How does HIPAA cover patient data?

HIPAA is the primary governance framework for managing health data privacy in the United States and continues to be the legal standard for safeguarding sharing and use of sensitive patient data. This section describes some of the basics of HIPAA.

  • Covered Entities include qualified healthcare providers, healthcare clearinghouses, and health plans. Covered entities may include employer sponsored health plans, health maintenance organizations (HMOs), or government sponsored health plans like Medicare and Medicaid.
  • Business associates include persons or businesses that perform certain functions on behalf of a covered entity, or provide services to a covered entity that involves the use or disclosure of a patient’s PHI. Business associates may include third party claims processors, attorneys for a healthcare provider, or consultants.

While HIPAA and a patchwork of other laws seek to safeguard the privacy of personal health information, they only protect data collected by healthcare providers, healthcare plans, and healthcare clearinghouses. As a result they are not well designed to handle the many other kinds of health data produced and collected today including data collected by fitness trackers, genetic analyses, or other commercial processes and devices.

Depending on the entity, HIPAA may not cover:

  • Genomic Data: The rapid rise of genomic data in personalized healthcare decision-making has been enabled by companies like 23andme, Ancestry.com, and MyHeritage. More widespread clinical genomics testing has also increased the availability of genetic data and the NIH now allows for researchers to share de-identified clinical genomic data through secure databases and carefully regulates that data. However, privately held genetic data remains an issue. The largest four genomics companies alone had received DNA samples from more than 26 million consumers as of January 2019. Much of this data falls outside of the purview of HIPAA and is not regulated by research-driven data use arrangements that place limits on how clinical data is used and disclosed. The NIH has advanced several new measures to protect the privacy of patients in research instances, such as Certificates of Confidentiality. Despite that, there are specific risks with disclosure and confusion over the value of genomic data use and value.
  • Consumer-Generated Data: Consumer-generated data is health-related data collected from products and devices used by consumers, including data from the Internet of Things, and social media data. Consumer-generated data may fall outside of the purview of HIPAA if it is collected by technology companies that are not covered entities, are not “business associates” of covered entities, and are not subject to clear guidelines from the FTC. Consumer-Generated data often lacks data minimization, may include location data, and may be managed by technology companies that are not HIPAA-certified.
  • Social Determinants of Health Data: The social determinants of health (SDOH), including income, education, and housing, are a promising area of population data attracting increased interest from researchers, providers, and patients. For example, some research suggests that a person’s ZIP code is actually more predictive of adverse health outcomes than that person’s genetic code. Despite their value, the social determinants of health represent data points that are indirectly related to a person’s health and therefore fall outside of HIPAA. For example, while a person’s access to credit may be a major indicator of their ability to receive healthcare, this piece of information does not contain PII as defined by HIPAA. SDOH data may be used to redline or profile communities that are high risk.

See the “Data in Need of Special Protection” section of this website for more information about the specific risks posed by specific types of data. 

On January 31, 2020, HHS Secretary Alex Azar declared a public health emergency under Section 319 of the Public Health Service Act which granted him permissions to adjust select HIPAA requirements. Although HIPAA’s Privacy Rule cannot be suspended during this public health emergency, certain provisions within HIPAA may be temporarily waived. This is part of the Project Bioshield Act of 2004, which establishes HHS authority during public health threats, and section 1135(b)(7) of the Social Security Act, which allows for provisions, like program preapproval or participation requirements, to be waived. In a March 2020 memo, HHS Secretary Azar waived the following provisions:

