Health Privacy

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to health privacy.

Featured Resources

Keynote: Implications of Dobbs decision

From Austin City Limits Live at the Moody Theater, this panel analyzes how the Supreme Court’s Dobbs decision affects the long-recognized constitutional right to privacy in the United States, the concept of bodily autonomy, and the connection between privacy, liberty and equality.
Read More

Privacy as a competitive differentiator

This white paper provides a comprehensive framework for building and managing a health care privacy program based on the collective insights from in-house and external privacy counsel.
Read More

Defining health data: A major challenge

The American Data Privacy and Protection Act being considered by the U.S. Congress is a comprehensive proposal that includes provisions covering health data and grapples with “the difficulties of regulating health information that exists outside the health care system.” This article provides key takeaways on the proposal’s health data coverage and where potential pitfalls may lie.
Read More


Latest News and Resources

P.S.R. 2022 keynote: Roe v. Wade reversal a 'wake-up' across privacy spectrum

More than three months have passed since the U.S. Supreme Court rendered its decision to reverse Roe v. Wade and remove the constitutional right to an abortion. Implications for individual privacy rights and data privacy stemming from the decision are clear and continue to be worked through. But simply working toward a solution won't suffice for arriving at concrete fixes, according to participants in a keynote panel at the opening general session of the IAPP Privacy. Security. Risk. 2022 confe... Read More

A view from DC: Considering what is defined as genetic data

Definitions can be messy, especially when they move from dictionaries to law books. Just look at the idea of genetic data and ponder this riddle: When is a medical test result genetic information? The National Institute of Standards and Technology definition of “genomic information” says it is limited to information based on an individual’s genome, such as a sequence of DNA or the results of genetic testing. Privacy laws broaden the scope of covered data within such a functional definition — pe... Read More

Report: Digital health companies violate own privacy notices in marketing to patients

Forbes reports on a study finding digital health companies are sharing their users’ personal data with Facebook to refine targeted advertising. The study followed users active in an online cancer support community who used applications from five companies. Researchers found that third-party ad trackers embedded in the companies’ apps followed the users across the web and were used to market directly to them. Doing so violated the privacy notices of three of the apps, per the study. Read More

Roe v. Wade’s overturn: The impact on data protection and law enforcement

On June 24, the U.S. Supreme Court overturned Roe v. Wade, confirming the understanding contained in the draft decision leaked in early May. Roe v. Wade is a paradigmatic decision that secured the constitutional right to abortion in the country in 1973. After 49 years, it came to an end. The recent decision allows a number of U.S. states to adopt laws criminalizing abortion in a short time. It is thought that approximately half of the U.S. states will ban or severely restrict the practice. This... Read More

Report: License plate readers could be used to track women seeking abortions
(IAPP, July 2022)
Roe v. Wade reversal sends ripples through privacy world
(IAPP, June 2022)
German, Spanish regulators offer health care privacy guidelines
(IAPP, June 2022)
Commission proposal for a regulation on the European health data space
(IAPP, March 2022)
Web Conference: Building an Effective and Strategic Healthcare Privacy Program
(IAPP, January 2022)
Kaspersky — Healthcare Report 2021
(Kaspersky, December 2021)
HHS guidance affirms HIPAA doesn’t regulate vaccine questions
(IAPP, October 2021)
Pfizer CPO: ‘You really feel the enormity of what we are doing’
(IAPP, June 2021)
New U.K. health data strategy creates ‘secure,’ ‘privacy-preserving system’
(IAPP, June 2022)
European Health Data Space: Repairing the trans-Atlantic data relationship through biotech R & D
(IAPP, July 2021)
A public service announcement about the HIPAA Privacy Rule
(IAPP, June 2021)
LinkedIn Live: ‘Profiles in Privacy — A conversation with Patrice Ettinger’
(IAPP, June 2021)
Web Conference: The Future of HIPAA
(IAPP, May 2021)
Web Conference: Advancing Data-Driven Health Research and Innovation Responsibly
(IAPP, April 2021)
GDPR basics: DPOs explained for digital health companies
(Chino.io, May 2021)
Web Conference: Pandemics, Panic and Privacy: Lessons Learnt this Year
(IAPP, April 2021)
The status quo of health data inferences
(IAPP, March 2021)
Web Conference: Employee Health Data Collection Guidelines & Vaccination-Tracking Best Practices
(IAPP, March 2021)
Web Conference: Monitoring Employees’ Health & Activities Outside Work in Germany, Poland and UK
(IAPP, February 2021)
Web Conference: Leveraging Location Data for Public Health and COVID-19 Response Efforts
(IAPP, February 2021)
Privacy in the Wake of COVID-19, Part 2: Privacy Challenges as the Pandemic Continues
(IAPP, January 2021)
Privacy in the Wake of COVID-19: Remote Work, Employee Health Monitoring and Data Sharing
(IAPP, May 2020)
Web Conference: Big Data, Artificial Intelligence and Discrimination in Health Care and Beyond
(IAPP, August 2019)
Web Conference: Health Information Privacy and Security Trends
(IAPP, June 2018)

