Health Privacy

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to health privacy.

Featured Resources

Washington’s My Health, My Data Act

This article provides a breakdown of Washington’s new health data act.

Privacy tech in health care and medical research

This LinkedIn Live explains the benefits and tools available for better privacy and IP protection while supporting trust and collaboration in health care and medical research.

Privacy Resources for Digital Health Data

This infographic provides resources, frameworks and guidance organizations can consider when increasing protections for products and services that collect, use and/or sell digital health data.


HIPAA News and Resources

HIPAA Privacy and Security for Beginners

This article by Kirk Nahra, CIPP/US, of Wiley Rein offers an overview of the Health Insurance Portability and Accountability Act from its inception. The article outlines the goals of the law, highlighting the principles found in the HIPAA privacy and security rules.

Health Insurance Portability and Accountability Act, The

A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations. Link to text of law: Th...

Who Does HIPAA Apply To?

This article, published by Compliance Junction, provides guidance on the application of the Health Insurance Portability and Accountability Act, with a focus on business associates, hybrid entities and preemption by state laws.

Covered Entity Guidance

This guidance from the Centers for Medicare & Medicaid Services helps determine whether an organization or individual is a covered entity under the Administrative Simplification provisions of HIPAA.

Guide to Privacy and Security of Electronic Health Information

The intent of the guide from the U.S. Office of the National Coordinator for Health Information Technology is to help healthcare providers, especially HIPAA covered entities and Medicare Eligible Professionals from smaller organizations, better understand how to integrate federal health information privacy and security requirements into their practices.

Why the Fifth Circuit HIPAA case doesn't mean 'game over' for HHS data security enforcement

Last January, in University of Texas M.D. Anderson Cancer Center v. HHS, 985 F.3d 472, the Fifth Circuit Court of Appeals cast a pretty big shadow of doubt over data security enforcement by the Department of Health and Human Services. But it's not game over for HHS Health Insurance Portability and Accountability Act enforcement. Of the court's four rationales, one seems clearly wrong (although it highlights an important issue), one seems right, the third appears to require more care by HHS when ...

Unpacking the proposed HIPAA Privacy Rule modifications

Only a month into 2021, and U.S. privacy professionals are already trying to keep up with fast-moving legislative developments and other privacy initiatives. The whirlwind of action spans across the privacy space, including some potential movement in the health care industry on the Health Insurance Portability and Accountability Act. The U.S. Department of Health and Human Services' Office for Civil Rights announced Dec. 10, 2020, that a Notice of Proposed Rulemaking was drafted to modify prov...

Understanding HIPAA's security rule for telemedicine apps

The rapid growth in telehealth has predictably spawned the development of a variety of new software solutions to serve the needs of both doctors and patients. While the field is wide open for application developers, the area of telemedicine also presents some unique data privacy and security challenges. Of course, the principles of privacy by design tell us that data privacy concerns should be integrated into the entire design process, but this imperative becomes all the more important and chall...

AMA HIPAA Guidance and Toolkit

The American Medical Association published this toolkit aiming to help physicians review and update their HIPAA policies and procedures. The toolkit includes a breakdown of the revised rule, FAQs, a sample notice of privacy practices and a sample business associate agreement.

Social Media Rules for HIPAA

This article from Compliance Junction advises health care organizations on developing social media policies in order to abide by the U.S. Health Insurance Portability and Accountability Act and cultivate a social media presence.

HHS notice on telehealth penalties raises privacy concerns

The U.S. government just eased the path for doctors and nurses to do video chats with patients by lifting privacy and security compliance penalties and enforcement action against health care providers. The Office for Civil Rights at the U.S. Department of Health and Human Services Tuesday said it will allow health care providers to use technology, such as Apple FaceTime, Facebook Messenger video chat or other video platforms, to communicate with patients. But, while federal response to the COVID...

Paging all health care privacy pros: CCPA deserves your attention despite HIPAA exemption

We would understand if health care organizations have been ignoring the California Consumer Privacy Act of 2018. The act was signed June 28, just before the July 4 holiday, most privacy pros have a GDPR hangover, and there’s a HIPAA exemption, so who cares — right? Dear readers: It is our unfortunate duty to inform you that this act will significantly impact health care organizations. In a nutshell, the California Consumer Privacy Act requires “businesses” involved in the “processing” of “pers...