  • Families Can Now Make Decisions About Loved Ones. HHS has granted a patient’s family members the option of reviewing that patient’s PHI or other relevant healthcare information from a physician or caregiver directly without that patient’s explicit consent.
  • Hospital Patient Directories.In order to improve data sharing and information about patients who may have COVID-19, patients may no longer exclude themselves from hospital directories. This ensures that all hospitals are reporting up to date directories of patient data to the authorities.
  • Suspending the Right to Notice of Privacy Practices. HHS has temporarily suspended  individual’s Right to Notice of Privacy Practices that requires patients to receive “adequate notice of the uses and disclosures of protected health information that may be made by the covered entity” according to HIPAA’s 45 CFR 164.520. Covered entities no longer have the legal obligation to inform the patient of these practices.
  • Patient Right to Request Privacy Restrictions. Provisions exist that allow patients to restrict the “uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations”, among other restrictions. This waiver enables covered entities to use patient data for purposes granted in HIPAA.
  • Patient Right to Request Confidential Communications. Under HIPAA, patients are able to make requests to receive communications of their PHI in alternative locations or through alternative means. This waiver restricts that option so patients may not make special requests of their PHI.

HIPAA outlines strategies to manage de-identification of sensitive PHI and sets technical requirements for covered entities that manage PHI. To ensure proper de-identification of data, HIPAA mandates that all entities that share PHI either utilize “Safe Harbor” guidelines or follow “expert determination” to remove Personally Identifiable Information (PII) from a patient’s PHI. HIPAA’s Safe Harbor outlines a comprehensive list of variables that must be removed from a person’s PHI including address, medical record numbers, email addresses, and other PII. Expert determination involves convening a panel of experts with statistical and scientific knowledge to evaluate the risks of re-identification from a person’s PHI. Moreover, HIPAA’s technical requirements ensure that covered entities institute protective measures and safeguards for their data management systems to prevent security breaches and other possible threats.

What can be improved?

  • High Costs and Challenges with HITECH Compliance. The Health Information Technology for Economic and Clinical Health Act (HITECH), passed in 2009, enforces the HIPAA Privacy Rule by mandating compliance audits of covered healthcare providers, clearinghouses, and plans. These audits evaluate a covered entity’s compliance with HIPAA, focusing on security risks, assets and devices, physical environment, and policies and practices that ensure patients can access their own data safely. These organizational-focused policies can cost thousands of dollars to implement and create barriers to entry for small companies working to manage sensitive PHI.
  • Lack of Oversight for Non-Covered Entities. The lack of oversight for non-HIPAA entities leaves many organizations and companies that manage and use health data outside of the rules for de-identification and technical protections. For example, many workplace wellness programs (on-site employee focused fitness and nutrition programs) offered outside of health plans may not fall into the covered entities category for HIPAA. For more information on how HIPAA governs workplace wellness programs, visit the HIPAA website.

HIPAA’s Right of Access ensures that patients may access their PHI from covered entities at any time. The Right of Access specifically states that a patient has the right to inspect or obtain a copy of their PHI in a designated record set. A designated record set is a group of health records that includes the medical and billing records about a patient, the enrollment, payment, claims adjudication, case or medical management record systems maintained by or for a health plan, and a set of records used to make decisions about a patient. The Right of Access is critical to patient advocacy groups and healthcare companies that rely on the right of access to ensure effective treatment plans for patients and members of healthcare plans.

What can be improved?

  • Patients Can’t Always Access Their Data from Covered Entities. Although the Right of Access provides legal access to a patient’s PHI, this rule is not always followed by covered entities. A 2018 assessment of US Hospital compliance with regulations for patients’ access to their PHI found that nearly half of the 83 hospitals in the study did not comply with the patient’s request to obtain their medical records.
  • Patients lack access to data created through their smartphone and other devices. Health data is increasingly generated from an individual’s smartphone, wearable, or voice assistant. These devices are manufactured by companies that do not fall under FDA or HIPAA guidelines. Patients may face difficulties in accessing this data since company privacy policies do not need to comply with HIPAA’s Right of Access.
  • Researchers and patients alike face challenges with merging data. As the volume and variety of health data increases, consumers, companies, and providers are increasingly seeking to merge and aggregate data from different sources. This data may come from HIPAA-covered entities in the form of EHRs or claims data as well as from entities that are not covered by HIPAA in the form of social determinants or genomics data from home kits. The Security Rule dictates that data outside of HIPAA, such as housing or nutrition data, becomes subject to HIPAA rules when a HIPAA covered entity obtains it. But this rule is often unclear to patients, especially when social determinant data is gathered at the population rather than clinical level. This same issue applies to researchers that gather data from companies like Facebook or Google.