HIPAA

In 1996 the U.S. Congress passed the Health Insurance Portability and Accountability Act to create national standards for electronic health care transactions and unique health identifiers, among other purposes. Recognizing the increased risk to data in an electronic format, HIPAA required the Secretary of the U.S. Department of Health and Human Services to develop regulations ensuring the privacy and security of certain health information.

Definitions (HIPAA)

HIPAA Privacy and Security for Beginners

This article by Kirk Nahra, CIPP/US, of Wiley Rein offers an overview of the Health Insurance Portability and Accountability Act from its inception. The article outlines the goals of the law, highlighting the principles found in the HIPAA Privacy and Security Rules. Read More

Health Insurance Portability and Accountability Act, The

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that a patient’s authorization is required before their information can be shared with other organizations, although there are important exceptions, such as disclosures for treatment, payment and healthcare operations. Link to text of law: Th... Read More

Protected Health Information

Any individually identifiable health information transmitted or maintained in any form or medium that is held by an entity covered by the Health Insurance Portability and Accountability Act or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of healthcare or payment for healthcare to that individual. Acronym... Read More

Privacy Rule, The

Under HIPAA, this rule establishes U.S. national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically. The rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authoriza... Read More

Electronic Health Record

A computer record of an individual's medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges. EHRs may include a range of data including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats such as age and weight and billing information. Their ac... Read More

Latest News and Resources (HIPAA)

Who Does HIPAA Apply To?

This article, published by Compliance Junction, provides guidance on the application of the Health Insurance Portability and Accountability Act, with a focus on business associates, hybrid entities and preemption by state laws. Read More

A public service announcement about the HIPAA Privacy Rule

HIPAA and COVID-19 have been in the news together a lot lately. Most of what you see is wrong. Here’s a refresher — for yourself, and your strange friend who read something on the internet and is now a HIPAA expert or, all too frequently, a “HIPPA” expert. First, HIPAA is not an overall health information privacy rule. The name of the statute may give some clues — the Health Insurance Portability and Accountability Act. The single “P” in the name is for portability, not privacy. Neither privac... Read More

Web Conference: The Future of HIPAA

Original broadcast date: May 24, 2021. The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules were written in a period when health information was concentrated in the hands of traditional health care institutions such as doctors, hospitals and health plans. Almost two decades later, this is no longer the case. With revolutionary advances in technology, an increasing number and variety of organizations are generating and collecting sensitive health information largely outside the bounds of HIPAA. This panel discussed whether HIPAA is still up to the task of protecting health information. The panelists examined the principles that should underpin any legislation modifying how health information is treated and assessed specific proposals for updating the current sector-specific framework. They also assessed the capacity of those proposals to better embrace the advantages and address the threats posed by recent changes to the health privacy landscape. Read More

