[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 3620 Introduced in Senate (IS)]
117th CONGRESS
2d Session
S. 3620
To establish the Commission for the Comprehensive Study of Health Data
Use and Privacy Protection.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
February 9, 2022
Mr. Cassidy (for himself and Ms. Baldwin) introduced the following
bill; which was read twice and referred to the Committee on Health,
Education, Labor, and Pensions
_______________________________________________________________________
A BILL
To establish the Commission for the Comprehensive Study of Health Data
Use and Privacy Protection.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Health Data Use and Privacy
Commission Act''.
SEC. 2. FINDINGS; RULE OF CONSTRUCTION; SENSE OF CONGRESS.
(a) Findings.--Congress finds the following:
(1) The people of the United States are increasingly
concerned about their civil liberties and the confidentiality,
security, and use of their personal health information.
(2) Commercial entities are increasingly aware that
consumers expect them to adopt privacy policies and take
appropriate steps to protect consumers' personal health
information.
(3) Due to a lack of Federal guidelines and a range of
different State and local rules regarding privacy protection
for individually identifiable health information, there is a
growing concern about the confidentiality of personal health
information collected outside the context of health care
delivery, payment, and the practice of medicine generally.
(4) There is a need to ensure that accurate and timely
health information flows to meet the needs of patients, reduce
costs in the health care system, coordinate care, and improve
health care outcomes.
(5) Access to accurate and complete health information is
critical to ensure the equitable, safe, and effective delivery
of care, the development of novel treatments and cures, the
promotion of public health, and the refinement of health care
delivery.
(6) During the public health emergency with respect to
COVID-19 declared by the Secretary of Health and Human Services
under section 319 of the Public Health Service Act (42 U.S.C.
247d), some Federal and State privacy rules have been waived,
modified, or not enforced to help contain the pandemic. As a
result, the COVID-19 contagion has uncovered areas where
current State and Federal privacy rules may impede patient
care, public health management, and efforts to control the
pandemic. Moreover, the pandemic has spurred innovation
including the development of new technologies and technology
platforms that may not be covered by current regulatory
constructs.
(7) Privacy regulations promulgated under the Health
Insurance Portability and Accountability Act of 1996 (Public
Law 104-191) have provided clearly defined responsibilities and
enforcement for entities and business associates covered by
such regulations, however, the regulations should be assessed
to account for the evolution of emerging technologies, data and
data management tools, and the modernization of health care
delivery.
(8) New rules and policies from the Federal Government
encouraging the flow of health information to improve care and
patient access to their own health information, including the
rules promulgated under the 21st Century Cures Act (Public Law
114-255), raise the issue of protected health information
flowing to entities that are not subject to standardized
privacy protections, including the privacy regulations
promulgated under the Health Information Portability and
Accountability Act of 1996 (Public Law 104-191), the Health
Information Technology for Economic and Clinical Health Act
(Public Law 111-5) (including the amendments made by such Act),
and section 444 of the General Education Provisions Act (20
U.S.C. 1232g; commonly known as the ``Family Educational Rights
and Privacy Act of 1974'').
(9) Given the extensive proliferation of laws and proposals
concerning the privacy of health information in light of recent
changes in technology, applications, social media, and other
platforms, and the increasing generation, collection, use,
sharing, and selling of personal health information, a
coordinated and comprehensive review is necessary to evaluate
the effectiveness of existing protections of personal health
information compiled by the health care, insurance, financial
services, consumer electronics, advertising, technology, and
other industries.
(10) Use of the internet as a medium for commercial,
social, and health related activities will continue to grow,
and more data, including personal health information, will be
generated, exchanged, and used by an increasing number of
entities engaged in the digital marketplace.
(11) An increasing number of people of the United States
are using consumer health technologies, including wearable
technology, with about 20 percent of people of the United
States reporting using such technology in 2020, and generating
data about their personal health and well-being.
(12) The United States is the leading economic and social
force in the global information economy, and it is important
for the United States to continue that leadership. As countries
and governing bodies around the world continue to establish
privacy standards, these standards will directly affect the
United States.
(13) The shift from an industry-focused economy to an
information-focused economy calls for a swift reassessment of
the most effective ways to balance personal privacy against
information use for legitimate purposes, keeping in mind the
potential for unintended effects on technology and product
development, innovation, and medical research.
(b) Rule of Construction.--This Act shall not be construed to
prohibit the enactment of privacy legislation by Congress during the
existence of the Commission on Health Data Use and Privacy Protection
established under section 3.
(c) Sense of Congress.--It is the sense of Congress that--
(1) it is the responsibility of Congress to act to protect
the privacy of individuals, including individuals' medical
information, and to foster the improvement our Nation's health
care system; and
(2) further study by the Commission established under
section 3 should not be considered a prerequisite for further
consideration or enactment of health privacy or other related
privacy legislation by Congress.
