HIPAA is the primary governance framework for managing health data privacy in the United States and continues to be the legal standard for safeguarding sharing and use of sensitive patient data. This section describes some of the basics of HIPAA.
What is HIPAA?
The primary governance framework to manage the privacy of U.S. healthcare data is The Health Insurance Portability and Accountability Act (HIPAA). HIPAA, which was passed in 1996 was designed to create a federal floor for the privacy and security of personal health information, which HIPAA defines as data that “includes the individual’s past, present, or future mental or physical condition, the provision of healthcare to an individual, and any past, present, or future payment for the provision of healthcare to the individual.”
HIPAA sets the standards for how entities covered by the law must transmit personal health information, which includes claims, enrollment, eligibility, payment, and coordination of benefits. The law defines “covered entitiesThe HIPAA privacy rule only applies to a select group of health-related organizations including health plans, health care clearinghouses, and certain health care providers. Health ... More” as qualified healthcare providers, healthcare clearinghouses, and health plans. HIPAA also requires covered entities to have clear contractual arrangements with any “business associatesA “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or p...” that manage their data to ensure that they follow HIPAA’s rules. Business Associates are contractors that help perform certain functions in the healthcare system, and are defined in the later sections of this Q&A. The key provisions of HIPAA, such as the security and privacy rules, are enforced by the HHS Office of Civil Rights (OCR), which can administer financial penalties for rule violations.
- The HIPAA Privacy RuleThe Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the HIPAA Pri...: Sets standards for individually identifiable health informationInformation that relates to: an individual’s physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for t... More and defines when and how use and disclosure of PHI is permitted. Those broad instances include release of data on behalf of the individual,
- for healthcare treatment or payment or operations giving an individual rights to their data. For example, a provider may use a patient’s data to improve its operations through assessment of quality of care and care coordination.
- to give the individual an opportunity to agree to or correct the data (in the case that a patient may want to amend or change a specific dimension of their EHR),
- for the public interest and benefit, and for limited research, public health, or health care operations purposes.
- The HIPAA Security RuleThe Security Rule establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule oper...: Focuses on safeguarding electronic PHI (EPHI). It requires healthcare providers that create, receive, maintain, and transmit EPHI to institute measures to protect it from anticipated threats, hazards, and impermissible uses. The rule aims to ensure the confidentiality, integrity, and availability of EPHI.
What entities are covered by HIPAA?
- Covered Entities include qualified healthcare providers, healthcare clearinghouses, and health plans. Covered entities may include employer sponsored health plans, health maintenance organizations (HMOs), or government sponsored health plans like MedicareMedicare is the federal health insurance program for: people who are 65 or older, certain younger people with disabilities, people with End-Stage Renal Disease (permanent kidney fa... More and MedicaidMedicaid is a joint federal and state program that, together with the Children’s Health Insurance Program (CHIP), provides health coverage to over 72.5 million Americans, includi... More.
- Business associates include persons or businesses that perform certain functions on behalf of a covered entity, or provide services to a covered entity that involves the use or disclosure of a patient’s PHI. Business associates may include third party claims processors, attorneys for a healthcare provider, or consultants.
What data is covered by HIPAA?
While HIPAA and a patchwork of other laws seek to safeguard the privacy of personal health information, they only protect data collected by healthcare providers, healthcare plans, and healthcare clearinghouses. As a result they are not well designed to handle the many other kinds of health data produced and collected today including data collected by fitness trackers, genetic analyses, or other commercial processes and devices.
Depending on the entity, HIPAA may not cover:
- Genomic Data: The rapid rise of genomic data in personalized healthcare decision-making has been enabled by companies like 23andme, Ancestry.com, and MyHeritage. More widespread clinical genomicsGenomics is a more recent term that describes the study of all of a person's genes (the genome), including interactions of those genes with each other and with the person's environ... testing has also increased the availability of genetic data and the NIH now allows for researchers to share de-identifiedA record in which identifying information is removed. Under the HIPAA Privacy Rule, data are de-identified if either: an experienced expert determines that the risk that certain in... More clinical genomic data through secure databases and carefully regulates that data. However, privately held genetic data remains an issue. The largest four genomics companies alone had received DNA samples from more than 26 million consumers as of January 2019. Much of this data falls outside of the purview of HIPAA and is not regulated by research-driven data use arrangements that place limits on how clinical data is used and disclosed. The NIH has advanced several new measures to protect the privacy of patients in research instances, such as Certificates of Confidentiality. Despite that, there are specific risks with disclosure and confusion over the value of genomic data use and value.
- Consumer-Generated Data: Consumer-generated data is health-related data collected from products and devices used by consumers, including data from the Internet of Things, and social media data. Consumer-generated data may fall outside of the purview of HIPAA if it is collected by technology companies that are not covered entities, are not “business associates” of covered entities, and are not subject to clear guidelines from the FTC. Consumer-Generated data often lacks data minimizationthe goal of using the minimal amount of data for a particular purpose, may include location data, and may be managed by technology companies that are not HIPAA-certified.
