
Beyond HIPAA: The Health Data Use and Privacy Commission Act

By Nina Terenzi, Apr. 20, 2022

For more than 25 years, the Health Insurance Portability and Accountability Act (HIPAA) has set the standard for governing the electronic exchange, privacy, and security of health information. HIPAA’s goal is to protect all interactions between patients and doctors, and it extends to all healthcare providers and their defined business associates. But HIPAA was enacted in 1996—more than a quarter century ago, and 11 years before the first iPhone was released on the consumer market.

Though pioneering in its time, HIPAA no longer protects health data that is recorded or transmitted using modern and emerging technologies such as cell phones, smart watches, or eyeglasses, leaving this highly sensitive data routinely exposed to risk. In February 2022, the Health Data Use and Privacy Commission Act—jointly led by U.S. Senators Tammy Baldwin (D-WI) and Dr. Bill Cassidy (R-LA)—was introduced to launch the modernization of these outdated privacy laws and regulations.

This new bipartisan legislation calls for the creation of a health and privacy commission (Commission) that will conduct research and make recommendations on how to modernize the current health data privacy laws. Its goal will be to establish new standards for protecting patient privacy while allowing health care professionals access to the technologies and communication tools they need to provide the best standard of care.

Widely supported by trade associations across the medical, insurance, and life sciences industries, the new Commission will:

  • Conduct research into and compare current health data practices among the health care, insurance, financial services, consumer electronics, advertising, and other sectors
  • Review the existing health data protections at both the federal and state levels
  • Provide recommendations on whether and what type of new legislation may be required
  • Submit a report with recommendations to Congress and the President six months after its final member has been appointed

The Commission is specifically tasked with drawing conclusions and making recommendations regarding:

  • Current threats to individual health privacy and legitimate business and policy interests
  • How well existing statutes, regulations, private-sector best practices, technology, and market forces are protecting individual health data today
  • When the purpose for sharing health data is appropriate and beneficial to the consumers
  • The potential level of threat to health outcomes and costs if privacy rules are too stringent
  • Whether and what type of federal legislation is required to reform or augment current laws and regulations related to individual health privacy—including enforcement and penalties for misuse, transparency, and communication of privacy practices
  • Analysis of potential costs, burdens, or unintended consequences that new regulations might create in other policy areas
  • Recommendations around whether those costs, burdens, and unintentional consequences are justified by the privacy benefits they enable, or whether those benefits might be achieved by other, less burdensome means
  • A cost-benefit analysis of acting on recommendations that may emerge from the report
  • Recommendations on non-legislative solutions to privacy concerns rooted in education, market forces, and technology
  • Review of private sector self-regulation processes, including privacy policies and third-party programs meant to ensure compliance with privacy requirements

Eastern Insurance will continue to monitor the evolution of health privacy laws and the work of the new Commission and will be sharing findings as they emerge. As always, our goal is to provide information and analysis that helps our customers understand how evolving government rules and regulations, as well as market forces, may affect their business. If you’d like to talk to someone about your policy today, contact us at
