Health Privacy

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to health privacy.

Featured Resources Latest News and Resources HIPAA COVID-19 Health Tech/Apps Healthcare Cybersecurity and Data Breaches Patient Privacy and Information Access

Featured Resources

Privacy as a competitive differentiator

This white paper provides a comprehensive framework for building and managing a health care privacy program based on the collective insights from in-house and external privacy counsel.
Read More

European Health
Data Space

It’s well understood the trans-Atlantic data relationship needs some healing and repair. Biotechnology Innovation Organization Senior Director of International Affairs Justin Pine, CIPP/US, writes that could come through the innovative biotechnology sector.
Read More

PSA about HIPAA Privacy Rule

COVID-19 has raised some key discussions on emerging privacy issues as well as created fresh debate around existing topics. One of those new debates centers on the HIPAA Privacy Rule. “Most of what you see is wrong,” Kirk Nahra, CIPP/US, writes as he dispels disinformation and re-establishes the proper framing of the rule.
Read More

Latest News and Resources

Kaspersky — Healthcare Report 2021

This report, published by Kaspersky, found telehealth calls have raised concerns over data security and privacy violations for doctors, nurses and patients. Read More

Save This

HHS guidance affirms HIPAA doesn't regulate vaccine questions

The U.S. Department for Health and Human Services published guidance to affirm the Health Information Privacy and Accountability Act Privacy Rule does not prohibit or regulate requests of information from individuals, covered entities and non-covered entities, including vaccination status. The guidance, "HIPAA, COVID-19 Vaccination, and the Workplace" states the HIPAA Privacy Rule only regulates how a covered entity may use or share an individual's protected health care data. Editor's note: IAPP... Read More

Save This

LinkedIn Live: 'Profiles in Privacy — A conversation with Patrice Ettinger'

Published: June 2021 Join IAPP President and CEO J. Trevor Hughes, CIPP, as he sits down with Pfizer Chief Privacy Officer Patrice Ettinger, CIPP/US, to discuss her career path and lessons learned along the way. To view this video on LinkedIn, click here. To access all IAPP LinkedIn Live videos, click here. Access the IAPP's LinkedIn profile here.... Read More

Save This

Pfizer CPO: 'You really feel the enormity of what we are doing'

IAPP CEO and President J. Trevor Hughes, CIPP, hosted Pfizer's Chief Privacy Officer Patrice Ettinger during the IAPP's "Profiles in Privacy" series June 17 on LinkedIn Live. The mission of multi-national biopharmaceutical company Pfizer is to deliver “breakthroughs that change patients’ lives.” Chief Privacy Officer Patrice Ettinger, CIPP/US, said she may never have understood that more than she has over the past 18 months. “In 2020, I and probably everybody else were able to relate to that i... Read More

Save This

Web Conference: The Future of HIPAA

Original broadcast date: May 24, 2021 The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules were written in a period where health information was concentrated in the hands of traditional health care institutions such as doctors, hospitals and health plans. Almost two decades later, this is no longer the case. With revolutionary advances in technology, an increasing number of variety of organizations are generating and collecting sensitive health information largely outside the bounds of HIPAA. This panel discussed whether HIPAA is still up to the task of protecting health information. They investigated the supporting principles for any legislation that might modify how health information is treated and assess specific proposals for updating the current sector-specific framework. They also assessed the capacity of those proposals to better embrace the advantages and threats posed by recent changes to the health privacy landscape. Read More

Save This

	Web Conference: Advancing Data-Driven Health Research and Innovation Responsibly (IAPP, April 2021)
	GDPR basics: DPOs explained for digital health companies (Chino.io, May 2021)
	Web Conference: Pandemics, Panic and Privacy: Lessons Learnt this Year (IAPP, April 2021)
	The status quo of health data inferences (IAPP, March 2021)
	Web Conference: Employee Health Data Collection Guidelines & Vaccination-Tracking Best Practices (IAPP, March 2021)
	Web Conference: Monitoring Employees’ Health & Activities Outside Work in Germany, Poland and UK (IAPP, February 2021)
	Web Conference: Leveraging Location Data for Public Health and COVID-19 Response Efforts (IAPP, February 2021)
	Privacy in the Wake of COVID-19, Part 2: Privacy Challenges as the Pandemic Continues (IAPP, January 2021)
	Privacy in the Wake of COVID-19: Remote Work, Employee Health Monitoring and Data Sharing (IAPP, May 2020)
	Web Conference: Big Data, Artificial Intelligence and Discrimination in Health Care and Beyond (IAPP, August 2019)
	Web Conference: Health Information Privacy and Security Trends (IAPP, June 2018)

View More Resources

HIPAA

In 1996 the U.S. Congress passed the Health Insurance Portability and Accountability Act to create national standards for electronic health care transactions and unique health identifiers, among other purposes. Recognizing the increased risk to data in an electronic format, HIPAA required the Secretary of the U.S. Department of Health and Human Services to develop regulations ensuring the privacy and security of certain health information.