- Social Determinants of Health"the conditions in which people are born, grow, live, work and age that shape health. Social determinants of health include factors like socioeconomic status, education, neighborho... More Data: The social determinants of health (SDOH), including income, education, and housing, are a promising area of population data attracting increased interest from researchers, providers, and patients. For example, some research suggests that a person’s ZIP code is actually more predictive of adverse health outcomes than that person’s genetic code. Despite their value, the social determinants of health represent data points that are indirectly related to a person’s health and therefore fall outside of HIPAA. For example, while a person’s access to credit may be a major indicator of their ability to receive healthcare, this piece of information does not contain PII as defined by HIPAA. SDOH data may be used to redline or profile communities that are high risk.
See the “Data in Need of Special Protection” section of this website for more information about the specific risks posed by specific types of data.
How has COVID-19 changed key provisions of HIPAA?
On January 31, 2020, HHS Secretary Alex Azar declared a public health emergency under Section 319 of the Public Health Service Act which granted him permissions to adjust select HIPAA requirements. Although HIPAA’s Privacy Rule cannot be suspended during this public health emergency, certain provisions within HIPAA may be temporarily waived. This is part of the Project Bioshield Act of 2004, which establishes HHS authority during public health threats, and section 1135(b)(7) of the Social Security Act, which allows for provisions, like program preapproval or participation requirements, to be waived. In a March 2020 memo, HHS Secretary Azar waived the following provisions:
- Families Can Now Make Decisions About Loved Ones. HHS has granted a patient’s family members the option of reviewing that patient’s PHI or other relevant healthcare information from a physician or caregiver directly without that patient’s explicit consent.
- Hospital Patient Directories.In order to improve data sharing and information about patients who may have COVID-19, patients may no longer exclude themselves from hospital directories. This ensures that all hospitals are reporting up to date directories of patient data to the authorities.
- Suspending the Right to Notice of Privacy Practices. HHS has temporarily suspended individual’s Right to Notice of Privacy Practices that requires patients to receive “adequate notice of the uses and disclosures of protected health information that may be made by the covered entity” according to HIPAA’s 45 CFR 164.520. Covered entities no longer have the legal obligation to inform the patient of these practices.
- Patient Right to Request Privacy Restrictions. Provisions exist that allow patients to restrict the “uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations”, among other restrictions. This waiver enables covered entities to use patient data for purposes granted in HIPAA.
- Patient Right to Request Confidential Communications. Under HIPAA, patients are able to make requests to receive communications of their PHI in alternative locations or through alternative means. This waiver restricts that option so patients may not make special requests of their PHI.
How does HIPAA provide technical protections and anonymization for sensitive Health Data?
HIPAA outlines strategies to manage de-identification of sensitive PHI and sets technical requirements for covered entities that manage PHI. To ensure proper de-identification of data, HIPAA mandates that all entities that share PHI either utilize “Safe Harbor” guidelines or follow “expert determination” to remove Personally Identifiable Information"information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or lin... More (PII) from a patient’s PHI. HIPAA’s Safe Harbor outlines a comprehensive list of variables that must be removed from a person’s PHI including address, medical record numbers, email addresses, and other PII. Expert determination involves convening a panel of experts with statistical and scientific knowledge to evaluate the risks of re-identificationRe-identification is the process by which anonymized personal data is matched with its true owner. In order to protect the privacy interests of consumers, personal identifiers, suc... More from a person’s PHI. Moreover, HIPAA’s technical requirements ensure that covered entities institute protective measures and safeguards for their data management systems to prevent security breaches and other possible threats.
What can be improved?
- High Costs and Challenges with HITECHThe Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on Febru... Compliance. The Health Information Technology for Economic and Clinical Health Act (HITECH), passed in 2009, enforces the HIPAA Privacy Rule by mandating compliance audits of covered healthcare providers, clearinghouses, and plans. These audits evaluate a covered entity’s compliance with HIPAA, focusing on security risks, assets and devices, physical environment, and policies and practices that ensure patients can access their own data safely. These organizational-focused policies can cost thousands of dollars to implement and create barriers to entry for small companies working to manage sensitive PHI.
- Lack of Oversight for Non-Covered Entities. The lack of oversight for non-HIPAA entities leaves many organizations and companies that manage and use health data outside of the rules for de-identification and technical protections. For example, many workplace wellness programs (on-site employee focused fitness and nutrition programs) offered outside of health plans may not fall into the covered entities category for HIPAA. For more information on how HIPAA governs workplace wellness programs, visit the HIPAA website.
How do patients access their data under HIPAA?
HIPAA’s Right of Access ensures that patients may access their PHI from covered entities at any time. The Right of Access specifically states that a patient has the right to inspect or obtain a copy of their PHI in a designated record setA “designated record set” are records maintained by or for a covered entity and consist of: Medical records and billing records about individuals; Enrollment, payment, claims a... More. A designated record set is a group of health records that includes the medical and billing records about a patient, the enrollment, payment, claims adjudication, case or medical management record systems maintained by or for a health plan, and a set of records used to make decisions about a patient. The Right of Access is critical to patient advocacy groups and healthcare companies that rely on the right of access to ensure effective treatment plans for patients and members of healthcare plans.
