The Data Access Game
Efforts are afoot at the federal level to put individuals in the driver’s seat when it comes to collection, use and privacy of their own personal information.
Particularly in the health space, some of this could be a good thing for brokers and their employer clients. More generally, however, momentum and political heat around data security and privacy policies could put a damper on efforts to collect and share personal information, regardless of the business context.
First, the good news. We opined several months back on the long-standing battle between brokers/employers and carriers over access to health data. We ultimately concluded that the Health Insurance Portability and Accountability Act’s Privacy Rule and the Gramm-Leach-Bliley Act (GLBA) pretty much allow individuals to dictate who receives their information, health-related or otherwise.
Recent action by the Trump administration could give a serious boost to consumer-centric data management and transparency in the healthcare field, as well as to standardization and interoperability between providers’ data systems (i.e., getting data systems to “speak the same language”). The need for such interoperability was discussed at length at last year’s Employee Benefits Leadership Forum and has been a topic of continuing conversation among The Council’s Council of Employee Benefits Executives Advisory Committee.
In April, the administration released proposed rules that would require certain government healthcare programs and, notably, private issuers of qualified health plans on federally facilitated exchanges to, among other things:
- Implement open application programming interfaces (APIs), specifically using Fast Healthcare Interoperability Resources (FHIR) protocols, for technical, content and vocabulary standards (solving the “common language” issue)
- Provide individuals with easy access (via smart phones, tablets, etc.) to their complete health data via those open APIs, including data on cost for approved and denied claims, provider encounters, enrollee cost-sharing, clinical notes, care team members, lab tests and results, medications, procedures, drug benefit data, and formularies
- When requested by a beneficiary, transmit the data described above to designated entities (an obligation that lasts while the individual is enrolled in the plan and for up to five years after disenrollment).
While not directly applicable to the full private market, the administration’s proposal represents a big first step toward transparency, interoperability between providers and other entities in the healthcare sector, and timely exchange of complete data sets between all parties. It clearly chips away at the current opaque, cumbersome system, and—consistent with HIPAA and GLBA—it centers on consumers’ consent to share their own information.
During a recent congressional hearing on the proposals, questions arose about implementation time frames, protecting patient privacy, and data security. But on a fundamental level, Republicans and Democrats seemed to recognize the need for and benefit of opening up the flow of health information. That alone suggests that these types of policy initiatives are not going away.
And now the cautionary news. While improving access to health data may be getting some positive play in D.C. right now, data security and privacy issues are getting quite a bit of negative heat. Consequently, anyone looking to collect and utilize more individual data in their business operations, including brokers and employers, should be prepared for what policymakers roll out in this space.
Congress currently is grappling with what, if anything, it should do to keep up with comprehensive new data regimes like the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). And there is mounting pressure for them to do something. In fact, several members of the Federal Trade Commission recently testified before Congress and asked lawmakers to produce federal security and privacy standards (and not leave it to the regulatory process).
The California law is generally viewed as the most sweeping U.S. initiative to date in this area. Like the Trump administration’s proposal on health data, it stipulates that consumers must be able to access their information in a “readily usable format” and transfer it to designated third parties, but it also grants consumers the right to be forgotten (i.e., to have their data deleted), the right to take their information with them to other service providers, and the right to opt out of the sale of their personal information.
“Personal information” under CCPA means:
“[I]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This pretty much runs the gamut of information, including, among several other categories, biometric information, geolocation data and employment-related data. Moreover, any inferences drawn from this information that would allow someone to discern consumer characteristics, preferences, behavior, etc., count as “personal information” under the CCPA.
Although the CCPA technically applies only to California residents, it is a clear driving force behind federal discussions, because most companies will be left with a choice to either conform all of their data practices with the California law or treat Californians one way and all other consumers another.
For similar reasons, Congress cannot ignore the GDPR, which sweeps in non-EU controllers and processors of information when EU citizens are involved. That regime also includes robust consumer rights with respect to their own data, including rights to be forgotten and portability, and various notification rights.
All of a sudden, all collectors of personal information are facing the reality of a patchwork of highly complex, far-reaching, and costly data security and privacy requirements. And the federal government hasn’t even thrown its hat in the ring yet.
Then there is the PR element. Scandals like Facebook-Cambridge Analytica and rising concerns about eavesdropping by various smart home devices may—quite reasonably—cause individuals to be more apprehensive about sharing their personal data, even if they are technically permitted under the law to give it to whomever they designate.
Given the momentum behind the aggressive EU and California approaches (and a desire by absolutely no one to have 50+ different data security standards), along with potential changes in consumer attitudes about how their data is used, all types of stakeholders are agitating for some standardized federal policy. The pressure is already on Congress to include robust consumer rights and strict standards for anyone who collects, holds, sells, and/or utilizes individuals’ data.
Ultimately, while more health data still is a good thing for our industry and more of it may be coming your way, we can expect that the data will be carrying with it some significant new obligations and legal exposure.