Governance & Risk Management , Healthcare , HIPAA/HITECH

Bill Would Ban Brokers From Selling Health, Location Data

Warren's Proposals Seek to Protect Consumers' Sensitive Information
Bill Would Ban Brokers From Selling Health, Location Data

Legislation introduced in the U.S. Senate last week proposes a ban on data brokers from selling or transferring sensitive health and location data.

See Also: Securing Healthcare: Minimizing Risk in an Ever-Changing Threat Landscape

The Health and Location Data Protection Act, introduced on Wednesday by Sen. Elizabeth Warren, D-Mass., has the support of four additional lawmakers.

Backers frame the legislation as especially urgent amid an expected ruling from the Supreme Court overturning Roe v. Wade and a subsequent surge in restrictions against abortion in two dozen American states.

Location data gleaned from smartphones or information taken from a menstruation app could be used to "track and prosecute women across the U.S.," says Sen. Ron Wyden, D-Oregon.

Largely unregulated by federal law, data brokers collect personal data such as location data from "seemingly innocuous sources," including weather apps, without consumers' consent or knowledge, Warren says.

Sen. Elizabeth Warren, D-Mass.

The other co-sponsors of Warren's bill are Sens. Patty Murray, D-Wash.; Sheldon Whitehouse, D-R.I.; and Bernie Sanders, I-Vt.

Bill's Proposals

The Health and Location Data Protection Act proposes to:

  • Ban data brokers from selling or transferring location data and health data and require the Federal Trade Commission to write rules to implement the law within 180 days;
  • Empower the FTC, state attorneys general and private individuals to sue to enforce the bill's provisions and allow for legal remedies such as damages and injunctions;
  • Appropriate $1 billion in funding over the next decade to the FTC to carry out its work, including the enforcement of the legislation.

The bill defines "health data" as information that reveals any successful or unsuccessful attempt to obtain health services as well as data revealing health conditions, "including, but not limited to, pregnancy and miscarriage." It also includes the diagnosis or treatment of health conditions.

The bill contains an exemption for data authorized for sharing by an individual, with authorization subject to standards set by the HIPAA Privacy Rule.

Ongoing Controversy

Warren's bill addresses issues tackled by other proposed privacy bills but treats location and health data with greater urgency, health privacy experts tell Information Security Media Group.

"The current debate about a post-Dobbs world has increased pressure on these points and the risks of this data," says privacy attorney Kirk Nahra of the law firm WilmerHale about the Warren proposals.

Dobbs v. Jackson Women's Health Organization is a pending Supreme Court case brought by opponents of a Mississippi law banning most abortions after the first 15 weeks of pregnancy. A leaked draft majority opinion written by Justice Samuel Alito called the Roe decision "egregiously wrong from the start" and argued abortion is not a constitutionally protected right.

"This particular set of [data broker] concerns has some momentum behind them that could prompt aggressive action on this issue separate from a national privacy law," Nahra says.

Related Issues

The legislation likewise spotlights mounting concerns about health data residing outside the protections of HIPAA. Data originating outside clinical settings isn’t protected by the law despite the ability of apps to collect sensitive data such as early pregnancy or caloric intake.

A study of more than 20,000 health-related apps for Android devices published last year by the British Medical Journal found the vast majority contained code that could potentially collect user data.

Nonprofit investigative reporting organizations The Markup and Reveal last week reported findings that the social media giant Facebook is collecting abortion-related information about users.

The investigation alleges that Facebook collects "ultrasensitive personal data about abortion seekers" and enables "anti-abortion organizations to use that data as a tool to target and influence people online, in violation of its own policies and promises."

The social media giant gathers data through a tracking tool called the Meta Pixel that works whether or not a person is logged in to their Facebook account.

Facebook did not immediately respond to ISMG's request for comment on the investigation.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.