Review Article | Open access | Published: 04 January 2021

Privacy protections to encourage use of health-relevant digital data in a learning health system

Deven McGraw (ORCID: orcid.org/0000-0002-8172-4400) and Kenneth D. Mandl (ORCID: orcid.org/0000-0002-9781-0477)

npj Digital Medicine, volume 4, Article number: 2 (2021)


The National Academy of Medicine has long advocated for a “learning healthcare system” that produces constantly updated reference data during the care process. Moving toward a rapid learning system to solve intractable problems in health demands a balance between protecting patients and making data available to improve health and health care. Public concerns in the U.S. about privacy and the potential for unethical or harmful uses of this data, if not proactively addressed, could upset this balance. New federal laws prioritize sharing health data, including with patient digital tools. U.S. health privacy laws do not cover data collected by many consumer digital technologies and have not been updated to address concerns about the entry of large technology companies into health care. Further, there is increasing recognition that many classes of data not traditionally considered to be healthcare-related, for example consumer credit histories, are indeed predictive of health status and outcomes. We propose a multi-pronged approach to protecting health-relevant data while promoting and supporting beneficial uses and disclosures to improve health and health care for individuals and populations. Such protections should apply to entities collecting health-relevant data regardless of whether they are covered by federal health privacy laws. We focus largely on privacy but also address protections against harms as a critical component of a comprehensive approach to governing health-relevant data. U.S. policymakers and regulators should consider these recommendations in crafting privacy bills and rules. However, our recommendations also can inform best practices even in the absence of new federal requirements.

Introduction

The National Academy of Medicine has long advocated for a “learning healthcare system” that produces constantly updated reference data during the care process [1]. Moving toward a rapid learning system to solve intractable problems in health demands a balance between protecting patients and making data available to improve health and health care. Since much of what impacts an individual’s health and wellbeing occurs outside of a doctor’s office or hospital [2], a rapid learning health system also requires data generated outside of traditional healthcare.

This paper comprehensively explores the growing U.S. health data landscape and the privacy risks and innovation obstacles raised by under-regulation of this data. We propose a multi-pronged approach to protecting “health relevant” data while promoting and supporting beneficial uses and disclosures essential to improving health and health care. A roadmap of the key points explored in this paper can be found in Box 1.

Box 1 Overview

A wide array of information about individuals is health-relevant.

Health information can have beneficial and detrimental impacts for individuals and populations, depending on use.

HIPAA provides limited coverage of health data, including data shared by consumers with third party applications.

The Federal Trade Commission regulates companies’ use of health data but not through comprehensive rules.

Other U.S. and international laws provide only some protection for health data in the U.S.

Congress is considering privacy legislation, but the bills have significant shortcomings for protecting health data. They:

– Overrely on providing individuals with greater notice and consent, which feels empowering for consumers but shifts to them the burden for protecting data.

– Overvalue de-identification or pseudonymization as privacy measures, providing zero protections for de-identified data notwithstanding potential re-identification risk and concerns about commercialization.

– Do nothing to encourage responsible uses of health data to improve individual and population health, notwithstanding significant shortcomings in U.S. health and health care.

– Focus largely on entities not covered by HIPAA, though HIPAA urgently needs reevaluation given current practices.

COVID-19 responses sharply illustrate the tension between beneficent data use and privacy incursions.

The dual requirements to both protect individuals and assure data availability call for comprehensive policies governing all entities collecting and using health information, whether covered by HIPAA or not. Legislation and company best practices should draw from HIPAA’s framework and FTC consumer privacy recommendations and include:

– Increased transparency and choice for consumers.

– Limitations on how health data can be collected, used, and disclosed versus relying only on consent.

– Mechanisms to assure beneficial uses of health relevant data, e.g., independent data ethics boards, health trusts, impact assessments, and accountable data custodians.

– Strengthened remedies for harms incurred from malevolent uses of health data.

– Accountability for uses of de-identified data.

Defining health data

Though traditionally the term “health data” has referred to information produced and stored by healthcare provider organizations, vast amounts of health-relevant data are collected from individuals and entities elsewhere, both passively and actively. Much of the data beyond Category 1 in Box 2 is outside of the scope of comprehensive health privacy laws in the U.S.

Recently, concerns about whether existing privacy laws provide sufficient protections for health-relevant data have motivated Congress and state legislatures to propose legislation to fill the gaps [3]. These concerns have been exacerbated by revelations about how the largest information technology companies collect, use, and share personal data [4, 5] and these companies’ increasing activities in health care [6].