SEC. 3. ESTABLISHMENT.
There is established a commission to be known as the ``Commission
on Health Data Use and Privacy Protection'' (referred to in this Act as
the ``Commission'').
SEC. 4. DUTIES OF COMMISSION.
(a) Study.--The Commission shall conduct a study of issues relating
to protection of individual privacy and the appropriate balance to be
achieved between protecting individual privacy and allowing and
advancing appropriate uses of personal health information, including
the following issues:
(1) The monitoring, collection, and distribution of
personal health information by Federal, State, and local
governments, such as the collection of information to combat
the spread of infectious diseases such as COVID-19, the threat
of substance use disorders involving opioids and other
substances, and other public health threats and benefits.
(2) Current efforts to address the access, exchange, and
use of personal health information by Federal and State
governments, individuals, or entities, including--
(A) existing statutes and regulations relating to
the protection of individual privacy, such as section
552a of title 5, United States Code (commonly known as
the ``Privacy Act of 1974''), section 552 of title 5,
United States Code (commonly known as the ``Freedom of
Information Act''), the Federal Trade Commission Act
(15 U.S.C. 42 et seq.), the Common Rule and other
applicable regulations promulgated under the Health
Information Portability and Accountability Act of 1996
(Public Law 104-191), the Health Information Technology
for Economic and Clinical Health Act (Public Law 111-5)
(including the amendments made by such Act), the 21st
Century Cures Act (Public Law 114-255) (including the
amendments made by such Act), and section 444 of the
General Education Provisions Act (20 U.S.C. 1232g;
commonly known as the ``Family Educational Rights and
Privacy Act of 1974'');
(B) relevant legislation pending before Congress
and State legislatures;
(C) privacy protection efforts undertaken by--
(i) the Federal Government;
(ii) State governments; or
(iii) foreign governments and international
governing bodies;
(D) privacy protection efforts undertaken by the
private sector, including any relevant recommendations,
frameworks, or proposals; and
(E) self-regulatory efforts initiated or proposed
by the private sector to respond to privacy issues.
(3) The differences and similarities between Federal,
State, and international rules for protecting the privacy of
health information and the degree to which such similarities or
differences create or address problems related to collecting,
sharing, and using health information to improve care and lower
costs, and any trade-offs related to patient privacy and
patient control over health information.
(4) The need for consistency in deidentification standards
for health data to avoid conflicting requirements that could
impede the improvement of health care through clinical trials,
technology development, public health surveillance, monitoring
of general health trends, and medical research.
(5) Technologies and data currently used for treatment,
payment, and health care operations, compared with technologies
used when the privacy regulations promulgated under section 264
of the Health Insurance Portability and Accountability Act of
1996 (42 U.S.C. 1320d-2 note) were first issued, including an
assessment of any gaps in the privacy protections under such
regulations resulting from data collection and use by non-
covered entities, taking into account recommendations of the
National Committee on Vital and Health Statistics and the
Office for the National Coordinator for Health Information
Technology.
(6) The monitoring, collection, and distribution of
personal information by individuals or entities, including
access to, and use of, personal health information and medical
records, and the ability to access and restrict the
information.
(7) Employer practices and policies with respect to the
health information of employees, including--
(A) the extent to which employers collect, use, or
disclose employee health information for marketing,
employment, or insurance underwriting purposes;
(B) what restrictions employers place on disclosure
or use of employee health information; and
(C) practices of employer medical departments with
respect to disclosing employee health information to
administrative or other personnel of the employer.
(8) Current enforcement of privacy laws and rules through
the Federal Trade Commission, the Office for Civil Rights of
the Department of Health and Human Services, the Civil Rights
Division of the Department of Justice, State agencies
(including State attorneys general), and private rights of
action. Such evaluation shall include an examination of
efficacy, recommendations, and advantages and disadvantages of
different enforcement mechanisms, and the potential for
consolidation of enforcement.
(9) Varying notices of privacy practices and whether such
practices are effective in informing consumers of their rights
and responsibilities, including, as appropriate, an assessment
of best practices.
(10) Varying statutory and regulatory employee training
requirements, including, as appropriate, an assessment of best
practices and whether harmonized training requirements may be
more effective in encouraging efficient and effective training
of employees in sound practices concerning personal health
data.
(11) Challenges and potential solutions to consent
requirements and processes, particularly related to medical
research.
(12) The degree to which personal health information is
sold with or without consent, and the uses of such information.
(b) Field Hearings.--The Commission may conduct field hearings in
the United States.
