The American Data Privacy and Protection Act Legislation (ADPPA) in Healthcare
In Congress, there’s bipartisan concern about Americans’ data privacy. A proposed federal law to address these concerns will likely affect how you handle patient data.
By now, almost everyone has heard of the General Data Protection Regulation (GDPR), which governs the collection and use of data in the European Union. You’ve definitely heard of HIPAA, a federal law for healthcare entities in the United States. But what’s the American Data Privacy and Protection Act (ADPPA)?
The ADPPA is a piece of legislation making its way through the U.S. Congress. In early March 2023, it was the subject of a hearing before the Innovation, Data, and Commerce Subcommittee of the House Committee on Energy and Commerce. The ADPPA has a long way to go in the legislative process, but it represents increasing concern about data privacy at all levels of government.
Currently, individual states impose a patchwork of data privacy and security laws. The ADPPA aims to create a national data privacy and security standard.
If passed, the ADPPA would apply to almost all data collectors, including healthcare practices that maintain data that identifies, or could be linked together to identify, an individual. It would also apply to “sensitive data,” which includes any information that describes or reveals the health, disability, or treatment status of any individual.
The crux of the legislation is to hold data collectors accountable for the wealth of data they amass. Many of the requirements of the ADPPA would allow data collectors to gather data only for a specific purpose and give the consumer rights to access, correct, and delete their collected data.
Implications for Healthcare Practices and Businesses
While it’s important to note that the ADPPA is not law, healthcare entities should follow the progress of the ADPPA through the legislative process. There are a few key provisions that could directly affect how your entity conducts business.
Data Minimization & Privacy Policies
The ADPPA would require that data collectors, including healthcare entities, minimize the amount of data they collect on individuals. The ADPPA would impose this requirement by limiting entities to collecting, processing, or transferring only the data that is reasonably necessary to achieve a specific, limited purpose.
Individual Data Ownership and Control, and the Right to Consent and Object
Another key focus of the legislation is individuals’ control over their own data, even after collection. Under the ADPPA, individuals would generally have access to their data, subject to some exceptions, and should be given the name of any third party to whom their data has been transferred, with a description of why this transfer occurred. Moreover, individuals would have the right to consent or object to transfers. This provision may specifically come into play for healthcare providers who transfer patient information — including that not pertaining to healthcare — to various laboratories and health systems. Additionally, the ADPPA would grant patients the right to correct or delete their data, subject to certain exceptions.
The ADPPA also proposes the imposition of data security and protection requirements on data collection entities. Generally speaking, the provider would need to establish, implement, and maintain reasonable administrative, technical, and physical data security practices and procedures to protect collected data against unauthorized access.
Larger data collectors would have specific requirements to fulfill regarding data security. Small businesses, however, would need to consider the size and complexity of their business, the nature and volume of the data, the sensitivity of the data, and the available tools to protect data.
If the ADPPA is enacted, the Federal Trade Commission and state attorneys general would have the power to enforce the new law. Eventually, the ADPPA would also allow individuals to bring civil actions for violations.
Difference between ADPPA and HIPAA
If a lot of this sounds familiar to you, it’s because HIPAA also addresses many of these issues. However, there is an important difference between the ADPPA and HIPAA.
The ADPPA proposes a national framework for the privacy protection of all data collected on individuals that could identify them or be linked together to identify them. HIPAA applies to a smaller subset of data: protected health information (PHI). It’s crucial to understand that while you may be in compliance with HIPAA, that does not guarantee compliance with the ADPPA (as drafted).
Although the ADPPA hasn’t yet been enacted, it’s wise to anticipate how your practice will evolve to comply with some version of the ADPPA. Training and implementation of new data privacy procedures will take time.
If you have questions about the wave of new data privacy requirements, HIPAA, or how they overlap, and you operate in one of the states where we practice, you can schedule a complimentary phone consultation with one of Jackson LLP’s healthcare attorneys. Click the button below to learn how we can help your healthcare practice avoid the stress of data breaches, privacy protection issues, and HIPAA compliance.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader and should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.