The Impact of the ADPPA Privacy Act on Healthcare

All participants in the health and wellness ecosystem should follow developments around the American Data Privacy and Protection Act (ADPPA). If enacted, the ADPPA would be a milestone in the regulation of the privacy and security of personal information, including health information. It would have a significant impact on entities that currently collect, process, and transfer health information but are not subject to HIPAA.

Our colleagues Cynthia Larose and Christian Fjeld have provided a full summary of the discussion draft here.

The privacy and security of health information in the United States is governed by a number of overlapping state and federal laws, enforced by different government authorities. Where HIPAA is enforced primarily by the HHS Office for Civil Rights, the ADPPA would be enforced by the FTC and by state attorneys general. Because HIPAA applies only to HIPAA covered entities (health plans and health care providers that engage in HIPAA-covered electronic transactions) and their business associates, many entities that collect, process, and disclose health information are not subject to HIPAA, and they are also often exempt from the state privacy laws that apply to providers and insurers. Whether or not they are currently regulated by HIPAA, companies that collect health information will want to pay particular attention to the following aspects of the ADPPA draft.


The bill applies to entities that collect, process, or transfer "covered data". "Covered data" means "information that identifies or is linked or reasonably linkable to an individual or a device", together with "derived data" and "unique identifiers", which would include persistent digital markers such as cookies and IP addresses. These entities are called "covered entities" under the ADPPA (the nomenclature can be confusing, because HIPAA uses the same term in a much narrower sense).

The bill also defines "sensitive covered data", which includes "information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatment of an individual" as well as genetic information.

Companies will also want to follow the definition of "large data holder". The draft offers the following working definition: "a covered entity that (A) has had annual gross revenues of [$250,000,000] or more in the preceding calendar year; [and] (B) collects, processes, or transfers (i) the covered data of more than 5,000,000 individuals or devices that identify or are linked or reasonably linkable to one or more individuals; [or] (ii) the sensitive covered data of more than [100,000] individuals or devices that identify or are linked or reasonably linkable to one or more individuals." Whether the bracketed $250 million figure is kept, and whether the bracketed connector becomes "and" or "or", will have a significant impact on how many entities that collect health information qualify as "large data holders".

Consent requirements for sensitive covered data

Under the ADPPA, a covered entity may not collect or process sensitive covered data, including health information, or transfer such data to a third party, without the "express affirmative consent" of the individual to whom the data relates. The bill defines "express affirmative consent" as an individual's specific, informed, and unambiguous authorization for an act or practice of the covered entity. When a covered entity requests consent to collect, process, or transfer sensitive covered data, it must satisfy specific requirements for the request, including distinguishing between acts that are necessary to fulfill a request by the individual and acts that serve another purpose.

Preemption and preservation

Under the ADPPA, covered entities that are subject to other federal privacy laws, including HIPAA, are deemed to be in compliance with the ADPPA's "related requirements" if they comply with the privacy requirements of those laws, but only with respect to data that is subject to those laws. Similarly, Section 208 of the ADPPA, which sets out the data security requirements for covered data, provides that entities subject to HIPAA that comply with HIPAA's information security requirements are deemed to comply with the ADPPA's security requirements, but again only with respect to data subject to HIPAA. Therefore, a HIPAA covered entity or business associate that does not comply with HIPAA could face enforcement actions under both HIPAA and the ADPPA. And a HIPAA covered entity or business associate that holds covered data not subject to HIPAA could also face enforcement action for violating the ADPPA with respect to that data. The bill directs the FTC to issue guidance on this preemption landscape within one year of the ADPPA's enactment.

Although the ADPPA contains a broad state law preemption clause, it expressly excludes from preemption any state law that addresses "health information, medical information, medical records, HIV status, or HIV testing". Thus the patchwork of state medical and health privacy laws would remain in place. The ADPPA would also largely preempt the comprehensive state privacy laws enacted in recent years, but would preserve the private right of action for data breaches under the California Consumer Privacy Act.

As the ADPPA moves through Congress, we will continue to monitor developments surrounding the bill and how its passage may affect the healthcare industry.

© 1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All rights reserved. National Law Review, Volume XII, No. 174