With bipartisan sponsorship from Representatives Pallone (D-NJ) and McMorris Rodgers (R-WA) the American Data Privacy and Protection Act (ADPPA), which would create a comprehensive federal consumer privacy framework, was introduced on June 21, 2022. Like the GDPR in Europe, the legislation would apply to entities or persons that “collect, process, or transfer” information that identifies or is linked or reasonably linkable to individuals or devices and would aim to give consumers a degree of control over their data, including by requiring affirmative expressed consent for the use of “sensitive covered data”. In addition, the ADPPA would impose a variety of obligations, such as requiring robust data security practices and special protections for certain types of data, while also prohibiting the use of individuals’ data for discrimination. A Congressional Research Service overview of the bill can be found here.
The ADPPA would, if enacted, apply across all sectors of the economy and across all business sectors, including health care and research. Even as five US states have passed comprehensive consumer privacy legislation since 2018, the ADPPA represents the most serious attempt at national legislation in recent years; while it is highly unlikely to pass during the current Congress, we think it represents a template for privacy legislation that will be considered in 2023 and beyond, and thus important for ACRO to pay attention to.
A major issue in the ADPPA identified by ACRO is that the bill’s definition of “de-identified data” does not track the 20-year-old standard for the de-identification of health data promulgated under HIPAA (45 CFR § 164.514). This standard has not only effectively protected patient privacy, but it has facilitated the development of a vast ecosystem of important research using de-identified health data. And, meanwhile, health data de-identified under the HIPAA standard might well be considered identifiable “covered data” under the ADPPA as it is currently drafted.
To address the significant problems with the use of clinical trial and other health data that could occur under the ADPPA, ACRO—on its own, and in conjunction with other organizations, such as the Healthcare Leadership Council and the Healthcare Innovation Alliance—is pressing to amend the bill in order to ‘carve out’ from the definition of “covered data” health and related data that is already subject to regulatory oversight, including HIPAA, FDA and Common Rule regulations, as well as data de-identified under the HIPAA standard. This would prevent clinical trial and other health data used for research purposes from being subject not only to the current regulatory framework, but also to the overlapping and potentially conflicting requirements of the ADPPA. ACRO is meeting with Democratic and Republican staff to highlight our concern regarding the ADPPA’s potential to interfere with research using health data and to press for solutions to the problem.
Again, while the ADPPA is unlikely to pass the US Congress this year, ACRO is committed to ‘fixing’ the ways in which this bill, or successor legislation in a future Congress, might interfere with a biomedical and data research enterprise that is highly regulated already, and which does an extraordinarily good job of protecting individual privacy and medical confidentiality. We will keep you informed about the progress of the ADPPA, and ACRO’s efforts on behalf of the clinical development industry.