Privacy, Confidentiality, and Security of Health Information


The benefits of computerized data systems that facilitate access to personal health information are clear. The need to protect the privacy, confidentiality, and security of that information is also paramount. Media reports about data breaches have understandably heightened the public’s concerns about protecting personal information. A number of federal laws and regulations govern the disclosure and safeguarding of health information. 

Regulations issued under the 1996 Health Insurance Portability and Accountability Act (HIPAA) established important privacy and security protections. HIPAA rules apply to health plans, health care clearinghouses, and health care providers that conduct billing and other transactions electronically (“covered entities”). The HIPAA Privacy Rule delineates who is allowed to access personal health information and for what purposes. The Privacy Rule also obligates covered entities to release records to patients who request them or to transmit records to any recipient designated by the patient. The HIPAA Security Rule requires that covered entities implement safeguards to prevent inappropriate disclosure of personal health information. 

The Health Information Technology for Economic and Clinical Health (HITECH) portion of the American Recovery and Reinvestment Act of 2009 further strengthened privacy and security protections, moving the health care system closer to achieving a robust privacy and data security framework. HITECH also extends accountability to those doing business (known as “business associates”) with HIPAA-covered entities. (It is important to note that HIPAA does not apply to most mobile application developers or device manufacturers.) 

The Genetic Information Nondiscrimination Act (GINA), enacted in 2008, provides additional protections for genetic information, including family medical history and genetic test results pertaining to an individual or their family members. GINA bars the use of genetic testing information for health insurance and employment decisions. It does not apply to life, disability, or long-term care insurance. 

Using Social Security numbers (SSNs) as a primary form of identification in health insurance programs exposes individuals to identity theft. To combat this, Medicare began issuing non-SSN-linked Medicare cards in 2018. 

Additionally, many states have enacted statutes that provide some protection against inappropriate disclosures of personally identifiable medical information. Still, the patchwork of state laws leaves many gaps in privacy protections. 

Emerging technologies allow individuals to be in charge of aspects of their care. These include genetic testing kits marketed directly toward consumers and mobile applications designed to help patients manage their health and wellness outside clinical settings. Such advances raise concerns about opportunities for the inappropriate disclosure of personal health information. Additionally, the flow of data from covered entities to consumers via third-party applications raises questions about the limits of existing protections. 

Third-party intermediaries like app developers and mobile device manufacturers are usually not covered by HIPAA. They may become responsible for holding or directing personal health data to various providers. The Food and Drug Administration (FDA) regulates a limited number of mobile applications that are used by health care professionals but does not regulate many applications that are used by consumers. FDA’s policy tries to balance the need for consumer protections and the advantages of innovative technologies (see also this chapter’s section on Medical Devices). Technology experts say it is possible to protect personal health information by encrypting or anonymizing user data stored on mobile devices, but many consumer devices lack these protections. They also caution that the more data stored on a device, the greater the consequences of a potential security breach. 

Through a process known as consumer-mediated data-sharing, consumers could be responsible for requesting and authorizing third-party apps to perform health information exchange (see also this chapter’s section on Health Information Technology for more discussion about consumer-mediated data-sharing). Anecdotal evidence from focus groups of consumers and family caregivers conducted by AARP in 2016 indicates that participants raised concerns about the privacy and security of their personal data in such exchanges of personal health information. 

Privacy experts believe that the Fair Information Practice Principles developed by the Federal Trade Commission could provide a framework to protect personal health information stored or transmitted via mobile applications, health devices, consumer-mediated health information exchange, and other emerging technologies. The principles call for full disclosure, including details of how data will be used. They call for data integrity, quality, and accuracy. 

Finally, leveraging health information to improve the quality and efficiency of care for individual patients may be considered paramount. However, federal and state laws also support the secondary use of electronic health information for public health and research purposes. Some critics say that HIPAA and the “Common Rule” (which outlines basic provisions for the protection of human subjects in research) interfere with biomedical research and restrict access to genetic databases, patient registries, medical records, and other information sources. Others maintain that barriers to the access, use, and disclosure of health information result from overzealous interpretation of the legal requirements, not the law or the regulations themselves. 