HIPAA Audit Program Protocol

The U.S. Office for Civil Rights HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. The protocol covers Privacy Rule requirements for notice of privacy practices for PHI, rights to request privacy protection for PHI, access of individuals to PHI, administrative requirements, uses and disclosures of PHI, amendment of PHI, accounting of disclosures and requirements for the Breach Notification Rule.

HIPAA - Covered Entities and Business Associates

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law passed to create national standards for electronic health care transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations — although there are important exceptions such as for ...

'Neurorights' and the next flashpoint of medical privacy

Another frontier in the privacy landscape is emerging, as countries like the U.S. address deficiencies with how sensitive medical data is processed by third parties outside Health Insurance Portability and Accountability Act and other legislative protections. Around the world, leading neuroscientists, neuroethicists, privacy advocates and legal minds are taking greater interest in brain data and its potential. Opinions vary widely on the long-term advancements in technology designed to measure...

Digital transformation in the health care sector: Research and innovation as secondary use

Digital transformation is progressing in the health care sector, with electronic patient files, health apps, mobile health wearables, connected medical devices and even remote emergency doctors. Digital transformation generates large volumes of data, which offer a wide range of opportunities for research and innovation. When it comes to patient data, these opportunities may clash with the requirements under applicable data protection laws, particularly consent requirements. However, consent as l...

Top takeaways from the FTC-GoodRx case: A chat with Kirk Nahra

In early February, the U.S. Federal Trade Commission published a proposed order that fines telehealth and discount prescription provider GoodRx $1.5 million. Though part of the case involves deception — one of two prongs under the FTC Act — the case also raises the first-of-its-kind use of the Health Breach Notification Rule. To help better understand the novel and complex issues embedded in the case, IAPP Editorial Director Jedidiah Bracy, CIPP, caught up with WilmerHale Partner Kirk Nahra, CI...

A healthy dose of consent: Takeaways from the FTC’s GoodRx case

In what the U.S. Federal Trade Commission calls a "first-of-its-kind" enforcement action, the FTC filed a proposed order against GoodRx, a U.S. health care company, for violating the Health Breach Notification Rule and the FTC Act. The proposed order prohibits GoodRx from disclosing user health data for advertising purposes and requires payment of a $1.5 million civil penalty, 0.2% of the company's 2021 gross global revenue. This case signals an increase in the FTC's use of its unfairness author...

Privacy and neurodiversity: Helping diverse minds navigate the digital age

For better or worse, digital technologies have undeniably transformed many aspects of daily life. Experiences interacting with the digital world can be different for everyone, especially neurodiverse people. Many neurodiverse people reap its benefits by connecting with other like-minded people through online communities, accessing plentiful knowledge about topics of interest, and learning different strategies for navigating a world built around the needs of neurotypical people. At the same time,...

FTC releases updated interactive health care app compliance tool

The U.S. Federal Trade Commission released an updated Mobile Health App Interactive Tool. The application, first developed in conjunction with the HHS' Office for Civil Rights, Office of the National Coordinator for Health Information Technology, and the Food and Drug Administration, aims to help health care app developers determine if the app is compliant with federal laws and regulations. The interactive tool asks users questions about the app's functionality and the data it collects. It then ...

OCR creates new guidance for HIPAA 'recognized security practices'

The U.S. Department of Health and Human Services’ Office for Civil Rights issued new guidance for “recognized security practices” for enforcing the Health Insurance Portability and Accountability Act, InfoSecurity reports. The guidance clarifies a 2021 amendment to the Health Information Technology for Economic and Clinical Health Act of 2009 which required OCR to evaluate “regulated entities’ implementation of ‘recognized security practices’" over the prior year “when the agency makes certai...

P.S.R. 2022 keynote: Roe v. Wade reversal a 'wake-up' across privacy spectrum

More than three months have passed since the U.S. Supreme Court rendered its decision to reverse Roe v. Wade and remove the constitutional right to an abortion. Implications for individual privacy rights and data privacy stemming from the decision are clear and continue to be worked through. But simply working toward a solution won't suffice for arriving at concrete fixes, according to participants in a keynote panel at the opening general session of the IAPP Privacy. Security. Risk. 2022 confe...