The tension between protecting privacy while promoting more widespread access to health-relevant data is not new. Data produced by the healthcare system (Category 1) has been difficult to access and marshal for health reform, to protect public health, to underpin discoveries, or to expand the evidence base for health and wellness interventions [7]. Yet recent new federal initiatives aimed at increasing access to Category 1 data—particularly with respect to sharing this data with consumer-facing applications—were met with fierce resistance as privacy concerns were raised [8].

At the same time, nontraditional health-relevant data (Categories 2–4), often equally revealing of health status, are in widespread commercial use and, in the hands of commercial companies, largely unregulated—yet often less accessible by providers, patients and public health for improving individual and population health [9]. The following examples illustrate this tension. There is increasing recognition that social determinants of health (sometimes discernable from data in Categories 3–4) can be highly influential in health and wellness and the costs of both [2, 10]. On the one hand, these data are sensitive because of stigma, health, and financial implications associated with having limited resources. On the other hand, they could be used to improve the health of individuals by identifying those most in need of supports and services. However, in the absence of controls companies could use these data perversely, for example, to avoid locating in neighborhoods perceived to be more costly, or to avoid insuring populations with the highest risks from social determinants. Other types of data in Categories 3 and 4 may not on the surface appear to be health-relevant but could be used to make powerful inferences about an individual’s or a population’s health, e.g. homeownership and job status are predictive of medication adherence [11]. Such information either could be used to target resources toward improving adherence or to penalize individuals unlikely to take their medications.

To date, U.S. laws governing health data and new legislative proposals tend to focus more on privacy by limiting or controlling access to health-relevant data than on assuring its availability for uses that could improve individual and population health. Lacking are multifaceted policy solutions incorporating protections for health-relevant data while stimulating and encouraging responsible uses for transforming healthcare into a more data-driven enterprise. Necessary protections for health-relevant data also must go beyond a pure privacy focus and extend to preventing or penalizing uses that could harm individuals and populations. Here, we address not only privacy protections but also potential data-related harms as a critical component of a comprehensive approach to governing health-relevant data.

Box 2 Major categories of health-relevant data with examples

Category 1. Health Care System Generated. Electronic medical record data, prescriptions, laboratory data—including molecular “omics” data, pathology images, radiography, payor claims data.

Category 2. Consumer Health and Wellness Industry Generated. Wearable fitness tracking devices, medical wearables such as insulin pumps and pacemakers, medical or health monitoring apps, patient-reported outcome surveys, direct-to-consumer tests (including DNA analysis) and treatments.

Category 3. Digital Exhaust Generated as a Byproduct of Consumers’ Daily Activities. Social media posts, Internet search histories, location and proximity data.

Category 4. Non-Health Demographic, Social, and Economic Sources. Race, gender, income, credit history, employment status, education level, residential zip code, housing status, census records, bankruptcy and other financial records, grocery store purchases, fitness club memberships, voter registration.

U.S. Federal privacy protections for health-relevant personal data

The limitations of HIPAA

The privacy, security, and breach notification regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) [12] and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) [13] provide a comprehensive set of protections—but only for data within the health care system. Like many U.S. laws, HIPAA is a sectoral law, covering only certain types of entities. For the most part, HIPAA does not extend to organizations and businesses outside of the traditional health care ecosystem. (See Supplementary Discussion for a brief overview of HIPAA and other laws governing data in the health care system.) Though many may think of HIPAA as only applying to Category 1 data, once health-relevant data—in any of the four categories in Box 2—are collected within an entity covered by HIPAA, those data will be covered by HIPAA’s protections. Specifically, all information that is identifiable “protected health information” is covered [14], and this includes information that may not look like health data (such as in Category 4) but is used in a way that makes it “related to health and health care.” However, since HIPAA’s coverage is about “who” holds the data, but not what type of data, much of the health-relevant data collected today is collected by entities outside of HIPAA’s coverage bubble and thus resides outside of HIPAA’s protections [15, 16, 17].

An increasingly important example of information leaving HIPAA’s coverage is when a consumer uses a third party health application (app) to obtain Category 1 data for personal use. Health apps used by consumers are frequently hosted by third parties and may share data further, with little transparency to users. Most are not covered by HIPAA. An analysis of 10 apps (two of them intended to enable women to track menstrual cycles and predict ovulation times) found they transmitted data on user activities in the app to 70 different third parties involved in advertising and profiling, without explicit consent from the users [18]. Another study examining 14 health and nutrition apps, including apps tracking medication use, migraines, and sleep, and some helping to manage diabetes, found that all but one (the Apple Health App) shared data with third parties without full transparency to the user [19]. A cross-sectional study of 36 apps for depression and smoking cessation found that 29 transmitted data to services provided by Facebook or Google, but only 12 accurately disclosed this in a privacy policy [20].

