Privacy, Confidentiality, and Security of Health Information

The benefits of computerized data systems that facilitate access to personal health information are clear. Also evident is the need to protect the privacy, confidentiality, and security of that information. Media reports about data breaches have understandably heightened the public’s concerns about protecting personal information. A number of federal laws and regulations govern the disclosure and safeguarding of health information.

Regulations issued under the 1996 Health Insurance Portability and Accountability Act (HIPAA) established important privacy and security protections. HIPAA rules apply to health plans, health care clearinghouses, and health care providers that conduct billing and other transactions electronically (“covered entities”). The HIPAA Privacy Rule delineates who is allowed to access personal health information and for what purposes. The Privacy Rule also obligates covered entities to release records to patients who request them or to transmit records to any recipient designated by the patient. The HIPAA Security Rule requires that covered entities implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic personal health information and to prevent its inappropriate disclosure.

The Health Information Technology for Economic and Clinical Health (HITECH) portion of the American Recovery and Reinvestment Act of 2009 further strengthened privacy and security protections, moving the health care system closer to achieving a robust privacy and data security framework. HITECH also extends accountability to those doing business (known as “business associates”) with HIPAA-covered entities. (It is important to note that HIPAA does not apply to most mobile application developers or device manufacturers.)

The Genetic Information Nondiscrimination Act (GINA), enacted in 2008, provides additional protections for genetic information, which includes family medical history as well as genetic test results pertaining to an individual or their family members. GINA bars the use of genetic testing information for health insurance and employment decisions. It does not apply to life, disability, or long-term care insurance.

Recognizing that the use of Social Security numbers (SSNs) as a primary form of identification in health insurance programs exposes individuals to identity theft, Medicare began issuing Medicare cards that are not linked to SSNs in 2018.

Additionally, many states have enacted statutes that provide some protection against inappropriate disclosures of personally identifiable medical information. Still, the patchwork of state laws leaves many gaps in privacy protections.

Emerging technologies include genetic testing kits marketed directly towards consumers and mobile applications designed to help patients manage their health and wellness outside of clinical settings. Such advances raise concerns about opportunities for the inappropriate disclosure of personal health information. Additionally, the flow of data from covered entities to consumers via third-party applications raises questions about the limits of existing protections.

Third-party intermediaries like app developers and mobile device manufacturers are usually not covered by HIPAA, yet they may end up holding personal health data or routing it to various providers. The Food and Drug Administration (FDA) regulates a limited number of mobile applications that are used by health care professionals but does not regulate many applications that are used by consumers. FDA’s policy tries to balance the need for consumer protections and the advantages of innovative technologies (see also Medical Devices). Technology experts say that it is possible to protect personal health information by encrypting or anonymizing user data stored on mobile devices, but many consumer devices lack these protections, and the protections only hold if the encryption keys are not stored alongside the data and if the anonymization cannot be reversed. They also caution that the more data stored on a device, the greater the consequences of a potential security breach.
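The anonymization caveat above deserves a concrete illustration. The following is an added example written for this section, not code from the original page or from any app or device vendor it discusses. It uses only the Python standard library, a made-up SSN, and a hypothetical attacker who knows the first five digits of the SSN (a realistic assumption, since the area and group digits were historically tied to place and date of issuance). Replacing an SSN with a plain, unkeyed hash looks anonymous but is recovered by enumerating the 10,000 possible serial numbers; a keyed pseudonym (HMAC under a secret kept off the device) survives the same attack.

```python
"""Why hashing an identifier is not the same as anonymizing it.

Added example for this section; not code from the original page.
Standard library only. SAMPLE_SSN is a constructed, made-up value.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample identifier in the classic area-group-serial layout.
SAMPLE_SSN = "123-45-6789"


def naive_hash_token(ssn: str) -> str:
    """Replace an SSN with its unkeyed SHA-256 digest.

    Deterministic and keyless: anyone who can enumerate candidate SSNs
    can recompute each digest and match it against the stored token.
    """
    return hashlib.sha256(ssn.encode("ascii")).hexdigest()


def keyed_token(ssn: str, key: bytes) -> str:
    """Pseudonymize an SSN with HMAC-SHA256 under a secret key.

    Without the key an attacker cannot recompute candidate tokens, so
    enumerating the SSN space no longer works. The key must live away
    from the dataset (for example in a server-side key store), not on
    the device next to the data it protects.
    """
    return hmac.new(key, ssn.encode("ascii"), hashlib.sha256).hexdigest()


def brute_force_serial(token: str, area_group: str,
                       token_fn: Callable[[str], str]) -> Optional[str]:
    """Try to recover an SSN from a token by testing every serial 0000-9999.

    Models an attacker who already knows (or guesses) the area and group
    digits. `token_fn` is whatever the attacker is able to compute: the
    unkeyed hash, or HMAC under a key they guessed (and got wrong).
    Returns the recovered SSN, or None if no candidate matched.
    """
    for serial in range(10_000):
        candidate = f"{area_group}-{serial:04d}"
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


def demo() -> dict:
    """Run both schemes against the same attacker and report the outcome."""
    key = secrets.token_bytes(32)        # generated fresh; never stored with the data
    wrong_key = secrets.token_bytes(32)  # what an attacker without the key can at best try
    weak = naive_hash_token(SAMPLE_SSN)
    strong = keyed_token(SAMPLE_SSN, key)
    return {
        "weak_recovered": brute_force_serial(weak, "123-45", naive_hash_token),
        "strong_recovered": brute_force_serial(
            strong, "123-45", lambda s: keyed_token(s, wrong_key)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the constructed SSN recovered from the unkeyed hash and `None` for the keyed token. The same reasoning applies to any low-entropy identifier (dates of birth, medical record numbers, ZIP codes): hashing alone is a lookup table waiting to be built, while a keyed pseudonym moves the secret into a key that can be managed and revoked independently of the data.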

Through a process known as consumer-mediated data-sharing, consumers would be responsible for requesting and authorizing third-party apps to perform health information exchange (see also Health Information Technology for more discussion about consumer-mediated data-sharing). In focus groups of consumers and family caregivers conducted by AARP in 2016, participants raised concerns about the privacy and security of their personal data in such exchanges of personal health information.

Privacy experts believe that the Fair Information Practice Principles developed by the Federal Trade Commission could provide a framework to protect personal health information stored or transmitted via mobile applications, health devices, consumer-mediated health information exchange, and other emerging technologies. The principles call for notice, including full disclosure of what data is collected and how it will be used, and for consumer choice about those uses. They also call for consumer access to their own data, and for data integrity, quality, accuracy, and security.

Lastly, leveraging health information to improve the quality and efficiency of care for individual patients is generally considered of paramount importance. However, federal and state laws also support the secondary use of electronic health information for public health and research purposes. Some critics say that HIPAA (which established federal privacy and security protections concerning the access, use, and disclosure of personal health information) and the “Common Rule” (which outlines basic provisions for the protection of human subjects in research) interfere with biomedical research and restrict access to genetic databases, patient registries, medical records, and other information sources. Others maintain that barriers to the access, use, and disclosure of health information result from overzealous interpretation of the legal requirements, not from the law or the regulations themselves.

A comprehensive framework of privacy and security safeguards, including transparency regarding uses and disclosures of personal health data, will help ensure public trust in health information technology and the appropriate use of health information.