Klobuchar is the author of the Protecting Personal Health Data Act which would protect consumers’ private health data not covered under existing privacy law
WASHINGTON – U.S. Senator Amy Klobuchar (D-MN) released this statement following reports from the Wall Street Journal that Google and Ascension are collaborating to share the personal health information of roughly 50 million Americans—including personally identifiable information, lab results, hospital records, and physician diagnoses—on Google’s cloud system. According to the reports, neither Ascension patients nor physicians were informed of the agreement before the data sharing program began, and already roughly 150 Google employees have access to this data. While Google claims that sharing the data is permitted under the Health Insurance Portability and Accountability Act (HIPAA), reporting in the Wall Street Journal indicates that the partnership has raised significant technological and ethical questions concerning the safeguarding of private health data. Under HIPAA, hospitals are allowed to share data with “business associates” as long as the information is used to “help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes.” However, Google has to date declined to comment on whether it would use this data for profit or to conduct independent research—both of which would potentially fall outside the scope of HIPAA protections.
“This collaboration isn’t the only one that raises serious privacy concerns. New technologies have made it easier for people to monitor their own health, but health tracking apps, wearable technology devices like Fitbits, and home DNA testing kits have also given companies access to your private health data with very few rules of the road in place regulating how it is collected and used. Congress should enact legislation I introduced with Senator Murkowski, the Protecting Personal Health Data Act, that would require the Department of Health and Human Services to work with the Federal Trade Commission and issue meaningful regulations that protect private health data not covered under existing privacy law. As science continues to drive technological innovation, we must not sacrifice privacy.”
Emerging technology makes it easier for people to monitor and control their own health information, but it has also given companies more access to personal and private health data with very few rules of the road in place. In June, Klobuchar and Senator Lisa Murkowski (R-AK) introduced the Protecting Personal Health Data Act to protect consumers’ private health data not covered under existing privacy law. While recent reports have highlighted how home DNA testing kits and health data tracking apps have given companies access to unprecedented levels of consumer health data, current law does not adequately address the emerging privacy concerns presented by these new technologies. The Protecting Personal Health Data Act addresses these health privacy concerns by requiring the Secretary of Health and Human Services to promulgate regulations for new health technologies such as health apps, wearable devices like Fitbits, and direct-to-consumer genetic testing kits that are not regulated by existing laws.
Specifically, the Protecting Personal Health Data Act would:
- Require the promulgation of regulations to help strengthen privacy and security protections for consumers’ personal health data.
- Ensure that these regulations take into account:
  - Appropriate standards for consent that account for differences in sensitivity between genetic data, biometric data, and general personal health data, and that complement existing regulations and guidance; and
  - The ability of consumers to navigate their health data privacy options, and to access, amend, and delete a copy of the personal health data that companies collect or use.
- Create a National Task Force on Health Data Protection that would evaluate and provide input to address cybersecurity risks and privacy concerns associated with consumer products that handle personal health data, and the development of security standards for consumer devices, services, applications, and software. The Task Force would also study the long-term effectiveness of de-identification methodologies for genetic and biometric data, and advise on the creation of resources to educate consumers about direct-to-consumer genetic testing.