Recommendations and Solutions for Policymakers Looking to Address Health Data Privacy

There are a number of shortcomings in health data governance, particularly around privacy. The following recommendations for policymakers reflect suggestions made by participants at a Roundtable on Balancing Privacy With Health Data Access hosted by HHS and CODE and further research by CODE and additional input from key stakeholders. These recommendations do not represent a consensus of Roundtable attendees. They fall into three categories: supporting and enforcing existing regulations, regulating data that is not covered by HIPAA, and empowering patients through new tools and resources.

What interventions would be helpful to update HIPAA?

While HIPAA and other existing regulations have some limitations, they provide a framework that is familiar to healthcare providers and can be applied more broadly. Several measures for supporting and enforcing the provisions that HIPAA already includes were proposed at the HHS/CODE Roundtable.

Educating Stakeholders and Enforcing the HIPAA Right of Access

The Right of Access is an important tool to empower patients to access a variety of PHI safeguarded under HIPAA. The Office of Civil Rights (OCR) is currently responsible for enforcing this rule and ensuring that providers and payers comply when patients request this data. Despite the Right of Access, many patients are denied access to their data or remain unaware that they are allowed to request it from providers.

  • Solution: Increase OCR enforcement of the HIPAA Right of Access and better monitor compliance.
  • Impact: Increased patient awareness of the ability to access their data, enhancing medical transparency and potentially improving treatment and self-care.
  • Resources Needed: Additional government spending on awareness campaigns, increased staffing, and a new capacity for public tracking on the OCR website.
  • Stakeholders: HHS, particularly the OCR, patient advocates, patients, vendors/developers, researchers, providers, and civil society organizations
  • Policy Changes: Enforce existing policy to maximize patients’ awareness of their rights.
  • Immediate Actions:
    • Dedicate OCR staff to manage a widespread patient awareness campaign using Public Service Announcements (PSAs) to increase knowledge of the Right of Access.
    • Direct OCR to conduct outreach to payers and providers about their compliance responsibilities.
  • Long-Term Goals: Fulfill the promise of the law from the consumer perspective through empowerment, education, and enforcement.

Regulating Business Associate Compliance

The passage of the HITECH Act required that *business associates* comply with the security and privacy rules of HIPAA just like covered clearinghouses, providers, and payers. Despite this advancement, these business associates are not directly regulated: the covered entities they work with are responsible for ensuring that their business associates follow the rules. HIPAA should be amended to require direct monitoring and enforcement of business associates, to ensure that these business associates adhere to the standards of data de-identification, limited data collection, and the range of accepted and incidental data uses.

  • Solution: Directly monitor business associate adherence to the privacy and security rules.
  • Impact: Increased compliance with HIPAA security and privacy rules, especially for third-party data contractors.
  • Resources Needed: Additional resources for upholding HIPAA’s mandate; special guidance and support for business associates navigating new requirements.
  • Stakeholders: HHS, particularly the OCR; experts in privacy law; business associates such as third-party health plan administrators, accounting firms, and consultants.
  • Policy Changes: HIPAA, the HITECH Act, and related regulations may need to be amended to include business associates, or HHS may determine that the ability to regulate business associates falls under existing authority.
  • Immediate Actions:
    • HHS or another interested party should convene privacy experts who can provide input on challenges and opportunities for implementation.
    • Next steps may include drafting legislation or rule changes, depending on the judgment of HHS informed by privacy experts.
    • Increase HHS staff resources for implementation.
  • Long-Term Goals: Ensure that business associates face the same level of regulation when they manage a patient’s PHI as covered entities do.

Improving HIPAA-Compliant Data Containers for Startups

HIPAA sets a high standard for covered entities that gather data with PHI, and the costs of HIPAA compliance can be prohibitive for small and medium-sized businesses. Just obtaining the HITRUST certification to confirm compliance can cost tens of thousands of dollars. As one solution to help companies avoid these high startup costs, CMS has established a Virtual Research Data Center (VRDC) to provide a secure portal for efficiently using de-identified CMS data that is approved for wider use. This “containerized” approach creates a HIPAA-compliant virtual sandbox where small companies can submit and run their applications on the portal without ever having to download the data in ways that would require them to be HIPAA-compliant.