Privacy and digital health data: The femtech challenge

The Dobbs v. Jackson Women's Health Supreme Court decision has raised the stakes for privacy protections of health data in the U.S. By the end of the year, the femtech market — that is, digital tools such as mobile applications related to women's health — is estimated to be a $51.6 billion global market, more than a third of the total valuation of digital health. While the repercussions of gaps in U.S. digital health data protections extend well beyond women's health, the post-Dobbs privacy conc...

Keynote: Panel on the implications of the Supreme Court's Dobbs decision (IAPP Privacy. Security. Risk. 2022)

From Austin City Limits Live at the Moody Theater, this panel analyzes how the Supreme Court’s Dobbs decision affects the long-recognized United States’ constitutional right to privacy, the concept of bodily autonomy, and the connection between privacy, liberty, and equality. Moderated by The New Yorker staff writer and “Trick Mirror” author Jia Tolentino, the panel features U.S. Department of Health and Human Services Office for Civil Rights Director Melanie Fontes Rainer, Center for Democracy & Technology President and CEO Alexandra Reeve Givens, and Jill Morrison, executive director of the Women’s Law and Public Policy Fellowship Program, and the Leadership and Advocacy for Women in Africa Program.

A view from DC: Considering what is defined as genetic data

Definitions can be messy, especially when they move from dictionaries to law books. Just look at the idea of genetic data and ponder this riddle: When is a medical test result genetic information? The National Institute of Standards and Technology definition of “genomic information” says it is limited to information based on an individual’s genome, such as a sequence of DNA or the results of genetic testing. Privacy laws broaden the scope of covered data within such a functional definition — pe...

Roe v. Wade’s overturn: The impact on data protection and law enforcement

On June 24, the U.S. Supreme Court overturned Roe v. Wade, confirming the understanding contained in the draft decision leaked in early May. Roe v. Wade is a paradigmatic decision that secured the constitutional right to abortion in the country in 1973. After 49 years, it came to an end. The recent decision allows a number of U.S. states to adopt laws criminalizing abortion in a short time. It is thought that approximately half of the U.S. states will ban or severely restrict the practice. This...

Defining health data: A major challenge for any privacy law

The draft American Data Privacy and Protection Act that is the focus of current attention raises many complex issues. I want to focus on one detail from the bill. My basic objective is to illustrate some of the difficulties of regulating health information that exists outside the health care system. The bill defines sensitive covered data to include “Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatm...

Roe v. Wade reversal sends ripples through privacy world

The U.S. Supreme Court's recent decision to overturn Roe v. Wade dealt a blow to women's rights with the constitutional right to an abortion nullified and individual state legislatures now ultimately in charge of deciding if, when and for what reason a woman is allowed to have the procedure. The 6-3 ruling from Supreme Court Justices was expected after a draft opinion leaked in May. The issue cuts largely at the heart of women's civil rights, but the privacy implications of the reversal are bei...

Commission proposal for a regulation on the European health data space

Earlier this month a draft of the proposal for the European Health Data Space Regulation was released. The EHDS is one of nine European data spaces identified in the European Commission's 2020 European Strategy for Data, and very much a priority for the commission. It builds on the Data Governance Act and the recently released proposal for the Data Act. Those acts are horizontal in nature; the EHDS Regulation would provide more specific sectoral measures in the area of health. The draft proposa...

Web Conference: Building an Effective and Strategic Healthcare Privacy Program

Original broadcast date: 19 January 2022. This web conference is an in-depth, practical discussion regarding the build out of a healthcare privacy program. Panelists describe key privacy and related laws that are relevant to global healthcare organizations, core pillars of work to consider in building out a healthcare privacy program and discuss key recommendations based on these pillars that can help to make a privacy program a competitive differentiator.

European Health Data Space: Repairing the trans-Atlantic data relationship through biotech R & D

That the trans-Atlantic data relationship needs some healing and repair is well-understood. The highly innovative biotechnology sector delivers breakthrough innovations that transform health care, promote public health and cure once incurable diseases. Perhaps a remedy to the trans-Atlantic data relationship is not beyond the sector's reach as well. Data flows between the United States and the European Union are critical for advancing biomedical research. Collaborations between researchers on b...

