What is the Protecting Personal Health Data Act?

Proposed legislation known as the Protecting Personal Health Data Act was introduced in June of 2019 by Senator Amy Klobuchar (D-Minn.). This legislation, co-sponsored by Senator Lisa Murkowski (R-Alaska), would place privacy restrictions on wearable devices, health applications, and DNA testing kits.

What Requirements Would the Protecting Personal Health Data Act Impose?

The Protecting Personal Health Data Act would create a national task force to evaluate cybersecurity risks and privacy concerns associated with consumer products that use or access protected health information (PHI).

These products, which measure health, biometric (i.e., body measurements and other calculations), and genetic information, include health and wellness apps, home DNA testing kits, and healthcare wearable devices.

Healthcare wearable devices are devices worn by the user that can track the wearer’s vital signs, health and fitness-related data, and location. Examples of wearables include:

  • Activity trackers. Activity trackers include devices such as the Apple Watch and Fitbit that offer step tracking and pedometer functions.
  • Continuous glucose monitors (CGMs). CGMs allow for continuous monitoring of blood glucose levels by taking readings at set intervals. For the CGM to operate, a small electrode is placed under the skin and held in place by an adhesive.
  • Wearable heart rate monitors. Wearable heart rate monitors track a user’s heart rate.
  • Blood pressure monitors. Blood pressure monitors track a user’s blood pressure.

The legislation would also give consumers the right to access and delete PHI that companies offering products measuring health, biometric, and genetic information collect or use. As noted by Senator Klobuchar, while health tracking apps and home DNA testing kits allow people to monitor their own health more easily, these products have also given companies access to personal, private data with limited government oversight.

There is limited government oversight of these devices, and of the PHI that companies collect or use from them, because HIPAA does not cover wearable health devices or health and wellness apps in any of its regulations, including the HIPAA Privacy Rule and the HIPAA Security Rule. Furthermore, since the passage of HIPAA in 1996, no other federal laws designed to regulate these devices and their PHI have been passed.

Who Supports This Legislation?

Consumer Reports, data protection groups, and data privacy groups have all come out in support of the measure. Their argument is simple: companies that collect the PHI measured by these devices should be subject to at least the same stringent patient data access rules as hospitals.

These groups have further argued that the use of these devices also poses data security concerns; recent news reports have indicated that hackers can access wearable and wellness app data. This information can be sold on the dark web, and can also be shared with insurance companies or others.