National or Local: How Should Privacy be Determined

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure, #HCdeJure

The debate around privacy that had been forefront of mind for many prior to COVID-19 disrupting everything has not gone away. Instead, privacy has been simmering in the background, every so often being thrust into the spotlight during the course of the pandemic. The spotlight has shone because of the need for data around individuals infected with and/or exposed to the virus, research, data collection, and the rapid increase in the number of cyberattacks on organizations holding sensitive data. The short list of issues is just that though, a list of issues impacting privacy, not what is or could be done to enhance privacy.

The discussion around a solution had been gaining steam in early 2020, but lost the immediate attention of legislators and regulators. That does not mean proposals for movement have not occurred. Various bills floated around Congress only to be forgotten with the combination of the virus and an election year. States also toyed around with ideas, some of which seek to build upon the changes enacted in California.

The common element to many of the proposals is to create a more comprehensive scheme around privacy as opposed to an industry by industry approach (at least to the extent that even exists). The broader approach is premised upon the European Union’s General Data Protection Regulation and some privacy laws in Asia. The California Consumer Privacy Act falls into this vein by incorporating a broad definition of sensitive information.

A comprehensive approach to privacy that does not focus on one particular industry makes sense in a modern age where technology creates and collects ever increasing amounts of data while also breaking down old barriers between activities. Following an overly sectoral approach to privacy leaves too many opportunities for innovation to surpass and undermine the purpose or intent of a statute. That is certainly the line of complaint around HIPAA, in asserting that many forms of digital health are not covered because of a direct to consumer approach. HIPAA, by its arguably limited (or, alternatively, targeted) nature, was not intended to apply to all healthcare data, but only to healthcare data in certain circumstances. That was a justifiable approach when the law was enacted over two decades ago, but now healthcare data are created in a much wider array of circumstances, which means a lot of the data are left to be protected by less specific laws or regulations.

The newer privacy laws seek to remedy the limitations of HIPAA by framing privacy more around the entire person. Instead of attempting to define an industry, sensitive information relates to the individual regardless of the circumstances. The broad approach is appealing and then moves into carving out areas of strict compliance. The premise of full application unless a condition is met does help establish more commonality. The issue of commonality is also addressed by not having a law apply only to healthcare, financial or some other sector. If all are put on the same footing, then all are playing by the same rules. A lot more nuance goes into the actual construction and application of the newer privacy laws, but the basic approach of one set of rules is arguably a fair way to boil it down.

Leaving aside the intricacies of what exactly to include in a new privacy law, a potentially even more fundamental question is whether a privacy law should be the result of federal or state action. States (led by California) have taken the early lead. In the long run, initial actions by the states could be helpful, as they fulfill the states-as-laboratories approach championed early in the United States’ history. While the states can serve as places of experimentation, that may not be the best approach when it comes to something as fundamental as privacy.

Setting varying privacy rights and obligations on a state by state basis becomes quite complicated in an interconnected world where businesses are hardly ever doing business in just one location and individuals can move around with ease. In the current world where business often occurs everywhere and anywhere, the attendant compliance burden of different schemes in different states can easily dissuade businesses from expanding and create confusion even for individuals. That scenario is not unlikely.

A privacy scheme driven by the federal government probably represents the best way of setting a common system that applies to all individuals and businesses across all of the states. Federal law is able to set a baseline standard or even pre-empt state law completely in a particular field. For an area of such importance as privacy, one overarching system is appealing. One set of rules would come into place that applies to everyone. No patchwork approach would be needed, which would also prevent a predicted rush to the state with the least protections, or the creation of disparities based on where individuals live.

Going back to the point that states have begun experimenting though, it means a federal approach would not have to start from square one. Instead, a federal approach can learn from and expand upon lessons learned at the state level. By advancing earlier efforts, the hopeful new legislation would be more mature and less likely to run into the same stumbling blocks that some of the early adopter states may have encountered.

A federal approach will not come without its own shortcomings or negatives, but no solution is ever perfect. Instead, care should be taken to craft the best possible outcome while recognizing practical impacts and limitations. Ultimately, privacy is an issue that cannot be ignored and delay will only make the situation more difficult to address as time goes on.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.