Privacy, Confidentiality, and Security of Health Information

Consumers have a right to accurate, secure, and confidential health and health-related information. 

Policymakers should ensure that consumers have easy and convenient access to their health and health-related records and data. Consumer access and possession of their health records and data should not create undue burdens or responsibilities for consumers. It also should not expose their health information to unnecessary risks. 

Policies to encourage access and data exchange should complement, not replace, provider responsibility to obtain and share health information needed to provide high-quality care. 

Organizations (including private companies, nonprofits, and government entities) should be required to provide consumers with meaningful transparency, choice, and control related to their health and health-related data. This includes obtaining consumer consent over how such data are collected, used, shared, or sold. 

They should also be required to: 

• ensure accuracy of health and health-related data, 
• provide consumers with the opportunity to review the health information and data held about them, 
• allow consumers to dispute and resolve the accuracy or completeness of health and health-related data, 
• provide consumers with an easy and swift process to delete data when they want to end the relationship with an organization, and 
• obtain consumers’ explicit opt-in consent before selling, sharing, or trading personally identifiable health or health-related data, including doing so with a subsidiary. 

However, entities covered by the Health Insurance Portability and Accountability Act (HIPAA) should continue to be able to share identifiable data with other covered entities without obtaining opt-in consent, consistent with HIPAA. 

Organizations should continue to be prohibited from sharing or selling personally identifiable protected health data without consumer consent. Even when consent is provided, consumers should have easy access to information on who has received the data and why. 

State and federal regulators should create clear guidelines for when it is permissible to share information with other entities authorized to receive it. This guidance should be designed to address uncertainties that may inhibit or deter appropriate legal data-sharing. 

Privacy protections should be embedded into health systems, products, and services. Organizations (including private companies, nonprofits, and government entities) must only collect and retain such personally identifiable information necessary to make the system, product, or service work. This is known as data minimization. They should ensure individual control and accountability. 

Policymakers should protect people from the harms of disclosure or misuse of all personally identifiable health- and health-related data. This includes data stripped of personally identifiable information because of the ease of reidentification. Policymakers and the private sector should take steps to mitigate consumer risks of data reidentification. Policymakers should develop standards and tests to verify that methods used to mask or strip out identifiable information adequately protect consumers from reidentification. 

Protections should be updated to keep pace with changing technology. State and federal regulators should periodically review and update as appropriate privacy and security laws and regulations to address technology innovations, including consumer-mediated health exchanges, records, and information. 

Privacy standards are developed with strong input from consumers. 

Consumers should receive clear, understandable, and accessible information about how their health and health-related data are being collected, used, shared, and sold. Policymakers should require plain-language disclosures with information about what data are collected and maintained, and how the data may be used, shared, or sold. 

Consumers must have the right to withdraw consent easily and at any time. 

Appropriate federal and state agencies should vigorously enforce health privacy laws and regulations. Well-funded federal and state enforcement authorities must have meaningful enforcement mechanisms, including the ability to impose penalties and enforce swift compliance deadlines. 

Consumers should be empowered to make informed choices. As such, the public must be educated about the benefits and drawbacks of health and health-related data collection and sharing. Policymakers should protect people from the harms of disclosure or misuse of all personally identifiable health- and health-related data. This includes data that have been stripped of personally identifiable information because of the ease of reidentification. 

Policymakers and the private sector should take steps to mitigate the consumer risks of the reidentification of data. Policymakers should develop standards and tests to verify that methods used to mask or strip out identifiable information adequately protect consumers from reidentification. 

Genetic testing should not be performed on individuals unless they have provided informed consent. 

Licensed health professionals should play a role in advising consumers about the need for interpretation of all genetic testing, including direct-to-consumer testing. Health professionals who counsel or advise consumers about genetic testing, including direct-to-consumer testing, should be licensed. 

Consumers should be protected from discrimination based on their genetic profile or predispositions, gathered directly from personally identifiable data or through inferences from other data sources. For instance, consumers should not be subject to employment, insurance, or other discrimination based on inferences drawn on data or testing from a relative. 