Prioritizing patient access rights under HIPAA
(IAPP, September 2021)
Guide to Privacy and Security of Electronic Health Information
(U.S. Office of the National Coordinator for Health Information Technology, August 2021)
Covered Entity Guidance
(Centers for Medicare & Medicaid Services, July 2021)
Who Can Sue for A HIPAA Violation?
(Compliance Junction, July 2021)
HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules
(Centers for Medicare & Medicaid Services, May 2021)
Why the Fifth Circuit HIPAA case doesn’t mean ‘game over’ for HHS data security enforcement
(IAPP, March 2021)
HHS waives HIPAA penalties in Texas
(IAPP, February 2021)
HHS: Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency
(U.S. Department of Health & Human Services Office for Civil Rights, January 2021)
Details on proposed changes to HIPAA’s Privacy Rule
(IAPP, December 2020)
Understanding HIPAA’s security rule for telemedicine apps
(IAPP, December 2020)
Doctor invokes HIPAA with Trump COVID-19 questions
(IAPP, October 2020)
HHS: FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency
(HHS, February 2020)
HHS issues $2.3M HIPAA fine over breach
(IAPP, September 2020)
ONC, OCR update HIPAA Risk Assessment Tool
(IAPP, September 2020)
COVID-19 and HIPAA: HHS’s Troubled Approach to Waiving Privacy and Security Rules for the Pandemic
(World Privacy Forum, September 2020)
5 investigations settled in HIPAA Right of Access Initiative
(IAPP, September 2020)
AMA HIPAA Guidance and Toolkit
(American Medical Association, September 2013)
Social Media Rules for HIPAA
(Compliance Junction, June 2020)
Perspectives on health data de-identification
(Khaled El Emam, June 2020)
State laws vs. HIPAA — what you need to know
(Abyde, June 2020)
Report: Providers’ HIPAA Right of Access compliance improving
(IAPP, May 2020)
HHS notice on telehealth penalties raises privacy concerns
(IAPP, March 2020)
Telehealth HIPAA waiver stirs privacy concerns
(IAPP, March 2020)
HHS announces HIPAA penalties waiver amidst COVID-19
(IAPP, March 2020)
The Solution to Overcoming Healthcare Compliance Challenges
(Securiti.ai, March 2020)
HIPAA Privacy Rule: Hybrid Entity Regulatory Reference Table
(The Network for Public Health Law, February 2020)
Health Information Technology for Economic and Clinical Health Act, The
(IAPP Glossary)
Report: 51% of US health providers lack HIPAA right-of-access compliance
(IAPP, November 2019)
Improving cybersecurity in the health care industry
(Health Care Industry Cybersecurity Task Force, August 2019)
Filling Health Care Security Staffing Gaps
(Health IT Security, August 2019)
HHS releases fact sheet on business associates’ liability under HIPAA
(IAPP, May 2019)
HHS revises some HIPAA fines, releases third-party app guidance
(IAPP, April 2019)
Paging all health care privacy pros: CCPA deserves your attention despite HIPAA exemption
(IAPP, July 2018)
HIPAA Audit Program Protocol
(HHS, July 2018)
Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule
(U.S. National Institutes of Health, June 2018)
New York attorney general dips his toe into HIPAA’s murky waters
(IAPP, March 2018)
HIPAA – Covered Entities and Business Associates
(HHS, June 2017)
Sample Business Associate Agreement Provisions
(U.S. Department of Health and Human Services, June 2017)
HIPAA enforcement: A retrospective
(IAPP, March 2016)
Healthcare Breaches Under the Final Omnibus Rule
(IAPP, September 2013)
HIPAA Audit Toolkit
(Davis Wright Tremaine, August 2013)

COVID-19

EU plans to improve health data access

The European Commission plans to improve access to health data for patients, medical professionals, regulators and researchers to reduce unnecessary medical tests and prescriptions, Reuters reports. Under the proposal, data from patients’ health records and wellness applications would be combined and made accessible through free online databases under strict privacy rules. Patients cannot always access their health data electronically and hospitals often do not share data in its entirety with ot... Read More

Web Conference: Pandemics, Panic and Privacy: Lessons Learnt this Year

Original broadcast date: April 1, 2021. Is a pandemic reason enough to roll out surveillance? Our panel is ready to answer your burning questions regarding the impact COVID-19 is having on privacy. Join us to explore how health companies are processing sensitive data and how telemedicine is shaping the future. We will cover how businesses have handled additional sensitive data during this crisis (including the Article 9(2)(g) and (h) conditions of the GDPR) and debate what is safe and what is intrusive. This interactive session includes a travel industry test case and a firsthand account from the insurance sector. We will analyze what impact COVID-19 has had on companies from a business, employment and cybersecurity perspective. Read More

Privacy in the Wake of COVID-19: Remote Work, Employee Health Monitoring and Data Sharing

The IAPP and EY launched a research initiative to gain more insight into the unique ways privacy and data protection practices have been affected by the pandemic. The initial phase of the project included a survey of privacy professionals, taking a deeper look at how organizations, in general, and privacy programs, in particular, are handling the privacy and data protection issues that have emerged alongside COVID-19, such as privacy and security issues related to working from home, monitoring the health of employees, and sharing data with governments, researchers and public health authorities. Read More