Definitions (HIPAA)

HIPAA Privacy and Security for Beginners

This article by Kirk Nahra, CIPP/US, of Wiley Rein offers an overview of the Health Insurance Portability and Accountability Act from its inception. The article outlines the goals of the law, highlighting the principles found in the HIPAA privacy and security rules. Click To View ... Read More

Save This

Health Insurance Portability and Accountability Act, The

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations. Link to text of law: Th... Read More

Protected Health Information

Any individually identifiable health information transmitted or maintained in any form or medium that is held by an entity covered by the Health Insurance Portability and Accountability Act or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of healthcare or payment for healthcare to that individual. Acronym... Read More

Privacy Rule, The

Under HIPAA, this rule establishes U.S. national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically. The rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authoriza... Read More

Electronic Health Record

A computer record of an individual's medical file that may be shared across multiple healthcare settings. In some cases this sharing can occur by way of network-connected enterprise-wide information systems and other information networks or exchanges. EHRs may include a range of data including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats such as age and weight and billing information. Their ac... Read More

Latest News and Resources (HIPAA)

HHS Guidance: HIPAA, Civil Rights, and COVID-19

The U.S. Department of Health & Human Services Office for Civil Rights (OCR) published this guidance page providing announcements, guidance, notifications and bulletins on civil rights laws and the HIPAA Privacy Rule during the COVID-19 outbreak. Read More

Save This

Prioritizing patient access rights under HIPAA

SC Media reports on patient access rights being a key enforcement priority of the Health Insurance Portability and Accountability Act for the Department of Health and Human Services. Former DHHS privacy official Deven McGraw said HIPAA Right of Access is “underutilized” and data can empower patients to make decisions about their care. “There are a lot of scenarios that providers are fearing. But there are definitely more positives to sharing,” she said.Full Story... Read More

Save This

Covered Entity Guidance

This guidance from the Centers for Medicare & Medicaid Services helps determine whether an organization or individual is a covered entity under the Administrative Simplification provisions of HIPAA. Click To View ... Read More

Save This

A public service announcement about the HIPAA Privacy Rule

HIPAA and COVID-19 have been in the news together a lot lately. Most of what you see is wrong. Here’s a refresher — for yourself, and your strange friend who read something on the internet and is now a HIPAA expert or, all too frequently, a “HIPPA” expert. First, HIPAA is not an overall health information privacy rule. The name of the statute may give some clues — the Health Insurance Portability and Accountability Act. The single “P” in the name is for portability, not privacy. Neither privac... Read More