Privacy concerns over consumer apps nearly halted new federal initiatives that require health care providers and health plans to share more health information with patients. As directed by the 21st Century Cures Act [21], the federal Office of the National Coordinator for Health IT (ONC) recently finalized rules prohibiting “information blocking,” which includes the failure to share health information with individuals or health apps chosen by those individuals [22]. ONC’s rules also require certified electronic health records (EHRs) used by health care providers to offer open, standard application programming interfaces (APIs), specifically the SMART on FHIR API [23] and the SMART/HL7 Bulk Data API [24, 25], to facilitate seamless digital data sharing of electronic health record data, including with individuals and their chosen health apps [24, 25]. Demonstrating a similar commitment to greater data sharing, particularly with individuals, the Centers for Medicare and Medicaid Services (CMS) now requires health plans under its purview to share claims data with subscribers and hospitals to send alerts to physicians when their patients have been hospitalized [26].

When CMS and ONC initially proposed these rules and sought public comment, they were sharply criticized by health care provider organizations and by a major vendor of provider EHR systems for promoting the sharing of sensitive clinical and claims data—data in Category 1—with consumer-facing apps without adequately addressing privacy concerns [27]. Although neither CMS nor ONC has authority to regulate consumer-facing tools, the critics capitalized on a significant gap in U.S. health privacy protections [28].

FTC jurisdiction and other protections

The new federal rules on interoperability and information blocking facilitate patient-mediated data flows, sending EHR data (Category 1) across an API, leaving a HIPAA-covered entity and entering a consumer-controlled app. As the data traverse the API, the regulatory authority instantaneously shifts from the HHS Office for Civil Rights (OCR), which enforces HIPAA, to the Federal Trade Commission (FTC) [29]. The FTC has the most enforcement power over privacy in the U.S. through Section 5(a) of the FTC Act (FTCA), which broadly prohibits “unfair or deceptive acts or practices in or affecting commerce” [30]. The FTCA applies to most entities engaged in commerce, including developers and marketers of mobile health technologies, social media sites, and technology companies. Generally, the FTC’s Section 5 authority does not extend to nonprofit entities or insurance companies (https://www.ftc.gov/news-events/media-resources/what-ftc-does), and there are exceptions related to banks, savings and loans, federal credit unions, and common carriers such as airlines [31].

In the context of privacy, the FTC has translated its unfair and deceptive trade practices authority by, for example, requiring companies covered by the FTCA to honor the commitments set forth in their privacy policies and terms of service and to adopt reasonable security safeguards [32]. Further, the Commission has brought numerous cases against businesses covered by the FTCA for deceptive and unfair practices with regard to consumers’ health data and for failing to have reasonable and appropriate data security practices regarding that data [33].

Entities not covered by the FTCA (for example, nonprofit entities and insurance companies) may be regulated regarding privacy and security only if covered by another federal law (HIPAA, for example) or by state law. Ironically, this means that in terms of federal privacy protections, an app offered by a nonprofit company outside of the health care system (for example, offered by a patient advocacy organization) might offer the least accountability to consumers. Of note, the FTC also administers breach notification requirements enacted by Congress in the Health Information Technology for Economic and Clinical Health Act (HITECH) (see Supplementary Discussion) and applicable to “personal health records,” which are health records maintained by or primarily for individuals [34], and “related apps” [13].

The FTCA is broadly applicable to most companies collecting health-relevant data, and the FTC has taken enforcement action against developers of mobile health apps [35]. However, there is a perception that these protections—because they are not established in comprehensive regulations similar to the HIPAA rules—are not sufficient to protect health data [36]. Notwithstanding the breadth of the FTC’s authority, its recent settlement with Facebook regarding a number of alleged violations of the FTCA has generated doubts about whether the FTC is equipped to take on this enforcement role outside of HIPAA’s boundaries [37, 38]. Concerns have also been raised that the FTC currently lacks sufficient resources to enforce privacy protections for health-relevant data at scale.

Other federal statutes extend some privacy protections for personal data, which could include health-relevant data, in particular contexts [39] (see Supplementary Table 1 for a brief summary of some federal laws that extend protections for personal data). State privacy laws protecting health and personal data often are more protective than federal law [40, 41]. For example, HIPAA does not preempt state laws that are more protective of privacy [42]. To help resolve privacy concerns, a number of organizations have proposed voluntary privacy frameworks for health data. Voluntary commitments made by companies subject to the FTCA can be enforced by the FTC (see Box 3 for a summary of these efforts).