What can be improved?
- Patients Can’t Always Access Their Data from Covered Entities. Although the Right of Access provides legal access to a patient’s PHI, this rule is not always followed by covered entities. A 2018 assessment of US Hospital compliance with regulations for patients’ access to their PHI found that nearly half of the 83 hospitals in the study did not comply with the patient’s request to obtain their medical records.
- Patients lack access to data created through their smartphone and other devices. Health data is increasingly generated from an individual’s smartphone, wearable, or voice assistant. These devices are manufactured by companies that do not fall under FDA or HIPAA guidelines. Patients may face difficulties in accessing this data since company privacy policies do not need to comply with HIPAA’s Right of Access.
- Researchers and patients alike face challenges with merging data. As the volume and variety of health data increases, consumers, companies, and providers are increasingly seeking to merge and aggregate data from different sources. This data may come from HIPAA-covered entities in the form of EHRs or claims data as well as from entities that are not covered by HIPAA in the form of social determinants or genomics data from home kits. The Security Rule dictates that data outside of HIPAA, such as housing or nutrition data, becomes subject to HIPAA rules when a HIPAA covered entity obtains it. But this rule is often unclear to patients, especially when social determinant data is gathered at the population rather than clinical level. This same issue applies to researchers that gather data from companies like Facebook or Google.
How can patients consent to share their data?
Covered entities are allowed to release data for routine reasons like treatment, payment, and healthcare operations. Under the Right to an Accounting of Disclosures section of HIPAA, patients are entitled to request information about when and why their healthcare records were shared for permitted purposes. Patients have more control over how their data is used for marketing communications, research, and other purposes. In these cases, covered entities must receive written consent from patients before sharing data. Additionally, HIPAA aims to ensure that research subjects must grant informed consent for use of their data and be aware of how their health data will be used. Programs like the HHS All of Us Research program and the Million Veteran Program of the Department of Veterans Affairs are precision medicineMedical care designed to optimize efficiency or therapeutic benefit for particular groups of patients, especially by using genetic or molecular profiling. - Oxford English Dictiona... More initiatives that rely strongly on a patient’s willingness to provide their data for research purposes.
What can be improved?
- Patients are limited in what they can disclose. The HITECH requirement to include Treatment, Payment, and Healthcare Operations (TPO) in the Accounting of Disclosures section of HIPAA has not been implemented yet by the OCR. As a result, patients are not able to see when covered entities may have used sensitive patient PHI for one of these specific uses.
- Current definitions of Research are unclear. HIPAA defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” Federal regulation 45 CFR Part 46 provides the framework for informed consent as an ethical principle of human subjects research. However, research is being increasingly carried out in settings that generate data outside the rules required of HIPAA-covered entities. Pharmaceutical clinical trials data, for example, falls outside of HIPAA and may not be appropriately regulated.
- Lack of consistent opt-in rules for patients. Varying types of sensitive health data, such as mental health or drug addiction information, has created a fragmented approach to what data is shareable and what data is protected. Moreover, patient opt-in and opt-out rules vary widely by state and across healthcare providers for health information exchange. For example, Florida, Nevada, California, New York, Vermont, Rhode Island, and Massachusetts maintain opt-in policies that require patient consent to share data with a qualified Health Information Exchange, but many other states have no such policies.
How does HIPAA protect the appropriate use of data?
As written and implemented, HIPAA aims to reduce discrimination where possible and minimize the amount of data collected by covered entities. This “Privacy by Design” approach encourages organizations to think about the possible adverse effects of using sensitive data during the initial design phases of a health-related application or program. HIPAA has effective non-discrimination measures, minimizes the amount of patient data gathered, and requires regular privacy impact assessments. These three measures are critical to encouraging the appropriate use of data.
What can be improved?
- HIPAA should regulate how de-identified data can be used and disclosed.There is the growing possibility that deidentified data, when combined with other big data (such as retail purchases or location information), could be employed by insurance companies to restrict coverage or raise premiums for certain communities. Additionally, the risk of re-identification suggests that de-identified data shared with third parties could be used to discriminate against individuals.
- HIPAA does not govern entities that gather and share consumer-generated data. An exercise tracker handed out by your doctor or health insurance company is governed by HIPAA, but when you buy it in a department store, HIPAA does not apply. The FTC has taken a more active role in safeguarding consumer-generated health data through its health breach notification rule. Despite this advancement, the rule applies only during breaches and primarily to vendors of personal health records or related entities rather than companies that manage health-related mobile applications and wearables.
- HIPAA has unclear definitions of incidental and secondary use. HIPAA permits certain incidental uses and disclosures that may occur as a by-product of another, permissible use of data. They are allowed as long as the covered entity has instituted a reasonable set of technical, administrative, and physical safeguards. However, poor definitions of incidental and secondary use can create confusion and hinder accountability for inappropriate uses of health data.