A comprehensive framework of privacy and security safeguards will help ensure public trust in health information technology and the appropriate use of health information. Any such safeguards should be transparent in their use and disclosures of personal health data. 



Data privacy, security, and use

Consumers have a right to accurate, secure, and confidential health and health-related information. 

Policymakers should ensure that consumers have easy and convenient access to their health and health-related records and data. Consumers’ access to and possession of their health records and data should not create undue burdens or responsibilities for consumers. It also should not expose their health information to unnecessary risks. 

Policies to encourage access and data exchange should complement, not replace, provider responsibility to obtain and share health information needed to provide high-quality care. 

Organizations (including private companies, nonprofits, and government entities) should be required to provide consumers with meaningful transparency, choice, and control related to their health and health-related data. This includes obtaining consumer consent over how such data are collected, used, shared, or sold. 

They should also be required to: 

  • ensure accuracy of health and health-related data, 
  • provide consumers with the opportunity to review the health information and data held about them, 
  • allow consumers to dispute and resolve the accuracy or completeness of health and health-related data, 
  • provide consumers with an easy and swift process to delete data when they want to end the relationship with an organization, and 
  • obtain consumers’ explicit opt-in consent before selling, sharing, or trading personally identifiable health or health-related data, including doing so with a subsidiary. 

However, entities covered by the Health Insurance Portability and Accountability Act (HIPAA) should continue to be able to share identifiable data with other covered entities without obtaining opt-in consent, consistent with HIPAA. 

Data covered under HIPAA

Organizations should continue to be prohibited from sharing or selling personally identifiable protected health data without consumer consent. Even when consent is provided, consumers should have easy access to information on who has received the data and why. 

State and federal regulators should create clear guidelines for when it is permissible to share information with other entities authorized to receive it. This guidance should be designed to address uncertainties that may inhibit or deter appropriate legal data-sharing. 

Privacy by design

Privacy protections should be embedded into health systems, products, and services. Organizations (including private companies, nonprofits, and government entities) must only collect and retain the personally identifiable information necessary to make the system, product, or service work. This is known as data minimization. They should ensure individual control and accountability. 

Protecting against reidentification

Policymakers should protect people from the harms of disclosure or misuse of all personally identifiable health- and health-related data. This includes data stripped of personally identifiable information because of the ease of reidentification. Policymakers and the private sector should take steps to mitigate consumer risks of data reidentification. Policymakers should develop standards and tests to verify that methods used to mask or strip out identifiable information adequately protect consumers from reidentification. 

Protections should be updated to keep pace with changing technology. State and federal regulators should periodically review and, as appropriate, update privacy and security laws and regulations to address technology innovations, including consumer-mediated health exchanges, records, and information. 

Privacy standards should be developed with strong input from consumers. 

Transparency, accountability, and education

Consumers should receive clear, understandable, and accessible information about how their health and health-related data are being collected, used, shared, and sold. Policymakers should require plain-language disclosures with information about what data are collected and maintained, and how the data may be used, shared, or sold. 

Consumers must have the right to withdraw consent easily and at any time. 

Appropriate federal and state agencies should vigorously enforce health privacy laws and regulations. Well-funded federal and state enforcement authorities must have meaningful enforcement mechanisms, including the ability to impose penalties and enforce swift compliance deadlines. 

Consumers should be empowered to make informed choices. As such, the public must be educated about the benefits and drawbacks of health and health-related data collection and sharing. 

Consumer protections in genetic testing

Genetic testing should not be performed on individuals unless they have provided informed consent. 

Licensed health professionals should play a role in advising consumers about the need for interpretation of all genetic testing, including direct-to-consumer testing. Health professionals who counsel or advise consumers about genetic testing, including direct-to-consumer testing, should be licensed. 

Consumers should be protected from discrimination based on their genetic profile or predispositions, whether gathered directly from personally identifiable data or through inferences from other data sources. For instance, consumers should not be subject to employment, insurance, or other discrimination based on inferences drawn from the data or test results of a relative. 

Federal policymakers should prohibit employers and insurance companies from using data-driven inferences about an individual’s genetic information to make decisions affecting the individual. This could be accomplished by updating the Genetic Information Nondiscrimination Act or establishing another pathway. 

