Privacy Laws Stifling Medical Innovation, Lawmakers Say


By Alex Ruoff

March 22 — Federal health privacy laws are hindering innovation on medical technology, House lawmakers said March 22.

Lawmakers called federal health privacy laws “old and unclear” and in need of updating. These laws are enforced inconsistently across federal agencies and are preventing health-care organizations from sharing health data with their patients and each other, they said.

“Right now, the sheer number of federal agencies and often conflicting rules one must navigate to invest in this space, chills investment and entrepreneurship,” Rep. Will Hurd (R-Texas), chairman of the House Oversight and Government Reform Subcommittee on Information Technology, said during a March 22 hearing.

Lawmakers asked officials from the Department of Health and Human Services and the Federal Trade Commission how federal laws could be altered to improve consumer privacy and technology innovation. An FTC official asked for new authorities for her agency to fine companies that lose consumer data.

In addition, Karen DeSalvo, the national coordinator for health IT, asked lawmakers to grant her agency more money and the authority to investigate instances of data blocking, or purposefully preventing health-care providers from sharing patient records.

Members of the House for years have been debating ways to modernize the country's long-standing, central privacy law, the Health Insurance Portability and Accountability Act, to ensure health-care organizations can make better use of innovative health technologies.

However, the effort has gained little traction despite complaints from technology groups and lawmakers.

Hurd was among a bipartisan group of lawmakers who earlier in March asked HHS Secretary Sylvia Mathews Burwell to clarify how HIPAA applies to mobile health apps.

The lawmakers said doctors want to communicate with their patients via text messages or through mobile apps but are often reluctant to do so out of fear of running afoul of federal health privacy laws.

FTC Request

The FTC wants the power to fine companies that compromise Americans' privacy, Jessica Rich, director of the agency's Bureau of Consumer Protection, said at the hearing.

The FTC wants the authority to seek civil penalties for “all data security and breach notice violations,” Rich said. The expanded authority would allow the FTC to better protect consumer privacy and fill the gaps between existing federal privacy laws, she said.

Currently, the FTC can only fine companies that compromise children's privacy or violate the Fair Credit Reporting Act, which ensures the accuracy and fairness of consumer credit bureaus. Rich also said the FTC should have the authority to bring cases against nonprofits.

A number of companies, namely mobile app developers, collect health-related data but aren't health-care providers and are therefore not subject to HIPAA, Rich said.

Under the FTC Act, the FTC can also investigate any company that gets hacked and can bring legal action against companies that fail to adequately protect consumer data, Rich told Bloomberg BNA March 22. However, the agency can only ask companies to improve their security protocols.

“We think civil penalties would add to our ability to encourage companies to better protect people's privacy,” Rich told Bloomberg BNA.

Issues With HIPAA

Federal health privacy laws have hindered some efforts to link the electronic health records of different health systems, a major policy goal of the HHS, Jim DeGraw, a partner with the San Francisco office of the law firm Ropes & Gray, told Bloomberg BNA.

Efforts to combine record systems to support research projects or improve care coordination among providers in a particular area often run into practical problems created by federal privacy laws, DeGraw said. For example, health-care provider and payer organizations often can't determine if every patient whose record they hold has consented to have it shared with another party, a requirement of HIPAA, he said.

But DeGraw said he believes technology companies and health-care organizations are already changing their practices to sidestep any privacy issues. He said companies are increasingly deploying advanced security measures meant to protect consumers' privacy to avoid scrutiny from regulators in the first place.

“Careful companies are going to take a broader perspective and just make sure they protect the data no matter what,” DeGraw said.

To contact the reporter on this story: Alex Ruoff in Washington at

To contact the editor responsible for this story: Patty Logan at