  • Solution: Continue to build the CMS VRDC and develop similar data “containers” for other sensitive HHS data.
  • Impact: Ensures patient privacy with a moderated virtual portal and expands access for researchers to de-identified PHI.
  • Resources Needed: Funding to update the current cloud infrastructure and hire staff to manage access to sensitive PHI
  • Stakeholders: CMS, OCR, and potentially other operating divisions in HHS; private companies like Amazon and Google that provide cloud services
  • Policy Changes: To be determined; may not be necessary
  • Immediate Actions:
    • Find partners to help expand the CMS VRDC and build other similar resources
    • HHS CTO to release a Request for Information, which may be followed by a Request for Proposals to pilot potential portals
  • Long-Term Goals: Pilot and scale selected proposals for large-scale adoption.

Regulating Data Not Covered by HIPAA

Despite the various improvements that can be made to HIPAA, a wide range of PHI data still falls outside its purview. Technology companies that manufacture and sell fitness wearables, mobile applications, and home assistants are not considered “covered entities” under HIPAA. Moreover, despite its increasing use, especially to help model disease outbreaks like COVID-19, data on the Social Determinants of Health is also not regulated by HIPAA. These recommendations outline strategies for HHS and other partners to extend the kinds of protections provided by HIPAA to other data types.

Adopting Legislative Oversight of Non-Covered Entities

Throughout the Roundtable series, stakeholders from across the government, private sector, and civil society noted that there is currently no federal oversight of consumer-generated health data. Experts have stated that this problem should not be left to industry self-regulation. Rather, they suggested that the House and Senate should pass comprehensive legislation to properly regulate the appropriate use of patient-generated data. There have been some proposed pieces of legislation (see Current Legislation Governing Health Data Privacy), including the Protecting Personal Health Data Act introduced by Senators Murkowski and Klobuchar, which would create a comprehensive set of policies to regulate the use and sharing of consumer-generated health data.

  • Solution: Have Congress pass legislation to regulate consumer-generated health data.
  • Impact: Adopt uniform standards for consumer-generated data and ensure that de-identification, consent, and sharing rules are adopted. Protect individual privacy across new types of PHI.
  • Resources Needed: Additional funds for staff resources in the FTC, FDA, HHS, or other federal agencies as determined by legislation
  • Stakeholders: FTC, HHS, Congress, patient and consumer advocates
  • Policy Changes: New policies to be established by new legislation
  • Immediate Actions:
    • Provide expert input from HHS and stakeholders, as appropriate, in hearings on proposed legislation
    • HHS and stakeholders to participate in expert task force (which may be required by legislation) on specific actions to address privacy of consumer-generated data
  • Long-Term Goals: Create a flexible and effective legal framework to protect and regulate consumer-generated data.

Informing Consumers About Ethical Guidelines for Consumer-Generated Data

Even with legislation in place, the private sector will need to coordinate its efforts to adopt best practices for preventing individual discrimination or group harm from misuse of health data. Companies should collaborate to produce a set of ethical guidelines that govern the use of patient-generated data. This framework could build on existing models such as the Future of Privacy Forum, Consumer Technology Association, or the CARIN Alliance. For example, the MITRE Framework for the Use of Consumer-Generated Data in Healthcare outlines a set of Principles, Values, and Guidelines for companies using consumer generated data. Moreover, companies should inform their consumers about these guidelines and publicly commit to following them.

  • Solution: Develop industry-wide ethical guidelines and best practices for managing consumer-generated health data.
  • Impact: Increased consumer trust and reduced risk of harm.
  • Resources Needed: Resources for industry-wide convenings and working groups to develop best practices for managing consumer-generated health data
  • Stakeholders: Healthcare providers, private technology companies, FTC, HHS, and civil society groups such as the CARIN Alliance and MITRE
  • Policy Changes: None required.
  • Immediate Actions:
    • HHS can convene a working group of companies collecting consumer-generated data to identify guidelines and best practices needed to minimize harm.
    • Work to streamline and improve user agreements for consumer literacy.
    • Draft an initial set of guidelines based on both consumer and industry feedback.
    • Adopt an awareness strategy to inform consumers of these changes.
  • Long-Term Goals: Create a flexible overview of guidelines that can be iterative and change as new forms of consumer-generated health data become prevalent.