Save This

Web Conference: The Future of HIPAA

Save This

	Who Can Sue for A HIPAA Violation? (Compliance Junction, July 2021)
	HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules (Center for Medicare & Medicaid Services, May 2021)
	Why the Fifth Circuit HIPAA case doesn’t mean ‘game over’ for HHS data security enforcement (IAPP, March 2021)
	HHS waives HIPAA penalties in Texas (IAPP, February 2021)
	Unpacking the proposed HIPAA Privacy Rule modifications (IAPP, January 2021)
	HHS: Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (U.S. Department of Health & Human Services Office for Civil Rights, January 2021)
	Details on proposed changes to HIPAA’s Privacy Rule (IAPP, December 2020)
	2016-2017 HIPAA Audits Industry Report (U.S. Department of Health and Human Services’ Office of Civil Rights, December 2020)
	Understanding HIPAA’s security rule for telemedicine apps (IAPP, December 2020)
	Doctor invokes HIPAA with Trump COVID-19 questions (IAPP, October 2020)
	HHS: FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency (HHS, February 2020)
	HHS issues $2.3M HIPAA fine over breach (IAPP, September 2020)
	ONC, OCR update HIPAA Risk Assessment Tool (IAPP, September 2020)
	COVID-19 and HIPAA: HHS’s Troubled Approach to Waiving Privacy and Security Rules for the Pandemic (World Privacy Forum, September 2020)
	5 investigations settled in HIPAA Right of Access Initiative (IAPP, September 2020)
	Social Media Rules for HIPAA (Compliance Junction, June 2020)
	Report: Providers’ HIPAA Right of Access compliance improving (IAPP, May 2020)
	HHS notice on telehealth penalties raises privacy concerns (IAPP, March 2020)
	HHS notice on telehealth penalties raises privacy concerns (IAPP, March 2020)
	Telehealth HIPAA waiver stirs privacy concerns (IAPP, March 2020)
	HHS announces HIPAA penalties waiver amidst COVID-19 (IAPP, March 2020)
	The Solution to Overcoming Healthcare Compliance Challenges (Securiti.ai, March 2020)
	HIPAA Privacy Rule: Hybrid Entity Regulatory Reference Table (The Network for Public Health Law, February 2020)
	HHS: Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (U.S. Department of Health & Human Services Office for Civil Rights, January 2021)
	Health Information Technology for Economic and Clinical Health Act, The (IAPP Glossary)
	Report: 51% of US health providers lack HIPAA right-of-access compliance (IAPP, November 2019)
	Improving cybersecurity in the health care industry (Health Care Industry Cybersecurity Task Force, August 2019)
	Filling Health Care Security Staffing Gaps (Health IT Security, August 2019)
	HHS releases fact sheet on business associates’ liability under HIPAA (IAPP, May 2019)
	HHS revises some HIPAA fines, releases third-party app guidance (IAPP, April 2019)
	Paging all health care privacy pros: CCPA deserves your attention despite HIPAA exemption (IAPP, July 2018)
	HIPAA Audit Program Protocol (HHS, July 2018)
	Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (U.S. National Institutes of Health, June 2018)
	New York attorney general dips his toe into HIPAA’s murky waters (IAPP, March 2018)
	HIPAA – Covered Entities and Business Associates (HHS, June 2017)
	HIPAA enforcement: A retrospective (IAPP, March 2016)
	Guide to Privacy and Security of Electronic Health Information (U.S. Office of the National Coordinator for Health Information Technology, June 2015)
	AMA HIPAA Guidance and Toolkit (American Medical Association, September 2013)
	Sample Business Associate Agreement Provisions (U.S. Department of Health and Human Services, September 2013)
	Healthcare Breaches Under the Final Omnibus Rule (IAPP, September 2013)
	HIPAA Audit Toolkit (Davis Wright Tremaine, August 2013)
	Perspectives on health data de-identification (Khaled El Emam, January 2013)
	HIPAA Sample Business Associate Agreement Provisions (U.S. Department of Health & Human Services, January 2013)
	Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (The Office for Civil Rights, December 2012)

View More Resources

COVID-19

Pfizer CPO: 'You really feel the enormity of what we are doing'

Save This

Web Conference: Pandemics, Panic and Privacy: Lessons Learnt this Year

Original broadcast date: April 1, 2021 Is a pandemic reason enough to roll out surveillance? Our panel is ready to answer your burning questions regarding the impact COVID-19 is having on privacy. Join us to explore how health companies are processing sensitive data and how telemedicine is shaping the future. We will cover how businesses have handled additional sensitive data during this crisis (including article 9(h) and (g) of the GDPR) and debate what is safe and what is intrusive. This interactive session includes a travel industry test case and firsthand account from the insurance sector. We will analyze what impact COVID-19 has had on companies from a business, employment and cybersecurity perspective. Read More

Save This

Privacy in the Wake of COVID-19, Part 2: Privacy Challenges as the Pandemic Continues

The findings presented in this report are the result of a collaborative research project between the IAPP and EY studying the effects of the COVID-19 pandemic on privacy teams around the world. Read More

Save This

COVID-19 and HIPAA: HHS’s Troubled Approach to Waiving Privacy and Security Rules for the Pandemic

This report from the World Privacy Forum sets out the facts surrounding the U.S. Department of Health and Human Services' adjustments to Health Insurance Portability and Accountability Act privacy and security rules due to the COVID-19 pandemic, identifies the issues, and proposes a road map for change. Read More

Save This

Privacy in the Wake of COVID-19: Remote Work, Employee Health Monitoring and Data Sharing

The IAPP and EY launched a research initiative to gain more insight into the unique ways privacy and data protection practices have been affected by the pandemic. The initial phase of the project included a survey of privacy professionals, taking a deeper look at how organizations, in general, and privacy programs, in particular, are handling the privacy and data protection issues that have emerged alongside COVID-19, such as privacy and security issues related to working from home, monitoring the health of employees, and sharing data with governments, researchers and public health authorities. Read More

Save This

	HHS Guidance: HIPAA, Civil Rights, and COVID-19 (HHS, September 2021)
	HHS: Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (HHS, February 2020)
	HHS: FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency (HHS, February 2020)
	HHS notice on telehealth penalties raises privacy concerns (IAPP, March 2020)
	Telehealth HIPAA waiver stirs privacy concernsTelehealth HIPAA waiver stirs privacy concerns (IAPP, March 2020)
	HHS announces HIPAA penalties waiver amidst COVID-19 (IAPP, March 2020)

