Health Privacy

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to health privacy.

Featured Resources

Privacy as a competitive differentiator

This white paper provides a comprehensive framework for building and managing a health care privacy program based on the collective insights from in-house and external privacy counsel.

European Health Data Space

It’s well understood the trans-Atlantic data relationship needs some healing and repair. Biotechnology Innovation Organization Senior Director of International Affairs Justin Pine, CIPP/US, writes that could come through the innovative biotechnology sector.

PSA about HIPAA Privacy Rule

COVID-19 has raised some key discussions on emerging privacy issues as well as created fresh debate around existing topics. One of those new debates centers on the HIPAA Privacy Rule. “Most of what you see is wrong,” Kirk Nahra, CIPP/US, writes as he dispels disinformation and re-establishes the proper framing of the rule.

Latest News and Resources

New UK health data strategy creates ‘secure,’ ‘privacy-preserving system’

The U.K. Department of Health and Social Care published a new data strategy that improves patient access to records and control of their data, including simplified opt-out processes and improved data access. The strategy focuses on seven principles “to harness the data-driven power and innovation seen during the (COVID-19) pandemic to drive transformation in health and care, creating a secure and privacy-preserving system that delivers for both patients and professionals,” the department said.

Commission proposal for a regulation on the European health data space

Earlier this month a draft of the proposal for the European Health Data Space Regulation was released. The EHDS is one of nine European data spaces identified in the European Commission's 2020 European Strategy for Data, and very much a priority for the commission. It builds on the Data Governance Act and the recently released proposal for the Data Act. Those acts are horizontal in nature; the EHDS Regulation would provide more specific sectoral measures in the area of health. The draft proposa...

Web Conference: Building an Effective and Strategic Healthcare Privacy Program

Original broadcast date: 19 January 2022. This web conference is an in-depth, practical discussion of the build-out of a healthcare privacy program. Panelists describe key privacy and related laws relevant to global healthcare organizations and the core pillars of work to consider in building out a healthcare privacy program, and discuss key recommendations based on these pillars that can help make a privacy program a competitive differentiator.


In 1996 the U.S. Congress passed the Health Insurance Portability and Accountability Act to create national standards for electronic health care transactions and unique health identifiers, among other purposes. Recognizing the increased risk to data in an electronic format, HIPAA required the Secretary of the U.S. Department of Health and Human Services to develop regulations ensuring the privacy and security of certain health information.

Definitions (HIPAA)

HIPAA Privacy and Security for Beginners

This article by Kirk Nahra, CIPP/US, of Wiley Rein offers an overview of the Health Insurance Portability and Accountability Act from its inception. The article outlines the goals of the law, highlighting the principles found in the HIPAA privacy and security rules.

Health Insurance Portability and Accountability Act, The

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations, although there are important exceptions such as for treatment, payment and healthcare operations. Link to text of law: Th...

Protected Health Information

Any individually identifiable health information transmitted or maintained in any form or medium that is held by an entity covered by the Health Insurance Portability and Accountability Act or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of healthcare or payment for healthcare to that individual. Acronym...

Privacy Rule, The

Under HIPAA, this rule establishes U.S. national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically. The rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authoriza...

Electronic Health Record

A computer record of an individual's medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges. EHRs may include a range of data including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats such as age and weight and billing information. Their ac...

Latest News and Resources (HIPAA)

Who Does HIPAA Apply To?

This article, published by Compliance Junction, provides guidance on the application of the Health Insurance Portability and Accountability Act, with a focus on business associates, hybrid entities and preemption by state laws.

Prioritizing patient access rights under HIPAA

SC Media reports on patient access rights being a key enforcement priority of the Health Insurance Portability and Accountability Act for the Department of Health and Human Services. Former DHHS privacy official Deven McGraw said HIPAA Right of Access is “underutilized” and data can empower patients to make decisions about their care. “There are a lot of scenarios that providers are fearing. But there are definitely more positives to sharing,” she said.

A public service announcement about the HIPAA Privacy Rule

HIPAA and COVID-19 have been in the news together a lot lately. Most of what you see is wrong. Here’s a refresher — for yourself, and your strange friend who read something on the internet and is now a HIPAA expert or, all too frequently, a “HIPPA” expert. First, HIPAA is not an overall health information privacy rule. The name of the statute may give some clues — the Health Insurance Portability and Accountability Act. The single “P” in the name is for portability, not privacy. Neither privac...