Organizations (including private companies and nonprofits) offering direct-to-consumer genetic tests should be required to: 

  • develop transparent and understandable privacy policies, 
  • provide consumers with meaningful choices about the extent to which their data can be used for genetic information research and disposition of their DNA samples, and 
  • only offer testing that is evidence-based, especially when claiming to reveal risk of disease. 

Policymakers should require companies to obtain express consent to collect, analyze, share, or report genetic data. Companies that want to transfer genetic data that could reveal a person’s identity to any third party should be required to obtain separate opt-in consent for this particular practice. 

Consumers should receive high-quality information and guidance about testing results. Companies should not offer tests for which there is insufficient evidence of the connection between results and disease risk. Federal policymakers should work with consumers and other stakeholders to develop and enforce standards for what types of testing are allowed, the evidence base for any claims about the results, and information that should be provided about follow-up and counseling. 

Security by design

Policymakers and the private sector should ensure that organizations effectively protect against unauthorized access to or misuse of consumers’ health and health-related information. This includes information collected by new technologies. Steps must be taken to prevent data that have been deidentified from being reidentified. 

Security controls should be embedded into products and services. Organizations, by default, should appropriately secure health and health-related information. 

Protections should be updated to keep pace with changing technology, and privacy standards should be developed with ample input from consumers. 

Improved coordination and quality of care

Health care providers should continue to be responsible for obtaining and maintaining the health records of their patients. Health care providers should also be empowered to coordinate care seamlessly with data in a format that can be shared easily with other providers. This is known as interoperability. 

Consumers should not have to be responsible for transferring their health data and information between or among their health care providers. However, consumers can be encouraged to use their data to manage their health. Federal policymakers should continue to promote the development of stronger standards for Application Programming Interfaces (APIs), which facilitate the exchange of health data between providers and between providers and patients. Standards development should meaningfully include affected parties, including consumers. 

Federal policymakers should promote interoperability across the health system through requirements and incentives. They should establish interoperability standards that apply to all health providers, long-term care providers, and payers. 

Federal and state governments should advance the use of health information technology. They should continue to explore innovative approaches to integrating information and sharing data to improve care and support consumer and family caregiver engagement. They should also develop the infrastructure to support standards and privacy protections that are at least consistent with national standards. Federal and state policymakers should ensure that policies to promote interoperability do not impose undue burden and responsibility on consumers and family caregivers. 

Federal and state governments should require providers to incorporate long-term services and support (LTSS) service plans in electronic health records to enable providers to utilize a standardized care plan as consumers with LTSS needs move across settings. 

New treatments, drugs, remote-monitoring technologies, and medical devices should be required to demonstrate safety and effectiveness before they are approved for coverage or sale. Policymakers and appropriate regulators should actively monitor the advertising of remote-monitoring, wearable, or other devices. However, consumers should be encouraged to use their data to manage their health. 

Consumer trust

Policymakers and the private sector should explore opportunities to build trust in efforts to encourage health data-sharing to benefit health research that promotes the greater public good. This includes outreach to underserved communities to ensure that all groups are appropriately represented in data. In seeking to include traditionally underserved communities, researchers must recognize and address long-standing mistrust of research studies and the health care system.  

Health-research studies should limit the collection of personal health data to the information necessary to make the product, service, or research project work. Personal data must be obtained by lawful and fair means and with the knowledge and consent of the data subject. 

Researchers who access large government-owned or government-funded health-research databases must agree to meet rigorous standardized guidelines for data privacy. They should prioritize research on advancing health care quality and health outcomes, particularly those that address disparities and social determinants of health. 

Health innovation that benefits all

All consumers should have the opportunity to benefit from the vast array of data-driven insights and innovation stemming from the accumulation, combination, and analysis of large health and health-related data sets. This includes groups that are traditionally underserved by the health system. 

Unique identifier for health insurance coverage

All health insurers should follow Medicare’s example and replace SSNs with new identification numbers by a specified date (see also the subsections on Data Privacy and Data Security for background and additional policies on protecting the privacy of SSNs).