A public service announcement about the HIPAA Privacy Rule

HIPAA and COVID-19 have been in the news together a lot lately. Most of what you see is wrong. Here’s a refresher — for yourself, and your strange friend who read something on the internet and is now a HIPAA expert or, all too frequently, a “HIPPA” expert. First, HIPAA is not an overall health information privacy rule. The name of the statute may give some clues — the Health Insurance Portability and Accountability Act. The single “P” in the name is for portability, not privacy. Neither privac...

Pfizer CPO: 'You really feel the enormity of what we are doing'

IAPP CEO and President J. Trevor Hughes, CIPP, hosted Pfizer's Chief Privacy Officer Patrice Ettinger during the IAPP's "Profiles in Privacy" series June 17 on LinkedIn Live. The mission of multi-national biopharmaceutical company Pfizer is to deliver “breakthroughs that change patients’ lives.” Chief Privacy Officer Patrice Ettinger, CIPP/US, said she may never have understood that more than she has over the past 18 months. “In 2020, I and probably everybody else were able to relate to that i...

Web Conference: The Future of HIPAA

Original broadcast date: May 24, 2021. The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules were written in a period where health information was concentrated in the hands of traditional health care institutions such as doctors, hospitals and health plans. Almost two decades later, this is no longer the case. With revolutionary advances in technology, an increasing number and variety of organizations are generating and collecting sensitive health information largely outside the bounds of HIPAA. This panel discussed whether HIPAA is still up to the task of protecting health information. Panelists investigated the supporting principles for any legislation that might modify how health information is treated and assessed specific proposals for updating the current sector-specific framework. They also assessed the capacity of those proposals to better embrace the advantages and threats posed by recent changes to the health privacy landscape.

Web Conference: Advancing Data-Driven Health Research and Innovation Responsibly

Original broadcast date: April 7, 2021. Despite a common misconception, privacy and healthcare research (including innovation) are not polarizing forces. Join privacy experts from the life sciences and healthcare field as they discuss how data is really used in research and development. You will hear their views on bridging the perceived gap between healthcare research and privacy, and how to apply those ideas to current challenges, such as innovating responses to COVID-19. The panel will also discuss types of research, what makes data use in drug development and medtech different from other industries, effective anonymization/deidentification, lawful data use and how to build public trust within the industry.

The status quo of health data inferences

Who would have predicted a pandemic? And yet, it seems that somehow, we have learned to live with COVID-19. But have we also learned or reinforced "hidden" data-processing techniques? Always relevant, but in the last year more than ever, is the discussion on data and privacy protection. EU data protection authorities agree personal data protection must be ensured even in these exceptional times, especially when it comes to the generally prohibited processing of health data (Article 9 of the EU...

Privacy in the Wake of COVID-19

The IAPP and EY launched a research initiative to gain more insight into the unique ways privacy and data protection practices have been affected by the pandemic. The initial phase of the project included a survey of privacy professionals, taking a deeper look at how organizations, in general, and privacy programs, in particular, are handling the privacy and data protection issues that have emerged alongside COVID-19, such as privacy and security issues related to working from home, monitoring the health of employees, and sharing data with governments, researchers and public health authorities.

The Recovery Phase: The Role of Tech and Impact of COVID-19 on Privacy

Original Broadcast Date: April 2021. This LinkedIn Live is part of the IAPP Global Privacy Summit Online 2021 web series. COVID-19 has accelerated the pace of digital transformation, and we are now living in an era that has been fundamentally transformed by technology. As society begins to cautiously emerge from the pandemic and strives to bring people back together safely, technology will continue to play a central role in how we build back our economy and collectively move from a completely v...

Web Conference: The Uncertainty of OSHA & CMS Regulations – What You Need to Know Today

Original broadcast date: 30 November 2021. As OSHA and CMS released their COVID-19 vaccination regulations for businesses, with it came a great deal of uncertainty. As these regulations are challenged, evolve, and come to fruition, we want to be a source of information for you so that you can understand and comply when the time comes. In this web conference panelists will discuss what they know about the OSHA ETS and CMS regulations and how you can start preparing today.

