Stryker, Amazon Inc., and other companies recently asked Congress to pass a federal data privacy law that would protect consumer information and ensure digital innovation. A single federal standard is preferable to each state setting its own requirements, they said.
At a Disadvantage
The absence of federal data protections makes it more difficult for U.S. companies to break into the European market, according to Michael Waters, a member of the tech transactions and data privacy practice at Polsinelli PC.
“The EU restricts the transfer of personal information into the U.S. from the EU. It can be done, but there are significant hoops organizations must jump through,” he said. “These restrictions are in part due to a belief in the EU that the U.S. does not have sufficient privacy laws in place.”
Under the European Union’s General Data Protection Regulation (GDPR), businesses must ensure any data received can’t be traced back to the individual.
That makes compliance a little clearer, according to Shane Nolan, senior vice president at IDA Ireland. IDA Ireland is an Irish government agency that attracts foreign direct investment to the country.
“In the EU, one standard covers all 27 countries and the regulations have a one-stop-shop provision, meaning a company can designate one country to be its lead regulation authority,” Nolan said.
Ireland, which is the second largest market in the world for medical devices, has drawn medtech companies because of support from the Irish government helping them comply and move throughout the EU. More than 300 U.S.-based medical device companies have plants in Ireland, including Abbott Laboratories, Stryker, and General Electric Healthcare Systems.
Sen. Marsha Blackburn (R-Tenn.), who introduced a privacy bill (S.1116) in April, told Bloomberg Law she doesn’t want any U.S. standard to mirror the GDPR because it stifles competition and is difficult to implement.
Blackburn’s bill would require communications and tech companies to provide a clear notice of their privacy policies and would allow users more choice over which personal data can be collected.
Federal Agency Standoff
Any federal privacy bill needs to clarify which agencies would take the lead on regulations. The Federal Trade Commission typically regulates data privacy and security within commercial companies—including device manufacturers—around deceptive and unfair trade practices. But the Department of Health and Human Services manages HIPAA, which covers medtech in some instances.
Multiple lawmakers, including Rep. Suzan DelBene (D-Wash.) and Blackburn, favor the FTC as the regulatory enforcer for their privacy bills, without overstepping the HIPAA standards already in place.
“My legislation does not preempt HIPAA, and the current structures regulating healthcare would remain. I believe my bill—and the FTC’s enforcement abilities—should serve as a supplement to HIPAA regulations, not replace them,” DelBene told Bloomberg Law.
DelBene introduced the Information Transparency and Data Control Act (H.R. 2013) in April.
“All these other collectors of health data, mostly not covered by HIPAA, of which device companies are one—there’s also social media, websites, and apps—so industries and advocates are going to say we should have a new law that covers you guys, and the issue of who has jurisdiction just isn’t clear,” Deven McGraw, the chief regulatory officer for digital medical records platform Ciitizen, said.
HIPAA offers national rules to protect medical records and other personal health information, electronically or otherwise, but it only covers health plans, clearinghouses, and providers. Medtech companies aren’t covered by HIPAA unless they’re business associates of the covered entities.
However, a new federal law that takes the place of various state standards only works if it addresses competing federal requirements as well, said Linda A. Malek, a partner at Moses & Singer LLP and chair of the firm’s health care and privacy and cybersecurity practice groups.
Blackburn told Bloomberg Law that HIPAA also should be updated, which could happen before the end of the year.