Increasing Legally Protected Access to Social Determinants of Health Data

The social determinants of health have emerged as a key priority for health providers across the country. But data on determinants like economic stability and education can be difficult to access, and when it is available, it falls outside of the purview of HIPAA. As SDOH continues to play a major role for federal healthcare policies and creating community-level public goods, there is an equal need to address privacy issues in that data. This solution seeks to increase access to SDOH data while simultaneously providing legal protections needed to prevent discrimination based on the SDOH.

  • Solution: Identify ways to increase access and use of data on social determinants of health and establish protections to prevent its misuse.
  • Impact: Increased benefits from the use of SDOH data with appropriate safeguards to reduce the risk of harm.
  • Resources Needed: Funding to create innovative ways to access and use data (e.g. sandboxes); funding for legal analysis of ways to mitigate risks of data misuse
  • Stakeholders: SDOH stakeholders (e.g. housing, transportation and education agencies), community members, private sector
  • Policy Changes: Adopting federal levers to incentivize analysis and collection of SDOH data
  • Immediate Actions:
    • Convene different sectors relevant to SDOH such as social services, community representatives, housing experts, and others
    • Identify the low-hanging fruit of easily accessible data versus more difficult data
    • Develop engagement and feedback loops between government, private sector, and local communities for use of SDOH data
  • Long-Term Goals: Establish and define SDOH and create a repository of approved SDOH data for public use.

Empowering Patients Through New Tools and Resources

Whatever regulations and protections are established, individual patients will need to be informed and involved in the management of their own data to ensure that it is used in ways they approve of. Roundtable participants suggested two paths to this kind of patient engagement.

Applying Technological Innovations to Improve Consent and Data Sharing

Patients face confusing choices if they are interested in granting informed consent for the use of their personal health data. Technology platforms may provide new methods for creating “dynamic consent”, whereby patients electronically “control consent through time and receive information about the uses of their data.” This approach could provide a transparent, flexible, and user-friendly means to make more data available for use in a way that patients can trust. The spread of smartphones and other mobile devices enables greater user control over their records and the ability to quickly update their consent preferences. This could apply to End User License Agreements (EULAs) and Terms of Service agreements as well.

  • Solution: Use technology to create a better, more dynamic system for informed consent and a spectrum of user preferences rather than a binary opt-in and opt-out.
  • Impact: Facilitates data sharing while preserving patient control over data use.
  • Resources Needed: Technological capacity, political will and monetary resources for new technology adoption
  • Stakeholders: Patients, clinicians, software development and tech companies, researchers, government agencies, healthcare institutions, and state governments
  • Policy Changes: Providing incentives to use the technology and adopting new regulations for implementation
  • Immediate Actions:
    • Identification of pilot projects for technology application
    • Dissemination campaign for stakeholders and patients
  • Long-Term Goals: Generating better protections for patient data and increasing trust in research

Creating Patient-Centric Outreach and Engagement Programs

Patients often feel confused and resentful in the current health data landscape due to the emergence of new forms of health data, inconsistent rules and regulations, and a lack of awareness around how their health data may be used. HHS and its partners could undertake a comprehensive outreach strategy that would increase awareness among patients of the right to access their data, the regulations designed to prevent harm from data misuse, and the resources patients have at their disposal to protect their health data. Moreover, HHS can help provide recommendations to industry to improve consumer literacy for EULAs and terms of service agreements.

  • Solution: Create an outreach and engagement program to inform and empower patients about the uses of their data.
  • Impact: Empowers patients and consumers with knowledge that helps them better access, use, and control their health data
  • Resources Needed: Funding and staff resources, marketing campaign support, patient input
  • Stakeholders: Patients, government agencies, private healthcare companies, healthcare institutions, and state governments
  • Policy Changes: None required
  • Immediate Actions:
    • HHS convenes or participates in a patient stakeholder group to advise on major health data issues
    • Develop a campaign with videos, webinars, and visual materials to improve awareness of health data privacy issues
    • Provide guidelines to industry that recommend language and terminology for consumer awareness

  • Long-Term Goals: Improved patient empowerment and sense of comfort and confidence navigating health data