Federal policymakers should prohibit employers and insurance companies from using data-driven inferences about an individual’s genetic information to make decisions affecting the individual. This could be accomplished by updating the Genetic Information Nondiscrimination Act or establishing another pathway. 

Organizations (including private companies and nonprofits) offering direct-to-consumer genetic tests should be required to: 

• develop transparent and understandable privacy policies, 
• provide consumers with meaningful choices about the extent to which their data can be used for genetic information research and disposition of their DNA samples, and 
• only offer testing that is evidence-based, especially when claiming to reveal risk of disease. 

Policymakers should require companies to obtain express consent to collect, analyze, share, or report genetic data. Companies that want to transfer genetic data that could reveal a person’s identity to any third party should be required to obtain separate opt-in consent for this particular practice. 

Consumers should receive high-quality information and guidance about testing results. Companies should not offer tests for which there is insufficient evidence of the connection between results and disease risk. Federal policymakers should work with consumers and other stakeholders to develop and enforce standards for what types of testing are allowed, the evidence base for any claims about the results, and information that should be provided about follow-up and counseling. 

Policymakers and the private sector should ensure that organizations effectively protect against unauthorized access to or misuse of consumers’ health and health-related information. This includes those collected by new technologies. Steps must be taken to prevent data that have been deidentified from being reidentified. 

Security controls should be embedded into products and services. Organizations, by default, should appropriately secure health and health-related information. 

Protections should be updated to keep pace with changing technology and privacy standards and developed with ample input from consumer. 

Health care providers should continue to be responsible for obtaining and maintaining the health records of their patients. Health care providers should also be empowered to coordinate care seamlessly with data in a format that can be shared easily with other providers. This is known as interoperability. 

Consumers should not have to be responsible for providing their health data and information between or among their health care providers. However, consumers can be encouraged to use their data to manage their health. Federal policymakers should continue to promote the development of stronger standards for Application Programming Interfaces (APIs), which facilitate the exchange of health data between providers and between providers and patients. Standards development should meaningfully include affected parties, including consumers. 

Federal policymakers should promote interoperability across the health system through requirements and incentives. They should establish interoperability standards that apply to all health providers, long-term care providers, and payers. 

Federal and state governments should advance the use of health information technology. They should continue to explore innovative approaches to integrating information and sharing data to improve care and support consumer and family caregiver engagement. They should also develop the infrastructure to support standards and privacy protections that are at least consistent with national standards. Federal and state policymakers should ensure that policies to promote interoperability do not impose undue burden and responsibility on consumers and family caregivers 

Federal and state governments should require providers to incorporate long-term services and support (LTSS) service plans in electronic health records to enable providers to utilize a standardized care plan as consumers with LTSS needs move across settings. 

New treatments, drugs, remote-monitoring technologies, and medical devices should be required to demonstrate safety and effectiveness before they are approved for coverage or sale. Policymakers and appropriate regulators should actively monitor the advertising of remote-monitoring, wearable, or other devices. However, consumers should be encouraged to use their data to manage their health. 

Policymakers and the private sector should explore opportunities to build trust in efforts to encourage health data-sharing to benefit health research that promotes the greater public good. This includes outreach to underserved communities to ensure that all groups are appropriately represented in data. In seeking to include traditionally underserved communities, researchers must recognize and address long-standing mistrust of research studies and the health care system.  

Health-research studies should limit the collection of personal health data to the information necessary to make the product, service, or research project work. Personal data must be obtained by lawful and fair means and with the knowledge and consent of the data subject. 

Researchers who access large government-owned or government-funded health-research databases must agree to meet rigorous standardized guidelines for data privacy. They should prioritize research on advancing health care quality and health outcomes, particularly those that address disparities and social determinants of health. 

All consumers should have the opportunity to benefit from the vast array of data-driven insights and innovation stemming from the accumulation, combination, and analysis of large health and health-related data sets. This includes groups that are traditionally underserved by the health system. 

All health insurers should follow Medicare’s examples and replace SSNs with new identification numbers by a specified date (see also the subsections on Data Privacy and Data Security for background and additional policies on protecting the privacy of SSNs).