View More Resources

Health Tech/Apps

Kaspersky — Healthcare Report 2021

This report, published by Kaspersky, found telehealth calls have raised concerns over data security and privacy violations for doctors, nurses and patients. Read More

Save This

Researchers study tools to give therapists access to patient smartphone data

The Wall Street Journal reports researchers are designing applications that could give therapists access to data from patients’ smartphones in between sessions. The apps would use voice-analysis software and online-search behavior to help professionals assess and assist with patients’ conditions. While questions remain about how to ensure informed consent and safeguard users’ information, University of Washington Psychiatry and Behavioral Sciences Professor Dr. Patricia Areán said if patients en... Read More

Save This

Important FTC Rules for Health Apps Outside of HIPAA

This guide from Holland & Knight highlights the recent FTC policy statement signaling its move towards using its enforcement tools where sensitive health information may be compromised, and provisions from both the Health Breach Notification Rule and the policy statement to be aware of. Read More

Save This

Zoom releases mobile browser beta of heath care platform

Zoom launched the iOS mobile browser beta release of its Zoom for Healthcare platform, ZDNet reports. The platform, compliant with the Health Insurance Portability and Accountability Act, offers videoconferencing services for patients on Apple devices to connect with health care providers. Zoom anticipates offering the service on other operating systems and adding new options, like virtual waiting rooms where patients can receive chats from health care providers.Full Story... Read More

Save This

Web Conference: Advancing Data-Driven Health Research and Innovation Responsibly

Original broadcast date: April 7, 2021 Despite a common misconception, privacy and healthcare research (including innovation) are not polarizing forces. Join privacy experts from the life sciences and healthcare field as they discuss how data is really used in research and development. You will hear their views on bridging the perceived gap between healthcare research and privacy, and how to apply those ideas to current challenges, such as innovating responses to COVID-19. The panel will also discuss types of research, what makes data use in drug development and medtech different from other industries, effective anonymization/deidentification, lawful data use and how to build public trust within the industry. Read More

Save This

Healthcare Cybersecurity and Data Breaches

What To Do When Faced With a Privacy Breach: Guidelines for the Health Sector

This paper issued by the Information and Privacy Commissioner of Ontario aims to provide guidance in accordance with The Personal Health Information Protection Act, 2004 to health information custodians when they are faced with a privacy breach. Read More

Save This

Ponemon Annual Benchmark Study on Privacy & Security of Healthcare Data

This Ponemon Institute study represents findings from healthcare organizations and business associates, as to how often they experience data breaches, the resources they have to prevent and respond to breaches, and their ability to keep patient data safe. Click To View (PDF) ... Read More

Save This

Best Practices for a Healthcare Data Breach: What You Don’t Know Will Cost You

This guidance by Experian addresses the unique challenges that come with responding to a breach involving healthcare data. Read More

Save This

Patient Privacy and Information Access

Web Conference: Employee Health Data Collection Guidelines & Vaccination-Tracking Best Practices

Original broadcast date: March 10, 2021 Is your company following the U.S. Occupational Safety and Health Administration’s recommendations or state guidelines? Do you have a handle on where your health data is being stored, and is it accessible and secure? Companies now have a surplus of health data, whether it’s COVID-19 test or vaccination statuses or general health questionnaire data collected from employees. What are the requirements around keeping this data or disclosing it to your employees? In this privacy education web conference, we will answer these questions to help you understand best practices around health data record-keeping to help you develop a plan now. Read More

Save This

Use of Electronic Health Record Data in Clinical Investigations

This guidance document, published by the U.S. Department of Health and Human Services, is intended to assist sponsors, clinical investigators, contract research organizations, institutional review boards, and other interested parties on the use of electronic health record data in FDA-regulated clinical investigations. Read More

Save This

Data De-identification and Anonymization of Individual Patient Data in Clinical Studies — A Model Approach

This paper from TransCelerate BioPharma Inc. considers how de-identification and anonymization techniques can be applied to individual patient data in order to fulfill transparency, disclosure and research requests while safeguarding the privacy of individuals (e.g., participants and company staff). This paper proposes which techniques to apply in order to conform to existing directives and regulatory guidance while balancing the utility of the de-identified data to the researcher. Click To Vie... Read More

Save This

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients

The purpose of this report, published by the U.S. Department of Health and Human Services, serves to display the development of practical and understandable cybersecurity guidelines to cost-effectively reduce cybersecurity risks for health care organizations. Click To View (PDF) ... Read More

Save This

Law Enforcement & National Security Access to Medical Records

This Center for Democracy & Technology Policy Post explains how government access to identifiable health information is addressed by the PATRIOT Act, the HIPAA Privacy Rule, as well as the statutes and regulations protecting the confidentiality of patient information that is held by federally funded substance abuse treatment facilities and programs. Read More

Save This