The US data protection and privacy bill that is the focus of all of the current attention raises many complex issues. I want to focus on one detail of the bill. My basic purpose is to illustrate some of the difficulties of health information regulation that exist outside of the health care system.
The bill defines covered sensitive data as including “Any information that describes or reveals an individual’s past, present or future physical health, mental health, disability, diagnosis or medical treatment”. This definition of what we can call health data here seems quite broad and perhaps appropriately so. There is similar language in the Health Insurance Portability and Accountability Act. The HIPAA language expressly covers payment, but it is unclear whether ADPPA also covers payment data.
Given the Bill’s broad definition, what exactly is health data in practice? I offer some examples of problems that will arise. Pay attention to details. The question in each case is whether the consumer information is regulated health data under the ADPPA. For the purposes of discussion, assume that the merchant registers the consumer’s information.
- A consumer in a restaurant orders a sandwich on gluten-free bread. Health data? Is your answer different if the consumer informs the server of a gluten allergy and asks if there is a gluten-free option?
- A consumer buys gluten-free bread; yogurt that promises to help with digestive health; “heart-healthy” cereals; a bottle of aspirin; an over-the-counter supplement designed to help control tinnitus (ringing in the ears). These are just a few of the many non-prescription health-related items widely available.
- A consumer in a dietary supplement store buys creatine, an amino acid used to treat mitochondrial diseases and also for bodybuilding. The store may or may not know how the consumer will use the product.
- A consumer purchases reading glasses with 3X magnification. Another buys a large-print book. Another buys a book called “Eat To Beat Depression and Stress”.
- An overweight consumer on an airplane asks for a seat belt extender.
- A consumer presents proof of COVID-19 vaccination as a condition of entry into a store or theater.
- A consumer’s social media page reveals membership in an advocacy group for a named disease.
- A consumer’s social media posts reveal a medical condition with a 50% chance of inheritance. Is it consumer health information? The consumer’s children?
- A consumer tells an airline he has a broken leg and needs special treatment. Another consumer with flight anxiety brings an emotional support animal on the plane.
- A gym (or app or smartwatch or activity tracker) records a user’s information about a user’s workouts, steps, sleep patterns, or heart rate.
- A consumer books a hotel room designed for wheelchair users. Another consumer refuses a room on the thirteenth floor.
- A website monitors public and private messages to assess whether individuals show signs of mental instability, threatening behavior or suicidal thoughts.
- An automobile transportation service delivers a consumer to an address that is a hospital; a dialysis center; or a psychiatrist’s office.
- An office building asks an entering consumer for identification and copies the consumer’s driver’s license which indicates height, weight, need for vision correction and other medical conditions.
We can go on and on with these types of examples. The problem is that you often can’t tell what health information is without context. Almost any personal information can reveal something about health status in some context, where I live, what I ate for lunch, what I read, where I work, what kind of sneakers I wear, etc Additionally, the context may depend on whether the information is collected by observation, from a transaction, by disclosure by the data subject, from a third-party record, medical record, or audience.
HIPAA solves the context problem by defining covered entities as healthcare providers and health insurers. Therefore, health information is all personal information about an individual held by a covered entity. It doesn’t matter if the information is the patient’s diagnosis or the color of the patient’s car. Everything is equally protected by HIPAA. But, when HIPAA-protected information is transferred to someone outside of HIPAA, privacy rules do not follow the information and no privacy protections can apply. This approach has its flaws, but we absolutely know what regulated information is in the hands of HIPAA-covered entities. This is not the case with the ADPPA.
Not all ADPPA categories of sensitive information have the same need for context as health data. A credit card number is a credit card number in any context. Yet even that can be harder than you think. Are the last 12 digits of your 16 digit credit card regulated as a credit card number? If it’s a Visa card, the first four digits are the same for almost everyone. Is it important?
When a privacy law has different standards for different types of data, questions and issues arise at the boundaries between the categories. ADPPA leaves a lot of information to consumers with different levels of protection. A better solution might be to impose a higher and more consistent level of protection for all routinely processed personal information so that it is not so important whether a piece of data is “sensitive” or not.
Incidentally, the same problem identified here with health data arises with genetic information. You can know someone’s genetic information just by observation (gender, hair color, height, etc.), but you can also know the same information through genetic testing. Is it only genetic information under the bill, and how can you know that?
Finally, I end with an openly trick question about the bill. A consumer applies for a loan from a bank to pay for heart surgery. Is this health information in the hands of the Health Information Bank under ADPPA?
The answer is that the bank is not covered by the ADPPA because the bill exempts financial institutions regulated by the Gramm-Leach-Bliley Act. Yet GLB offers no meaningful privacy protections to consumers, so all consumer information, health or otherwise, held by banks is virtually unregulated for privacy. See my previous column on GLB. Banks use GLB as a shield against real privacy rules, and they succeed everywhere, laughing until… you get the idea.
In the meantime, this is an example of personal health data that has no privacy protections under the ADPPA.
Photo by Hush Naidoo on Unsplash