Health Tech/Apps

Researchers uncover health app privacy issues

Multiple mobile health applications “share (user) information with a broad collection of advertisers,” according to an investigation conducted by The Washington Post. While the data most apps share does not directly identify users by name, it typically includes a numeric identifier linked to the user’s device, the investigation found. The app makers generally argued that sharing a user’s keyword search is not equivalent to disclosing their health concerns. However, privacy advocates warned sellin... Read More

Study shows potential issues with fertility apps' privacy practices

The Verge reports analysis conducted by Mozilla researchers on 25 fertility and period-tracking applications showed potential issues with privacy notices, data collection and use practices, and user privacy protections. Mozilla *Privacy Not Included project lead Jen Caltrider said these app providers need to be "extra diligent when it comes to the privacy and security" but "too many are not." Inside Higher Ed reports on how colleges and universities are approaching students' reproductive heal... Read More

Broad use of mental health apps generates privacy confusion

Mobile applications that help treat mental health issues have grown significantly since the start of the COVID-19 pandemic, Axios reports. Despite offering more access to treatment, the apps available vary widely in their privacy notices, leaving consumers uncertain about the privacy of their health data. According to the article, "fewer than half of 116 apps for depression surveyed had any privacy (notice)." Read More

Web Conference: Advancing Data-Driven Health Research and Innovation Responsibly

Original broadcast date: April 7, 2021. Despite a common misconception, privacy and healthcare research (including innovation) are not polarizing forces. Join privacy experts from the life sciences and healthcare field as they discuss how data is really used in research and development. You will hear their views on bridging the perceived gap between healthcare research and privacy, and how to apply those ideas to current challenges, such as innovating responses to COVID-19. The panel will also discuss types of research, what makes data use in drug development and medtech different from other industries, effective anonymization/deidentification, lawful data use and how to build public trust within the industry. Read More

Healthcare Cybersecurity and Data Breaches

LifeBridge Health settles data breach lawsuit for $9.5M

LifeBridge Health agreed to a $9.5 million settlement in a class-action lawsuit over a 2018 data breach that compromised the personal data of more than 500,000 patients, HIPAA Journal reports. Under the settlement, an $800,000 fund will cover claims from class members who said their personal data was exposed to identity thieves, and LifeBridge Health will allocate $7.9 million to security improvements, including data encryption and multifactor authentication. Read More

Swedish DPA reports increase in health care cybersecurity attacks

In a report on personal data incidents received in 2021, Sweden’s data protection authority, Integritetsskyddsmyndigheten, noted a 26% increase in cybersecurity attacks on the health care sector. A total of 5,767 personal data incidents were reported in 2021, the IMY reported, primarily due to the incorrect sending of letters, emails or text messages. The IMY said human error is behind six out of 10 incidents. Read More

Patient Privacy and Information Access

Keynote: Panel on the implications of the Supreme Court's Dobbs decision (IAPP Privacy. Security. Risk. 2022)

From Austin City Limits Live at the Moody Theater, this panel analyzes how the Supreme Court’s Dobbs decision affects the long-recognized constitutional right to privacy in the United States, the concept of bodily autonomy, and the connection between privacy, liberty and equality. Moderated by The New Yorker staff writer and “Trick Mirror” author Jia Tolentino, the panel features U.S. Department of Health and Human Services Office for Civil Rights Director Melanie Fontes Rainer; Center for Democracy & Technology President and CEO Alexandra Reeve Givens; and Jill Morrison, executive director of the Women’s Law and Public Policy Fellowship Program and the Leadership and Advocacy for Women in Africa Program. Read More

Calif. governor signs 2 bills to protect health data of those obtaining abortions

Gov. Gavin Newsom, D-Calif., recently signed two bills into California law that protect individuals' abortion data, Health IT Security reports. Bill AB 1242 prohibits state law enforcement entities and corporations from fulfilling search warrant requests from out-of-state law enforcement investigating anyone obtaining a lawful abortion in California. The other bill, AB 2091, bars health care providers from "releasing medical information on an individual seeking abortion care in response to a sub... Read More

Web Conference: Employee Health Data Collection Guidelines & Vaccination-Tracking Best Practices

Original broadcast date: March 10, 2021. Is your company following the U.S. Occupational Safety and Health Administration’s recommendations or state guidelines? Do you have a handle on where your health data is being stored, and is it accessible and secure? Companies now have a surplus of health data, whether it’s COVID-19 test or vaccination statuses or general health questionnaire data collected from employees. What are the requirements around keeping this data or disclosing it to your employees? In this privacy education web conference, we will answer these questions to help you understand best practices around health data record-keeping and develop a plan now. Read More