(c) Report.--
(1) In general.--Not later than 6 months after the
appointment of all members of the Commission--
(A) a majority of the members of the Commission
shall approve a report described in paragraph (2); and
(B) the Commission shall submit the approved report
to the Committee on Health, Education, Labor, and
Pensions of the Senate, the Committee on Energy and
Commerce of the House of Representatives, the Secretary
of Health and Human Services, and the President.
(2) Contents.--The report required under paragraph (1)
shall include a detailed statement of findings, conclusions,
and recommendations, including the following:
(A) Findings from the study conducted by the
Commission pursuant to section 4(a), including
potential threats posed to individual health privacy
and to legitimate business and policy interests.
(B) Analysis of purposes for which sharing of
health information is appropriate and beneficial to
consumers and the threat to health outcomes and costs
if privacy rules are too stringent.
(C) Analysis of the effectiveness of existing
statutes, regulations, private sector self-regulatory
efforts, technology advances, and market forces in
protecting individual health privacy.
(D) Recommendations on whether Federal legislation
is necessary, and if so, specific suggestions on
proposals to reform, streamline, harmonize, unify, or
augment current laws and regulations relating to
individual health privacy, including reforms or
additions to existing law related to enforcement,
preemption, consent, penalties for misuse,
transparency, and notice of privacy practices.
(E) Analysis of whether additional regulations may
impose costs or burdens, or cause unintended
consequences in other policy areas, such as security,
law enforcement, medical research, health care cost
containment, improved patient outcomes, public health,
or critical infrastructure protection, and whether such
costs or burdens are justified by the additional
regulations or benefits to privacy, including whether
such benefits may be achieved through less onerous
means.
(F) Cost analysis of legislative or regulatory
changes proposed in the report.
(G) Recommendations on non-legislative solutions to
individual health privacy concerns, including
education, market-based measures, industry best
practices, and new technologies.
(H) Review of the effectiveness and utility of
third-party statements of privacy principles and
private sector self-regulatory efforts, as well as
third-party certification or accreditation programs
meant to ensure compliance with privacy requirements.
(d) Additional Report.--Together with the report under subsection
(c), the Commission shall submit to Congress and the President any
additional report of dissenting opinions or minority views by a member
or members of the Commission.
(e) Interim Report.--The Commission may submit to Congress and the
President an interim report approved by a majority of the members of
the Commission.
SEC. 5. MEMBERSHIP.
(a) Number and Appointment.--The Commission shall--
(1) be composed of 17 members to be appointed by the
Comptroller General; and
(2) reflect the views of health providers, ancillary health
care workers, health care purchasers, health plans, health
technology developers, researchers, consumers, public health
experts, civil liberties experts, genomics experts, educators,
the consumer electronics industry, and relevant Federal
agencies, and other entities as the Secretary of Health and
Human Services determines appropriate.
(b) Terms.--Each member of the Commission shall be appointed for
the life of the Commission.
(c) Vacancies.--A vacancy in the Commission shall be filled in the
same manner in which the original appointment was made.
(d) Compensation; Travel Expenses.--Members of the Commission shall
serve without pay, but shall receive travel expenses, including per
diem in lieu of subsistence, in accordance with sections 5702 and 5703
of title 5, United States Code.
(e) Quorum.--A majority of the members of the Commission shall
constitute a quorum, but a lesser number may hold hearings.
(f) Meetings.--
(1) In general.--The Commission shall meet at the call of
the Chair or a majority of its members.
(2) Initial meeting.--Not later than 60 days after the date
of the enactment of this Act, the Commission shall hold its
initial meeting.
(3) Virtual or in-person meetings.--Meetings may be held in
person or virtually.
(g) Ethical Disclosure.--The Comptroller General shall establish a
system for public disclosure by members of the Commission of financial
and other potential conflicts of interest relating to such members.
Members of the Commission shall be treated as employees of Congress for
purposes of applying title I of the Ethics in Government Act of 1978 (5
U.S.C. App.).
SEC. 6. DIRECTOR; STAFF; EXPERTS AND CONSULTANTS.
(a) Director.--
(1) In general.--Not earlier than 45 days after the date of
enactment of this Act, the Commission shall appoint a Director
of the Commissioner (referred to in this Act as the
``Director'') without regard to the provisions of title 5,
United States Code, governing appointments to the competitive
service.
(2) Pay.--The Director shall be paid at the rate payable
for level III of the Executive Schedule established under
section 5314 of title 5, United States Code.
(b) Staff.--The Director may appoint staff as the Director
determines appropriate.
(c) Applicability of Certain Civil Service Laws.--
(1) In general.--The staff of the Commission shall be
appointed without regard to the provisions of title 5, United
States Code, governing appointments in the competitive service.
