The Information Technology and Innovation Fund (ITIF), a prominent independent, nonpartisan think tank, has recommended a repeal of a number of U.S. privacy regulations, including HIPAA. ITIF has recommended that HIPAA, which it views as part of an ineffective patchwork of U.S. privacy regulations, should be replaced with new federal privacy laws.
What New Federal Privacy Laws Does ITIF Recommend?
ITIF has called for a series of changes to current federal privacy laws. ITIF recommendations call for the following new federal privacy laws:
- Federal privacy laws should be amended by creating new data protection rules. These rules would be based on the type of data and the entity collecting it, so as to enable consumers to make more informed decisions around their data. The rules would also establish clear consumer rights. In ITIF’s view, the rules should address concrete consumer harms, rather than hypothetical ones.
- Congress should minimize compliance costs, while improving enforcement and promoting international interoperability and cooperation among nations on the enforcement of data protection rules.
- Legislation should be enacted that directs the executive branch to vocally and forcefully advocate for the new U.S. approach to data privacy abroad.
- According to ITIF, such legislation should direct the U.S. to do this through bilateral agreements, such as those established in the Clarifying Lawful Overseas Use of Data (CLOUD) Act. The CLOUD Act is a 2018 law that created additional safeguards for cloud content; under the CLOUD Act, cloud service providers may challenge requests for cloud content that conflict with another country’s laws or national interests.
ITIF’s view on HIPAA boils down to this: HIPAA can either be left alone, or it can be updated. In ITIF’s view, neither option is feasible. Leaving HIPAA unamended would ensure doctor-patient confidentiality is protected, but would not account for the data security concerns posed by health apps. On the other hand, updating the HIPAA Security Rule to more tightly regulate health apps would, in ITIF’s view, stifle innovation.
In ITIF’s view, therefore, HIPAA and the patchwork of regulations across the U.S. should be replaced, through the adoption of new federal privacy laws, with a single, unified framework that extends across all industries and gives some industries greater data privacy protections than others. According to ITIF, Congress should create a single set of protections for sensitive data in certain instances, like health and financial services, while creating less burdensome rules for those industries that traditionally fall outside of HIPAA, such as apps.