The Impact of the ADPPA Privacy Act in the Healthcare Industry

All players in the health and wellness ecosystem must monitor developments around the American Data Privacy and Protection Act (ADPPA). If enacted, the ADPPA would be a watershed in the regulation of the privacy and security of personal information, including health information. The ADPPA would have a particularly large impact on entities that currently collect, process and transfer health information but are not subject to HIPAA.

Our colleagues Cynthia Larose and Christian Field provided a comprehensive summary of the discussion draft of the bill here.

The confidentiality and security of health information in the United States is governed by a number of overlapping state and federal laws, and these laws are enforced by various government agencies. While HIPAA is enforced primarily by the HHS Office for Civil Rights, the ADPPA would be enforced by the FTC and state Attorneys General. Because HIPAA applies only to covered entities (health plans and healthcare providers that engage in electronic transactions covered by HIPAA) and their business associates, a number of entities that collect, process and disclose health information are not subject to HIPAA, and they often fall outside state medical privacy laws as well, which similarly apply to providers and insurers. Whether or not they are currently regulated by HIPAA, companies that collect health information may want to pay special attention to the following aspects of the ADPPA draft.


The bill applies to entities that collect, process or transfer “covered data”. “Covered data” means “information that identifies or is linked or reasonably linkable to an individual or a device”, which includes “derived data” and “unique identifiers”; the latter would cover persistent digital tags such as cookies and IP addresses. Such entities are referred to as “covered entities” under the ADPPA (a nomenclature that may become confusing, because the same term is used much more narrowly under HIPAA).

The bill also defines “sensitive covered data” to include, among other things, “any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatment of an individual” and genetic information.

Companies will also want to follow the definition of “large data holder”. The discussion draft provides the following working definition: a “covered entity that, in the most recent calendar year— (A) had annual gross revenues of [$250,000,000] or more; [and] (B) collected, processed, or transferred— (i) the covered data of more than 5,000,000 individuals or devices that identify or are linked or reasonably linkable to 1 or more individuals; [or] (ii) the sensitive covered data of more than [100,000] individuals or devices that identify or are linked or reasonably linkable to 1 or more individuals.” Whether the bracketed $250 million threshold survives, and whether the bracketed “and” becomes an “or”, will have a huge impact on the number of health data collectors that qualify as “large data holders”.

Consent requirements for sensitive covered data

Under the ADPPA, a covered entity may not collect or process sensitive covered data, which includes health information, or transfer such data to a third party, without the “affirmative express consent” of the individual. Under the bill, “affirmative express consent” requires an affirmative act by the individual that clearly communicates the individual’s freely given, specific, informed and unambiguous authorization of the act or practice. A covered entity requesting consent to collect, process or transfer sensitive covered data must meet specific requirements for the request, including distinguishing between the acts necessary to fulfill the individual’s request and acts undertaken for another purpose.

Preemption and preservation

Under the ADPPA, covered entities that are subject to certain other federal privacy laws, including HIPAA, and that comply with the data privacy requirements of those laws are deemed to be in compliance with the “related requirements” of the ADPPA, but only with respect to data that are subject to those laws. Similarly, Section 208 of the ADPPA, which sets out the data security requirements for covered data, provides that entities that are subject to HIPAA and meet HIPAA’s information security requirements are deemed to comply with the ADPPA, but only with respect to the data covered by HIPAA. Therefore, a HIPAA covered entity or business associate that does not comply with HIPAA could potentially be subject to enforcement action under both HIPAA and the ADPPA. A HIPAA covered entity or business associate that holds covered data not subject to HIPAA may also potentially face enforcement action for violating the ADPPA with respect to that data. The bill requires the Federal Trade Commission to issue guidance on this overlapping regulatory landscape within one year of the ADPPA’s enactment.

Although the ADPPA contains a broad preemption clause for state laws, it explicitly carves out from preemption all state laws that “address health information, medical information, medical records, HIV status, or HIV testing.” As a result, the patchwork of state laws relating to medical and health privacy would remain in place. The ADPPA would also largely preempt the comprehensive state privacy laws passed in recent years, but would leave intact the private right of action for data breaches under the California Consumer Privacy Act.

As the ADPPA makes its way through Congress, we will continue to monitor developments around the bill and how its enactment could affect the healthcare industry.

© 1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All rights reserved. National Law Review, Volume XII, Number 174