(2) Pay.--The staff of the Commission shall be paid in
accordance with the provisions of chapter 51 and subchapter III
of chapter 53 of that title relating to classification and
General Schedule pay rates, but at rates not in excess of the
maximum rate for grade GS-15 of the General Schedule under
section 5332 of that title.
(d) Experts and Consultants.--The Director may procure temporary
and intermittent services under section 3109(b) of title 5, United
States Code.
(e) Staff of Federal Agencies.--
(1) In general.--Upon request of the Director, the head of
any Federal department or agency may detail, on a reimbursable
basis, any of the personnel of that department or agency to the
Commission to assist it in carrying out this Act.
(2) Notification.--Before making a request under this
subsection, the Director shall give notice of the request to
each member of the Commission.
SEC. 7. POWERS OF COMMISSION.
(a) Hearings and Sessions.--The Commission may, for the purpose of
carrying out this Act, hold hearings, sit and act at times and places,
take testimony, and receive evidence as the Commission considers
appropriate. The Commission may administer oaths or affirmations to
witnesses appearing before it.
(b) Powers of Members and Agents.--Any member or agent of the
Commission may, if authorized by the Commission, take any action which
the Commission is authorized to take by this section.
(c) Obtaining Official Information.--
(1) In general.--Except as provided in paragraph (2), if
the Chair of the Commission submits a request to a Federal
department or agency for information necessary to enable the
Commission to carry out this Act, the head of that department
or agency shall furnish that information to the Commission.
(2) Exception for national security.--If the head of the
department or agency determines that it is necessary to guard
such information from disclosure to protect the national
security interests of the United States, the head shall not
furnish that information to the Commission.
(d) Mails.--The Commission may use the United States mails in the
same manner and under the same conditions as other departments and
agencies of the United States.
(e) Administrative Support Services.--Upon the request of the
Director, the Administrator of General Services shall provide to the
Commission, on a reimbursable basis, the administrative support
services necessary for the Commission to carry out this Act.
(f) Gifts and Donations.--The Commission may accept, use, and
dispose of gifts or donations of services or property to carry out this
Act, but only to the extent or in the amounts provided in advance in
appropriation Acts.
(g) Contracts.--The Commission may contract with and compensate
persons and government agencies for supplies and services, without
regard to section 3709 of the Revised Statutes (41 U.S.C. 5).
(h) Subpoena Power.--
(1) In general.--The Commission may issue subpoenas
requiring the attendance and testimony of witnesses and the
production of any evidence relating to any matter that the
Commission is empowered to investigate by section 4. The
attendance of witnesses and the production of evidence may be
required by such subpoena from any place within the United
States and at any specified place of hearing within the United
States.
(2) Failure to obey a subpoena.--If a person refuses to
obey a subpoena issued under paragraph (1), the Commission may
apply to a United States district court for an order requiring
that person to appear before the Commission to give testimony,
produce evidence, or both, relating to the matter under
investigation. The application may be made within the judicial
district where the hearing is conducted or where that person is
found, resides, or transacts business. Any failure to obey the
order of the court may be punished by the court as civil
contempt.
(3) Service of subpoenas.--The subpoenas of the Commission
shall be served in the manner provided for subpoenas issued by
a United States district court under the Federal Rules of Civil
Procedure for the United States district courts.
(4) Service of process.--All process of any court to which
application is made under paragraph (2) may be served in the
judicial district in which the person required to be served
resides or may be found.
SEC. 8. TERMINATION.
The Commission shall terminate 30 days after submitting a report
under section 4(c).
SEC. 9. AUTHORIZATION OF APPROPRIATIONS.
(a) In General.--There are authorized to be appropriated to the
Commission such sums as may be necessary to carry out this Act.
(b) Availability.--Any sums appropriated pursuant to the
authorization in subsection (a) shall remain available until expended.
SEC. 10. BUDGET ACT COMPLIANCE.
Any new contract authority authorized by this Act shall be
effective only to the extent or in the amounts provided in advance in
appropriation Acts.
SEC. 11. PRIVACY PROTECTIONS.
(a) Destruction or Return of Information Required.--Upon the
conclusion of the matter or need for which individually identifiable
information was disclosed to the Commission, the Commission shall
either destroy the individually identifiable information or return it
to the person or entity from which it was obtained, unless the
individual that is the subject of the individually identifiable
information has authorized its disclosure.
(b) Disclosure of Information Prohibited.--The Commission--
(1) shall protect individually identifiable information
from improper use; and
(2) may not disclose such information to any person,
including Congress or the President, unless the individual that
is the subject of the information has authorized such a
disclosure.
(c) Proprietary Business Information and Financial Information.--
The Commission shall protect from improper use, and may not disclose to
any person, proprietary business information and proprietary financial
information that may be viewed or obtained by the Commission in the
course of carrying out its duties under this Act.