US healthcare insurers have been operating under the auspices of the Health Insurance Portability and Accountability Act (HIPAA) since it was signed into law in 1996.
A lot of hard work has gone into HIPAA compliance, but the data privacy problem has just gotten larger. Approximately 143 million patient health records are thought to have been compromised in HIPAA breaches since 2009. That, combined with the recent wave of high profile personal data breaches – across several industries – has ignited international and national concern about improper use of personal data.
In May 2018, the EU adopted the General Data Protection Regulation (GDPR), a first-of-its-kind law that enforces greater protection of EU citizens' personal data by requiring specific data collection, protection and breach processes and protocols, such as the right for consumers to opt out and have their records erased.
Following GDPR, some US states and cities have enacted domestic protections. California established the Consumer Privacy Act, which goes into effect January 1, 2020, while New York has proposed the SHIELD Act and the City of Chicago has also proposed a data privacy ordinance. More recently, several of the largest technology firms have lobbied Congress to introduce federal legislation to standardize this oncoming rush of state and local laws.