Web Conference: The Future of HIPAA

Original broadcast date: May 24, 2021. The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules were written in a period when health information was concentrated in the hands of traditional health care institutions such as doctors, hospitals and health plans. Almost two decades later, this is no longer the case. With revolutionary advances in technology, an increasing variety of organizations are generating and collecting sensitive health information largely outside the bounds of HIPAA. This panel discussed whether HIPAA is still up to the task of protecting health information. They investigated the supporting principles for any legislation that might modify how health information is treated and assessed specific proposals for updating the current sector-specific framework. They also assessed the capacity of those proposals to better embrace the advantages and threats posed by recent changes to the health privacy landscape.

Covered Entity Guidance
(Centers for Medicare & Medicaid Services, July 2021)
Who Can Sue for A HIPAA Violation?
(Compliance Junction, July 2021)
HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules
(Center for Medicare & Medicaid Services, May 2021)
Why the Fifth Circuit HIPAA case doesn’t mean ‘game over’ for HHS data security enforcement
(IAPP, March 2021)
HHS waives HIPAA penalties in Texas
(IAPP, February 2021)
Unpacking the proposed HIPAA Privacy Rule modifications
(IAPP, January 2021)
HHS: Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency
(U.S. Department of Health & Human Services Office for Civil Rights, January 2021)
Details on proposed changes to HIPAA’s Privacy Rule
(IAPP, December 2020)
Understanding HIPAA’s security rule for telemedicine apps
(IAPP, December 2020)
Doctor invokes HIPAA with Trump COVID-19 questions
(IAPP, October 2020)
HHS: FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency
(HHS, February 2020)
HHS issues $2.3M HIPAA fine over breach
(IAPP, September 2020)
ONC, OCR update HIPAA Risk Assessment Tool
(IAPP, September 2020)
COVID-19 and HIPAA: HHS’s Troubled Approach to Waiving Privacy and Security Rules for the Pandemic
(World Privacy Forum, September 2020)
5 investigations settled in HIPAA Right of Access Initiative
(IAPP, September 2020)
Social Media Rules for HIPAA
(Compliance Junction, June 2020)
Report: Providers’ HIPAA Right of Access compliance improving
(IAPP, May 2020)
HHS notice on telehealth penalties raises privacy concerns
(IAPP, March 2020)
Telehealth HIPAA waiver stirs privacy concerns
(IAPP, March 2020)
HHS announces HIPAA penalties waiver amidst COVID-19
(IAPP, March 2020)
The Solution to Overcoming Healthcare Compliance Challenges
(March 2020)
HIPAA Privacy Rule: Hybrid Entity Regulatory Reference Table
(The Network for Public Health Law, February 2020)
Health Information Technology for Economic and Clinical Health Act, The
(IAPP Glossary)
Report: 51% of US health providers lack HIPAA right-of-access compliance
(IAPP, November 2019)
Improving cybersecurity in the health care industry
(Health Care Industry Cybersecurity Task Force, August 2019)
Filling Health Care Security Staffing Gaps
(Health IT Security, August 2019)
HHS releases fact sheet on business associates’ liability under HIPAA
(IAPP, May 2019)
HHS revises some HIPAA fines, releases third-party app guidance
(IAPP, April 2019)
Paging all health care privacy pros: CCPA deserves your attention despite HIPAA exemption
(IAPP, July 2018)
HIPAA Audit Program Protocol
(HHS, July 2018)
Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule
(U.S. National Institutes of Health, June 2018)
New York attorney general dips his toe into HIPAA’s murky waters
(IAPP, March 2018)
HIPAA – Covered Entities and Business Associates
(HHS, June 2017)
Sample Business Associate Agreement Provisions
(U.S. Department of Health and Human Services, June 2017)
HIPAA enforcement: A retrospective
(IAPP, March 2016)
Guide to Privacy and Security of Electronic Health Information
(U.S. Office of the National Coordinator for Health Information Technology, June 2015)
AMA HIPAA Guidance and Toolkit
(American Medical Association, September 2013)
Healthcare Breaches Under the Final Omnibus Rule
(IAPP, September 2013)
HIPAA Audit Toolkit
(Davis Wright Tremaine, August 2013)
Perspectives on health data de-identification
(Khaled El Emam, January 2013)
Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
(The Office for Civil Rights, December 2012)
EU plans to improve health data access

The European Commission plans to improve access to health data for patients, medical professionals, regulators and researchers to reduce unnecessary medical tests and prescriptions, Reuters reports. Under the proposal, data from patients’ health records and wellness applications would be combined and made accessible through free online databases under strict privacy rules. Patients cannot always access their health data electronically and hospitals often do not share data in its entirety with ot...

