Prof. Peter Swire, Elizabeth and Thomas Holder Chair at the Georgia Tech Scheller College of Business and Senior Counsel at Alston & Bird, has published a new white paper on “Possible Privacy, Cybersecurity, and Data Breach issues in the Proposed National Medical Claims Database Under Section 303 of S. 1895.”
Senators Lamar Alexander (R-TN) and Patty Murray (D-WA), the Chair and Ranking Member of the Senate Committee on Health, Education, Labor & Pensions (HELP), introduced “The Lower Health Care Costs Act,” or Senate Bill 1895, on June 19, 2019. The bill, as amended, was approved by the HELP Committee on a bipartisan vote on June 26. Titles I and II of the bill are entitled “Ending Surprise Medical Bills” and “Reducing the Prices of Prescription Drugs.” Title III of the bill is entitled “Improving Transparency in Health Care,” and includes Section 303, titled “Designation of a Nongovernmental, Nonprofit Transparency Organization to Lower Americans’ Health Care Costs.”
This White Paper solely discusses Section 303. The White Paper discusses the four key stages of how data would flow in the proposed system:
1. Health insurance issuers and others who supply data to the Non-Profit created by the bill:
a. A first category of risk concerns what happens to individuals and their employers in the event of a data breach by the Non-Profit or a recipient of data from the Non-Profit.
b. There are other risks that arise as the issuers are required to send claims information to the Non-Profit. For instance, the bill does not appear to authorize data use agreements to protect the data, and may not provide appropriate technical input on how to transfer comprehensive claims data to the Non-Profit.
2. Processing data within the Non-Profit:
a. The Non-Profit would be subject to HIPAA privacy, security, and breach rules, under new rules by the Secretary of HHS (“the Secretary”). The scope of the Secretary’s rulemaking authority is not clear, however, especially concerning whether HIPAA protections would apply to other entities that receive claims data from the Non-Profit.
3. The Non-Profit exchanges data with business associates, who act on its behalf:
a. The Secretary’s rulemaking authority, on its face, does not appear to place the Non-Profit’s business associates under HIPAA. The same was true under the original HIPAA rules, but Congress in 2009 ensured that business associates would be subject to HIPAA requirements.
4. Employers, researchers, and others who receive data from the Non-Profit:
a. The bill authorizes a potentially large number of entities to access the claims database, including employers generally. As with business associates, it appears that employers and other authorized users would not be subject to the HIPAA Privacy and Security Rules, and HHS breach notice requirements.
For each stage, the White Paper sets forth the relevant provisions in the current version of S. 1895, and then analyzes possible privacy, cybersecurity, and data breach issues that may arise.
After discussing the stages of data flow, the White Paper turns to a topic already addressed in considerable detail in the bill, the de-identification and possible re-identification of patients when information about their claims is provided to the Non-Profit, subject to rulemaking by the Secretary. The White Paper summarizes risks of re-identification under the bill, and provides an Appendix to examine these issues in greater detail. The White Paper concludes with short observations on miscellaneous provisions in the current draft of the bill.