Following Julie Brill’s comments earlier this year about “consumer generated health data” where she clearly implied that the Federal Trade Commission is looking at how they regulate health data beyond HIPAA, Deven McGraw and Susan Ingargiola have now published an article related to California state legislation (AB 658) enacted earlier this year. Essentially this regulation expands HIPAA type protections to include “any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information … in order to make the information available to an individual or a provider of healthcare at the request of the individual of a provider of healthcare, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment or management of a medical condition of the individual."
While this does not quite expand the definition to include the data included in your Fitbit device for example, theoretically if that device was linked to or was pulling data from a health care provider’s electronic medical record, then in that scenario it could now be covered in California.
With the FTC already taking enforcement action against health care companies using existing federal antitrust laws that protect against “unfair or deceptive acts or practices in or affecting commerce”, and with most states already carrying separate breach notification regulations, the trend we seem to be seeing is an expansion of protections.
With more and more sensitive health data now sitting outside the specific definition set by HIPAA, it is becoming clear that lawmakers are looking for new ways to provide enhanced protections for this data. FTC’s broadening of their scope added to newer regulations such as AB 658 means that any business managing or processing sensitive health data should be implementing sensible privacy and security practices regardless of whether HIPAA applies. Because increasingly that is no longer the principle measure.