Legislation would strengthen privacy and security protections for data collected by health tracking devices and apps as well as DNA testing kits

WASHINGTON – U.S. Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) reintroduced legislation to protect consumers’ private health data. Home DNA testing kits and health data tracking apps have given companies access to unprecedented amounts of consumer health data, but current law does not adequately address the emerging privacy concerns presented by these new technologies. The Protecting Personal Health Data Act addresses these health privacy concerns by requiring the Secretary of Health and Human Services to promulgate regulations for new health technologies such as health apps, wearable devices, and direct-to-consumer genetic testing kits that are not regulated by existing laws.

“While it’s great that new technologies have made it easier for people to monitor their own health, it’s concerning that health tracking apps and home DNA testing kits have given companies access to private data with limited oversight,” Klobuchar said. “This legislation will ensure there are regulations in place to protect consumers as new products that collect personal health information continue to enter the market.”

“Health information is incredibly personal, and keeping it secure and private is pivotal. So as technology continues to rapidly evolve, our policies to protect Americans must as well. Senator Klobuchar and I have worked hard to make data privacy protections for all consumers a priority in Congress, and we continue that effort with the reintroduction of this legislation to ensure guidelines are created for security and privacy protections of modern health information. By enacting important modern protections for consumers’ personal health data, our bill puts the privacy of American consumers first,” Murkowski said.

The Washington Post reported that a pregnancy tracking app has been selling user data to employers, and another report revealed that health apps for users battling depression or trying to quit smoking are selling personal details they collect to third parties, like Google or Facebook, without user consent. A subsequent poll showed that users of these apps cared about privacy, but they also thought the digital trackers were too valuable to give up. Current laws such as the Health Insurance Portability and Accountability Act of 1996 were enacted by Congress when many of the wearable devices, apps, social media sites, and DNA testing companies collecting and sharing health data today did not exist. As science continues to drive technological innovation, we must not sacrifice privacy.

The Protecting Personal Health Data Act would:

  • Require the promulgation of regulations to help strengthen privacy and security protections for consumers’ personal health data.
  • Ensure that these regulations take into account:
    • Appropriate standards for consent that account for differences in sensitivity between genetic data, biometric data, and general personal health data, and that complement existing regulations and guidance; and
    • The ability of consumers to navigate their health data privacy options, and to access, amend, and delete a copy of the personal health data that companies collect or use.
  • Create a National Task Force on Health Data Protection that would evaluate and provide input to address cybersecurity risks and privacy concerns associated with consumer products that handle personal health data, and the development of security standards for consumer devices, services, applications, and software. The Task Force would also study the long-term effectiveness of de-identification methodologies for genetic and biometric data, and advise on the creation of resources to educate consumers about direct-to-consumer genetic testing.

Klobuchar has been a leader in the fight to protect consumers’ private information. In December, Klobuchar sent a letter to former Health and Human Services Secretary Alex Azar requesting information on steps the agency is taking to ensure wearable health devices safeguard health information in light of new health technology entering the market. Last Congress, Klobuchar joined Senators Maria Cantwell (D-WA), Brian Schatz (D-HI), and Ed Markey (D-MA) in introducing the Consumer Online Privacy Rights Act, a comprehensive federal online privacy bill that would establish privacy rights, outlaw harmful and deceptive practices, and improve data security safeguards. Klobuchar also joined Senators Cantwell and Bill Cassidy (D-LA) in introducing the Exposure Notification Privacy Act, which would make participation in commercial online exposure notification systems regarding coronavirus exposure voluntary and give consumers control of their personal data by limiting the type of data that can be collected and how it can be used.