
Post on 14-Dec-2015


Current Law: Health Care Big Data

Kirk J. Nahra

Wiley Rein LLP

Washington, D.C.

202.719.7335

KNahra@wileyrein.com

@kirkjnahrawork

(Dec. 8, 2014)

The Problem

• HIPAA has never covered all health care data

• Explosion in mobile apps, web sites, PHRs and other areas has made the gaps much bigger

• Health care entities are now using a broader range of “non-health” data for health care purposes.

• So what kinds of protections are available for this “non-HIPAA” data?


The FTC Act

• The FTC has broad authority in general to “prevent . . . unfair or deceptive acts or practices.”

• No regulations in this area

• FTC has developed enforcement of data security standards (although these are under challenge)

• FTC has not to date undertaken broad “privacy” enforcement in the healthcare area


The FTC Act

• FTC clearly can take enforcement action against statements that are not true – e.g., privacy notices that mis-state what is being done with info.

• Is there an ability to go more broadly against “unfair” practices? What would those be?


FCRA

• Regulates consumer reporting agencies (primarily) in connection with credit, employment and insurance.

• Consent required to report medical information for these purposes (with some disclosure for medical debts)

• Prohibitions on using medical information for credit purposes (except for debt issues)


Problems today

• No clear “privacy” standards for FTC other than truly egregious behavior

• FCRA is of important but very limited relevance

• State law is confusing, often outdated and seldom enforced

• Substantial open gaps in protections for data that is not clearly within the HIPAA structure

• Becoming harder to define what “healthcare data” is.


Next Steps

• 3 Main Options

• Something specific for this non-HIPAA health care data

• Something that covers all health care data (a “general” HIPAA) – either through HIPAA or otherwise

• A broader overall privacy law (with or without a HIPAA carve-out)


Questions?

For further information, contact:

• Kirk J. Nahra

Wiley Rein LLP

202.719.7335

Knahra@wileyrein.com

@kirkjnahrawork

• Subscribe (for free) to Privacy in Focus - http://www.wileyrein.com/publications.cfm?sp=newsletters
