
Alston & Bird Privacy, Cyber & Data Strategy Blog

White Paper on Privacy Issues in Proposed New National Medical Claims Database

September 30, 2019 By Peter Swire

Prof. Peter Swire, Elizabeth and Thomas Holder Chair at the Georgia Tech Scheller College of Business and Senior Counsel at Alston & Bird, has published a new white paper on “Possible Privacy, Cybersecurity, and Data Breach issues in the Proposed National Medical Claims Database Under Section 303 of S. 1895.”

Senators Lamar Alexander (R-TN) and Patty Murray (D-WA), the Chair and Ranking Member of the Senate Committee on Health, Education, Labor & Pensions (HELP), introduced “The Lower Health Care Costs Act,” or Senate Bill 1895, on June 19, 2019. The bill, as amended, was approved by the HELP Committee on a bipartisan vote on June 26. Titles I and II of the bill are entitled “Ending Surprise Medical Bills” and “Reducing the Prices of Prescription Drugs.” Title III of the bill is entitled “Improving Transparency in Health Care,” and includes Section 303, titled “Designation of a Nongovernmental, Nonprofit Transparency Organization to Lower Americans’ Health Care Costs.”

This White Paper solely discusses Section 303. The White Paper discusses the four key stages of how data would flow in the proposed system:

1. Health insurance issuers and others who supply data to the Non-Profit created by the bill:

a. A first category of risk concerns what happens to individuals and their employers in the event of a data breach by the Non-Profit or a recipient of data from the Non-Profit.

b. There are other risks that arise as the issuers are required to send claims information to the Non-Profit. For instance, the bill does not appear to authorize data use agreements to protect the data, and may not provide appropriate technical input on how to transfer comprehensive claims data to the Non-Profit.

2. Processing data within the Non-Profit:

a. The Non-Profit would be subject to HIPAA privacy, security, and breach rules, under new rules by the Secretary of HHS (“the Secretary”). The scope of the Secretary’s rulemaking authority is not clear, however, especially concerning whether HIPAA protections would apply to other entities that receive claims data from the Non-Profit.

3. The Non-Profit exchanges data with business associates, who act on its behalf:

a. The Secretary’s rulemaking authority, on its face, does not appear to place the Non-Profit’s business associates under HIPAA. The same was true under the original HIPAA rules, but Congress in 2009 ensured that business associates would be subject to HIPAA requirements.

4. Employers, researchers, and others who receive data from the Non-Profit:

a. The bill authorizes a potentially large number of entities to access the claims database, including employers generally. As with business associates, it appears that employers and other authorized users would not be subject to the HIPAA Privacy and Security Rules, and HHS breach notice requirements.

For each stage, the White Paper sets forth the relevant provisions in the current version of S. 1895, and then analyzes possible privacy, cybersecurity, and data breach issues that may arise.

After discussing the stages of data flow, the White Paper turns to a topic already addressed in considerable detail in the bill, the de-identification and possible re-identification of patients when information about their claims is provided to the Non-Profit, subject to rulemaking by the Secretary.  The White Paper summarizes risks of re-identification under the bill, and provides an Appendix to examine these issues in greater detail. The White Paper concludes with short observations on miscellaneous provisions in the current draft of the bill.

About Peter Swire

Peter Swire is senior counsel on Alston & Bird's Privacy & Data Security Team. He has been a leading privacy and cyberlaw government official, academic and practitioner since the rise of the Internet in the 1990s.