Vaccine credential systems: Considerations for US employers

Amidst the shifting employment landscape created by COVID-19, employers requiring employees to disclose their vaccination status has become a hot — yet murky — topic rife with privacy-related risks. Vaccination requirements are expected to soon “become dominant in the workplace” due to President Joe Biden’s recent COVID-19 Action Plan. Some employers will be required to impose vaccine mandates for their employees; some will be required to ensure their employees are either vaccinated or tested we...

Technology, data, trust play key role in COVID-19 response

As the COVID-19 pandemic has unfolded over the past year, Microsoft Corporate Vice President and Deputy General Counsel Julie Brill said there has been an unparalleled digital transformation. The company’s collaboration platforms, like Microsoft Teams, saw “enormous growth” of 160% to 170%, Brill said, as those who could shifted to working online. “What that meant was we had technology much more in our lives, in terms of how we were working, how we were socializing, how we were engaging with o...

Google and Apple’s joint COVID-19 Exposure Notifications System shows privacy is important to consumers and marketers

Over the past few months, millions received the option to receive "Exposure Notifications" through Apple or Google. The technology took off: millions of individuals downloaded applications or opted in to exposure notifications. The Bluetooth Low Energy technology that powers the system, the privacy-by-design of the system and the increase in privacy-centric marketing demonstrate how the COVID-19 pandemic has increased awareness of potential privacy harms while providing a roadmap for the rollou...

COVID-19, privacy, and school recordings

At the beginning of each school year, there are many papers to be signed. I agree I have (1) read the student handbook, (2) health forms, (3) appropriate use of technology at school, (4) photos of my children for promotional purposes, and so on. Then, this year out of the blue, a new consent shows up — a consent to record classes for operational purposes — and if I don’t sign it, it will significantly impact my child’s education. Wait … what? This doesn’t sound right. What exactly are opera...

Secure health care messaging in the era of COVID-19

Business and health care data are the new “honeypot,” an attractive and lucrative source of revenue to the modern hacker. A report from IBM in July 2020 reported that the average cost of a health care breach was $7.13 million per breach, noting “compromised employee accounts were the most expensive root cause, and that 80% of these incidents resulted in the exposure of customers' personally identifiable information.” The COVID-19 pandemic has exposed how unprepared many health care providers w...

GPA COVID-19 Response Task Force aims to protect data subjects 'now more than ever'

While the COVID-19 pandemic has necessitated using data to analyze and map its origins and spread, Philippines National Privacy Commissioner and Chairman Raymund Liboro said “our data subjects need us now more than ever.” During the pandemic, data privacy professionals play an important role in protecting data, fostering privacy rights, and earning and maintaining the trust of those they serve, Liboro recently told fellow privacy commissioners, privacy officers in the corporate sector and membe...

Infographic: COVID-19 Testing and Health Monitoring

Published: April 2020 (PDF). The IAPP created an infographic outlining the privacy-related questions surrounding COVID-19 testing and health monitoring. As economies reopen, the scope and scale of health data collection, use and sharing will only increase. Employers and businesses are conducting testing, temperature checks and health screenings. This data collection raises novel privacy issues because of its scale, the non-traditional methods and reasons for its collection, and th...

Additional News and Resources

Filling the void? The 2023 state privacy laws and consumer health data

Over decades, observers have witnessed the emergence of a void within U.S. privacy law with respect to the protection of health information. Due to limitations in the scope of the Health Insurance Portability and Accountability Act, a broad array of health data, such as that collected by mobile devices, apps or wearable fitness trackers, has remained mostly outside the law’s reach. Indeed, privacy expert James Dempsey has even estimated "the majority of health-related data" may fall outside of H...

Flo’s Khan: Building a better future for female health is a 'privilege'

When her parents' careers as doctors took her family to Saudi Arabia when she was 5 years old, Sue Khan would join her mom during her work as a general practitioner — watching as patients, especially women from neighboring Yemen, would seek treatment without understanding their bodies. "It was not uncommon for women to seek treatment for pain related to their periods or even pregnancy without knowing much about their reproductive health. It became apparent to me at a young age how important cle...