Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA-05) recently introduced bicameral, bipartisan data privacy legislation called the “American Privacy Rights Act.” This 53-page legislation would be the most significant data privacy reform in nearly three decades; it would give Americans more control over what data is collected on them and limit how that data can be shared.
Today, data privacy is primarily governed by a patchwork of state laws. Currently, 15 states have general data privacy laws on their books (and if federal privacy legislation were not passed, this number would continue to grow). This has posed challenges to consumers and corporations alike: it is difficult for consumers to remain aware of their privacy rights, and for corporations to comply with privacy laws, when every state has a different privacy law on its books and new state laws are passed by the month. The proliferation of artificial intelligence (AI) has added new urgency to the need for more robust data protection laws.
Since protecting consumer privacy has long been a bipartisan issue, Congress is once again attempting to create a federal privacy framework. Many other countries have passed national privacy laws.
This bill establishes consumer data privacy rights at the national level and sets standards for data security. It does this by giving consumers the right to access, correct, delete, and export their personal data. It also would give consumers the right to opt out of targeted advertising and unauthorized data transfers. In many situations, the bill gives the Federal Trade Commission (FTC), state attorneys general, and consumers the right to sue when they believe their privacy has been violated.
The law would apply primarily to “big businesses” that are subject to the FTC’s authority, common carriers (entities that transport persons or goods for a fee), and nonprofits. It excludes small businesses that:
- Have less than $40 million in annual revenue
- Process covered data of fewer than 200,000 individuals, and
- Do not earn revenue from the transfer of covered data to third parties.
For purposes of this bill, covered data is defined as any information that “identifies or is linked or reasonably linkable to an individual, including in combination with other information.” The legislation would impose stronger data minimization requirements (i.e., companies should only collect data for “necessary and limited purposes”). The bill also prohibits companies from transferring sensitive covered data to third parties without the consumer’s “affirmative express consent.” Finally, the bill gives consumers the power to opt out of their data being used for AI training algorithms.
Impact on RCM Companies and Medical Practices
The new draft bill would not preempt any laws that protect medical information or medical records. Laws such as HIPAA would remain unchanged by this bill. This means that any provider group would continue to comply with the HIPAA Privacy and Security Rules, rather than this new piece of legislation (if signed into law). Any vendors of HIPAA covered entities (providers, plans, and clearinghouses) will still be considered Business Associates under HIPAA, and thus will continue to comply with HIPAA for handling PHI, rather than the new legislation.
This law would still impact companies and medical practices for data that is not HIPAA-protected.
This bill still has a long way to go before it is signed into law. To advance in Congress, it first needs support from relevant Committees in both congressional chambers. The initial reception from certain key members of these Committees suggests there is not strong enthusiasm for the current version of the bill. Most notably, Senate Commerce Committee Ranking Member Ted Cruz (R-TX) made clear that, while he generally supports some sort of federal privacy legislation, he believes the private rights of action (an individual’s ability to sue) in the bill expand too far.
We therefore expect there to be many changes during legislative markups on this bill (including modifications to how health data is treated by the bill).
Another headwind is Congress’ limited appetite to pass major legislation before the 2024 election. Time could run out in this Congress for such a major piece of legislation to advance. With Chair McMorris Rodgers not seeking reelection, this bill would need a new House champion in the new Congress.
If the bill successfully passes both chambers and is signed by the President, it would go into effect 180 days thereafter.
ADVOCATE will share additional information with clients and friends as it becomes available on this and other Federal Health Policies.
Kirk Reinitz, President