Privacy, Confidentiality, and Security of Health Information


The benefits of computerized data systems that facilitate access to personal health information are clear. Also evident is the need to protect the privacy, confidentiality, and security of that information. Media reports about data breaches have understandably heightened the public’s concerns about protecting personal information. A number of federal laws and regulations govern the disclosure and safeguarding of health information.

Regulations issued under the 1996 Health Insurance Portability and Accountability Act (HIPAA) established important privacy and security protections. HIPAA rules apply to health plans, health care clearinghouses, and health care providers that conduct billing and other transactions electronically (“covered entities”). The HIPAA Privacy Rule delineates who is allowed to access personal health information and for what purposes. The Privacy Rule also obligates covered entities to release records to patients who request them or to transmit records to any recipient designated by the patient. The HIPAA Security Rule requires that covered entities implement safeguards to prevent inappropriate disclosure of personal health information.

The Health Information Technology for Economic and Clinical Health (HITECH) portion of the American Recovery and Reinvestment Act of 2009 further strengthened privacy and security protections, moving the health care system closer to achieving a robust privacy and data security framework. HITECH also extends accountability to those doing business (known as “business associates”) with HIPAA-covered entities. (It is important to note that HIPAA does not apply to most mobile application developers or device manufacturers.)

The Genetic Information Nondiscrimination Act (GINA), enacted in 2008, provides additional protections for genetic information, which includes family medical history as well as genetic test results pertaining to an individual or their family members. GINA bars the use of genetic testing information for health insurance and employment decisions. It does not apply to life, disability, or long-term care insurance.

Recognizing that the use of Social Security numbers (SSNs) as a primary form of identification in health insurance programs exposes individuals to identity theft, Medicare began issuing Medicare cards that are not linked to SSNs in 2018.

Additionally, many states have enacted statutes that provide some protection against inappropriate disclosures of personally identifiable medical information. Still, the patchwork of state laws leaves many gaps in privacy protections.

Emerging technologies include genetic testing kits marketed directly towards consumers and mobile applications designed to help patients manage their health and wellness outside of clinical settings. Such advances raise concerns about opportunities for the inappropriate disclosure of personal health information. Additionally, the flow of data from covered entities to consumers via third-party applications raises questions about the limits of existing protections.

Third-party intermediaries like app developers and mobile device manufacturers are usually not covered by HIPAA. They may become responsible for holding or directing personal health data to various providers. The Food and Drug Administration (FDA) regulates a limited number of mobile applications that are used by health care professionals but does not regulate many applications that are used by consumers. FDA’s policy tries to balance the need for consumer protections against the advantages of innovative technologies (see also Medical Devices). Technology experts say that it is possible to protect personal health information by encrypting or anonymizing user data stored on mobile devices, but many consumer devices lack these protections. They also caution that the more data stored on a device, the greater the consequences of a potential security breach.

Through a process known as consumer-mediated data-sharing, consumers would be responsible for requesting and authorizing third-party apps to perform health information exchange (see also Health Information Technology for more discussion about consumer-mediated data-sharing). In focus groups of consumers and family caregivers conducted by AARP in 2016, participants raised concerns about the privacy and security of their personal data in such exchanges of personal health information; this evidence is anecdotal.

Privacy experts believe that the Fair Information Practice Principles developed by the Federal Trade Commission could provide a framework to protect personal health information stored or transmitted via mobile applications, health devices, consumer-mediated health information exchange, and other emerging technologies. The principles call for full disclosure, including details of how data will be used. They call for data integrity, quality, and accuracy.

Lastly, leveraging health information to improve the quality and efficiency of care for individual patients may be considered of paramount importance. However, federal and state laws also support the secondary use of electronic health information for public health and research purposes. Some critics say that HIPAA (which established federal privacy and security protections concerning the access, use, and disclosure of personal health information) and the “Common Rule” (which outlines basic provisions for the protection of human subjects in research) interfere with biomedical research and restrict access to genetic databases, patient registries, medical records, and other information sources. Others maintain that barriers to the access, use, and disclosure of health information result from overzealous interpretation of the legal requirements, not the law or the regulations themselves.