Web Conference: Pandemics, Panic and Privacy: Lessons Learnt this Year

Original broadcast date: April 1, 2021. Is a pandemic reason enough to roll out surveillance? Our panel is ready to answer your burning questions regarding the impact COVID-19 is having on privacy. Join us to explore how health companies are processing sensitive data and how telemedicine is shaping the future. We will cover how businesses have handled additional sensitive data during this crisis (including article 9(h) and (g) of the GDPR) and debate what is safe and what is intrusive. This interactive session includes a travel industry test case and a firsthand account from the insurance sector. We will analyze what impact COVID-19 has had on companies from a business, employment and cybersecurity perspective.

Privacy in the Wake of COVID-19: Remote Work, Employee Health Monitoring and Data Sharing

The IAPP and EY launched a research initiative to gain more insight into the unique ways privacy and data protection practices have been affected by the pandemic. The initial phase of the project included a survey of privacy professionals, taking a deeper look at how organizations, in general, and privacy programs, in particular, are handling the privacy and data protection issues that have emerged alongside COVID-19, such as privacy and security issues related to working from home, monitoring the health of employees, and sharing data with governments, researchers and public health authorities.

Health Tech/Apps

Broad use of mental health apps generates privacy confusion

Mobile applications that help treat mental health issues have grown significantly since the start of the COVID-19 pandemic, Axios reports. Despite more access to treatment, many of the apps available vary in their privacy notices, leaving consumers uncertain about their health data privacy. According to the article, "fewer than half of 116 apps for depression surveyed had any privacy (notice)."

Researchers study tools to give therapists access to patient smartphone data

The Wall Street Journal reports researchers are designing applications that could give therapists access to data from patients’ smartphones in between sessions. The apps would use voice-analysis software and online-search behavior to help professionals assess and assist with patients’ conditions. While questions remain about how to ensure informed consent and safeguard users’ information, University of Washington Psychiatry and Behavioral Sciences Professor Dr. Patricia Areán said if patients en...

Web Conference: Advancing Data-Driven Health Research and Innovation Responsibly

Original broadcast date: April 7, 2021. Despite a common misconception, privacy and healthcare research (including innovation) are not polarizing forces. Join privacy experts from the life sciences and healthcare field as they discuss how data is really used in research and development. You will hear their views on bridging the perceived gap between healthcare research and privacy, and how to apply those ideas to current challenges, such as innovating responses to COVID-19. The panel will also discuss types of research, what makes data use in drug development and medtech different from other industries, effective anonymization/de-identification, lawful data use and how to build public trust within the industry.

Healthcare Cybersecurity and Data Breaches

Swedish DPA reports increase in health care cybersecurity attacks

In a report of personal data incidents received in 2021, Sweden’s data protection authority, Integritetsskyddsmyndigheten, noted a 26% increase in cybersecurity attacks on the health care sector. A total of 5,767 personal data incidents were reported in 2021, the IMY reported, primarily due to incorrect sending of letters, emails or text messages. The IMY said human error is behind six out of 10 incidents.

Patient Privacy and Information Access

Web Conference: Employee Health Data Collection Guidelines & Vaccination-Tracking Best Practices

Original broadcast date: March 10, 2021. Is your company following the U.S. Occupational Safety and Health Administration’s recommendations or state guidelines? Do you have a handle on where your health data is being stored, and is it accessible and secure? Companies now have a surplus of health data, whether it’s COVID-19 test or vaccination statuses or general health questionnaire data collected from employees. What are the requirements around keeping this data or disclosing it to your employees? In this privacy education web conference, we will answer these questions to help you understand best practices around health data record-keeping and develop a plan now.

Data De-identification and Anonymization of Individual Patient Data in Clinical Studies — A Model Approach

This paper from TransCelerate BioPharma Inc. considers how de-identification and anonymization techniques can be applied to individual patient data in order to fulfill transparency, disclosure and research requests while safeguarding the privacy of individuals (e.g., participants and company staff). This paper proposes which techniques to apply in order to conform to existing directives and regulatory guidance while balancing the utility of the de-identified data to the researcher.

Law Enforcement & National Security Access to Medical Records
(Center for Democracy & Technology, August 2013)