Covered entities are allowed to release data for routine reasons like treatment, payment, and healthcare operations. Under the Right to an Accounting of Disclosures section of HIPAA, patients are entitled to request information about when and why their healthcare records were shared for permitted purposes. Patients have more control over how their data is used for marketing communications, research, and other purposes. In these cases, covered entities must  receive written consent from patients before sharing data. Additionally, HIPAA aims to ensure that research subjects must grant informed consent for use of their data and be aware of how their health data will be used. Programs like the HHS All of Us Research program and the Million Veteran Program of the Department of Veterans Affairs are precision medicine initiatives that rely strongly on a patient’s willingness to provide their data for research purposes.

What can be improved?

  • Patients are limited in what they can disclose. The HITECH requirement to include Treatment, Payment, and Healthcare Operations (TPO) in the Accounting of Disclosures section of HIPAA has not been implemented yet by the OCR. As a result, patients are not able to see when covered entities may have used sensitive patient PHI for one of these specific uses.
  • Current definitions of Research are unclear. HIPAA defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” Federal regulation 45 CFR Part 46 provides the framework for informed consent as an ethical principle of human subjects research. However, research is being increasingly carried out in settings that generate data outside the rules required of HIPAA-covered entities. Pharmaceutical clinical trials data, for example, falls outside of HIPAA and may not be appropriately regulated.
  • Lack of consistent opt-in rules for patients. Varying types of sensitive health data, such as mental health or drug addiction information, has created a fragmented approach to what data is shareable and what data is protected. Moreover, patient opt-in and opt-out rules vary widely by state and across healthcare providers for health information exchange. For example, Florida, Nevada, California, New York, Vermont, Rhode Island, and Massachusetts maintain opt-in policies that require patient consent to share data with a qualified Health Information Exchange, but many other states have no such policies.
  • Patients can be confused by Terms of Service Agreements. Health-related data that is managed by an entity not covered by HIPAA is often subject to that company’s privacy policy and terms of service agreements. These agreements can be overly complex or obscure how the company plans to use a patient’s data. Many companies continue to use complex or misleading provisions in their End User License Agreements (EULAs) such as changing the terms of conditions without notification or failing to describe how their product will monitor individuals

As written and implemented, HIPAA aims to reduce discrimination where possible and minimize the amount of data collected by covered entities. This “Privacy by Design” approach encourages organizations to think about the possible adverse effects of using sensitive data during the initial design phases of a health-related application or program. HIPAA has effective non-discrimination measures, minimizes the amount of patient data gathered, and requires regular privacy impact assessments. These three measures are critical to encouraging the appropriate use of data.

What can be improved?

  • HIPAA should regulate how de-identified data can be used and disclosed.There is the growing possibility that deidentified data, when combined with other big data (such as retail purchases or location information), could be employed by insurance companies to restrict coverage or raise premiums for certain communities. Additionally, the risk of re-identification suggests that de-identified data shared with third parties could be used to discriminate against individuals.
  • HIPAA does not govern entities that gather and share consumer-generated data. An exercise tracker handed out by your doctor or health insurance company is governed by HIPAA, but when you buy it in a department store, HIPAA does not apply. The FTC has taken a more active role in safeguarding consumer-generated health data through its health breach notification rule. Despite this advancement, the rule applies only during breaches and primarily to vendors of personal health records or related entities rather than companies that manage health-related mobile applications and wearables.
  • HIPAA has unclear definitions of incidental and secondary use. HIPAA permits certain incidental uses and disclosures that may occur as a by-product of another, permissible use of data. They are allowed as long as the covered entity has instituted a reasonable set of technical, administrative, and physical safeguards. However, poor definitions of incidental and secondary use can create confusion and hinder accountability for inappropriate uses of health data.