A comprehensive framework of privacy and security safeguards, including transparency regarding uses and disclosures of personal health data, will help ensure public trust in health information technology and the appropriate use of health information.



Data privacy, security, and use

Consumers have a right to accurate, secure, and confidential health and health-related information.

Policymakers should ensure that consumers have easy and convenient access to their health and health-related records and data. Consumer access and possession of their health records and data should not create undue burdens or responsibilities for consumers or expose their health information to undue risks.

Policies to encourage access and data exchange should complement, not replace, provider responsibility to obtain and share health information needed to provide high-quality care.

Organizations (including private companies, nonprofits, and government entities) should be required to provide consumers with meaningful transparency, choice, and control related to their health and health-related data. This includes obtaining consumer consent over how such data are collected, as well as how they may be used, shared, or sold.

Organizations should be required to:

  • ensure accuracy of health and health-related data;
  • provide consumers with the opportunity to review the health information and data held about them;
  • allow consumers to dispute and resolve accuracy or completeness of health and health-related data;
  • provide consumers with an easy and swift process to delete data when they want to end the relationship with an organization; and
  • obtain consumers’ explicit opt-in consent before selling, sharing, or trading personally identifiable health or health-related data, including doing so with a subsidiary. However, entities covered by the Health Insurance Portability and Accountability Act (HIPAA) should continue to be able to share identifiable data with other covered entities without obtaining opt-in consent, consistent with HIPAA.

Data covered under HIPAA

Organizations should continue to be prohibited from sharing or selling personally identifiable protected health data without prior consent. Even when consent is provided, consumers should have easy access to information on who has received the data and why.

State and federal regulators should create clear guidance on when it is permissible to share information with other entities authorized to receive it. This guidance should be designed to address uncertainties that may inhibit or deter appropriate, legal data-sharing.

Privacy by design

Privacy protections should be embedded into health systems, products, and services. Organizations (including private companies, nonprofits, and government entities) must only collect and retain such personally identifiable information as is necessary to make the system, product, or service work. This is known as data minimization. They should ensure individual control and accountability.

Protecting against reidentification

Policymakers should protect people from the harms of disclosure or misuse of all personally identifiable health- and health-related data. This includes data that have been stripped of personally identifiable information because of the ease of reidentification. Policymakers and the private sector should take steps to mitigate the consumer risks of reidentification of data. Policymakers should develop standards and tests to verify that methods used to mask or strip out identifiable information adequately protect consumers from reidentification.

Protections should be updated to keep pace with changing technology. State and federal regulators should periodically review and, as appropriate, update privacy and security laws and regulations to address new technology innovation, including consumer-mediated health exchanges, records, and information.

Privacy standards should be developed with strong input from consumer stakeholders.


Transparency, accountability, and education

Consumers should receive clear, understandable, and accessible information about how their health and health-related data are being collected, used, shared, and sold. Policymakers should require plain-language disclosures with information about what data are collected and maintained, and how the data may be used, shared, or sold.

Consumers must have the right to withdraw consent easily and at any time.

Appropriate federal and state agencies should vigorously enforce health privacy laws and regulations. This requires well-funded federal and state enforcement authorities that have meaningful enforcement mechanisms, including the ability to impose penalties and enforce swift compliance deadlines.

Policymakers and the private sector should educate the public about the benefits and drawbacks of health and health-related data collection and sharing to empower consumers to make informed choices.

Consumer protections in genetic testing

Genetic testing should not be performed on individuals unless they have provided informed consent.

Licensed health professionals should play a role in advising consumers about the need for interpretation of all genetic testing, including direct-to-consumer testing. Health professionals who counsel or advise consumers about genetic testing, including direct-to-consumer testing, should be licensed.

Consumers should be protected from discrimination based on their genetic profile or predispositions, whether gathered directly from personally identifiable data or inferred from other data sources. For instance, consumers should not be subject to employment, insurance, or other discrimination based on inferences drawn from data or testing from a relative.

Federal policymakers should prohibit employers and insurance companies from using data-driven inferences about an individual’s genetic information to make decisions affecting the individual. This could be accomplished by updating the Genetic Information Nondiscrimination Act or establishing another pathway.

Organizations (including private companies and nonprofits) offering direct-to-consumer genetic tests should be required to:

  • develop transparent and understandable privacy policies;
  • provide consumers with meaningful choices about the extent to which their data can be used for genetic information research and disposition of their DNA samples; and
  • only offer testing that is evidence-based, especially when claiming to reveal risk of disease.

Policymakers should require companies to obtain express consent to collect, analyze, share or report genetic data. Companies that want to transfer genetic data that could reveal a person’s identity to any third party should be required to obtain separate opt-in consent for this particular practice.

Consumers should receive high-quality information and guidance about testing results. Companies should not offer tests for which there is insufficient evidence on the connection between result and disease risk. Federal policymakers should work with consumers and other stakeholders to develop and enforce standards for what types of testing are allowed, the evidence base for any claims about the results, and the information that should be provided about follow-up and counseling.

Security by design

Policymakers and the private sector should ensure that organizations effectively protect against unauthorized access to or misuse of consumers’ health and health-related information, including information collected by new technologies. Organizations should be required to take steps to prevent reidentification of data that have been deidentified.

Security controls should be embedded into products and services. Organizations by default should appropriately secure health and health-related information.

Protections should be updated to keep pace with changing technology, and privacy standards should be developed with ample input from consumer stakeholders.

Improved coordination and quality of care

Healthcare providers should continue to be responsible for obtaining and maintaining the health records for their patients. Healthcare providers should also be empowered to coordinate care seamlessly with data in a format that can be shared easily with other providers. This is known as interoperability.

Consumers should not have to be responsible for transferring their health data and information between or among their health care providers. However, consumers can be encouraged to use their data to manage their health. Federal policymakers should continue to encourage development of stronger standards for Application Programming Interfaces (APIs), which facilitate the exchange of health data between providers, and between a provider and a patient. Standards development should meaningfully include stakeholders, including consumers.

Federal policymakers should promote interoperability across the health system through requirements and incentives. Policymakers should establish interoperability standards that apply to all health providers, long-term care providers, and payers.

Federal and state governments should advance the use of health information technology. They should continue to explore innovative approaches to integrating information and sharing data to improve care and support consumer and family caregiver engagement. They should also develop the infrastructure to support standards and privacy protections that are at least consistent with national standards. Federal and state policymakers should ensure that policies to promote interoperability do not impose undue burden and responsibility on consumers and family caregivers.

Federal and state governments should require providers to incorporate long-term services and support (LTSS) service plans in electronic health records to enable providers to utilize a standardized care plan as consumers with LTSS needs move across settings.

New treatments, drugs, remote-monitoring technologies, and medical devices should be required to demonstrate safety and effectiveness before they are approved for coverage or sale. Policymakers and appropriate regulators should actively monitor advertising of remote-monitoring, wearable, or other devices.

Consumer trust

Policymakers and the private sector should explore opportunities to build trust in efforts to encourage health data-sharing to benefit health research that promotes the greater public good. This includes outreach to underserved communities to ensure that all groups are appropriately represented in data. In seeking to include traditionally underserved communities, researchers must recognize and address long-standing mistrust of research studies and the healthcare system. This includes providing clear

Health-research studies should limit the collection of personal health data to the information necessary to make the product, service, or research project work. Personal data must be obtained by lawful and fair means, and with the knowledge and consent of the data subject.

Federal policymakers should restrict access to large government-owned or government-funded health-research databases to researchers who agree to meet rigorous standardized guidelines for data privacy. They should prioritize research on advancing healthcare quality and health outcomes, in particular those that address disparities and social determinants of health.

Health innovation that benefits all

All consumers should have the opportunity to benefit from the wide array of data-driven insights and innovation stemming from the accumulation, combination, and analysis of large health and health-related data sets. This includes groups that are traditionally underserved by the health system.

Unique identifier for health insurance coverage

All health insurers should follow Medicare’s example and replace SSNs with new identification numbers by a specified date (see also Data Privacy and Data Security for background and further policies on protecting the privacy of SSNs).