Finally, international laws also can affect protections for U.S. residents if global companies governed by international laws decide to apply those heightened protections to all of their customers. For example, the General Data Protection Regulation (GDPR), which went into effect in May of 2018, covers all data “controllers” and “processors” in the European Union (EU). It also includes entities not located in the EU but who offer goods and services to EU residents or monitor the behavior of EU data subjects within the EU [43]. Commitments U.S. companies make to their U.S. customers to comply with the GDPR can be enforced by the FTC.

Box 3 Summary of health data best practice frameworks

Detailed, voluntary privacy and security best practice frameworks have been proposed, including by the Center for Democracy and Technology (CDT) and the eHealth Initiative (eHI) (https://www.ehidc.org/resources/draft-consumer-privacy-framework-health-data), the CARIN Alliance (https://www.carinalliance.com/our-work/trust-framework-and-code-of-conduct), the Consumer Technology Association (https://www.cta.tech/cta/media/policyImages/policyPDFs/Guiding-Principles-on-the-Privacy-and-Security-of-Personal-Wellness.pdf), the American Medical Association’s Xcertia Initiative (https://xcertia.org/the-guidelines/), and Patient Privacy Rights (https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3439701). These best practices, if publicly attested to by companies subject to the FTCA, can be enforced by the FTC (such as if a company publicly commits to good data practice but doesn’t actually follow that practice). In addition, in 2016 the ONC published a Model Privacy Notice intended to help consumers compare privacy policies across consumer health applications (https://www.healthit.gov/sites/default/files/2016_model_privacy_notice.pdf, 02 Dec 2016).

These best practice frameworks and the model notice differ in their intended uses and level of detail, but there are similarities. Each addresses issues of transparency to consumers and when consent for data collection, use, or disclosure is necessary. Each provides consumers with rights such as the right to access and request amendments to data. Most cover only identifiable data, although at least one, the CARIN Trust Framework, requires transparency for uses of less identifiable or “de-identified” data. One, Xcertia, focuses also on the reliability of the health data or advice dispensed by consumer-facing services. The framework from the Consumer Technology Association recommends that personal wellness data not be knowingly used or disclosed “in ways that are likely to be unjust or prejudicial” to consumers and encourages companies to periodically review algorithms or automated decision methodologies to guard against the creation of unjust or prejudicial outcomes for subgroups. The CDT/eHI framework would place collection, use, and disclosure limitations on health data and require that automated, algorithmic or artificial intelligence systems be designed and implemented in ways to mitigate bias.

Reevaluating HIPAA

The presumption has been that, at least with respect to Category 1 data, the U.S. has sufficient protections in HIPAA, but that presumption appears to be fading. Some have questioned whether HIPAA is still protective in an increasingly digital era [44]. The more the public learns about what HIPAA allows, the less satisfied they are with the “protections” afforded by the law. For example, entities covered by HIPAA frequently sell data that are de-identified per HIPAA standards but still can be linked to create health profiles of individuals [45].

In particular, HIPAA’s sufficiency is being questioned when it comes to sharing health-relevant data with large technology companies. After years of periodic experimentation, major technology companies are retooling business models to address need in health care (https://www.cbinsights.com/research/apple-healthcare-strategy-apps/). In many cases, these initiatives involve contracting with health care system actors to improve how these actors deliver health care [46, 47, 48, 49]. Technology companies have the potential to bring needed resources and innovation into health and health care [50]. However, the tech companies’ history of ubiquitous data collection and tracking of consumers has generated public backlash [51]. Facebook [52], Google [53], and Twitter (https://help.twitter.com/en/information-and-ads#10-08-2019) have had substantial lapses in protecting personal information, generating public doubt that these companies can yet be trusted to responsibly handle health-relevant data [54]. A whistleblower’s alarm [55] over an arrangement between Google and Ascension Health to facilitate data analytics for Ascension caused an uproar, triggering investigations by the U.S. Department of Health and Human Services (HHS) to assure the arrangement complied with HIPAA regulations [56]. In the arrangement, Google is a vendor to Ascension and covered under HIPAA as a business associate. Consequently, Google must abide by the same rules that govern health care providers and health plans, plus any additional requirements Ascension may have imposed as part of the business associate agreement. Nevertheless, this arrangement sparked a public conversation, suggesting public dissatisfaction with such data arrangements even when they are in compliance with HIPAA.

COVID-19: the perfect storm

COVID-19 may perfectly illustrate the conundrum between protecting health information and ensuring its availability to meet the challenges posed by a significant global pandemic. U.S. lawmakers have used enforcement discretion to relax existing health privacy laws to stimulate more widespread reporting of relevant COVID-19-related data to federal and state public health authorities [57]. Public health experts have published best practices to enable existing health information exchange networks—built to facilitate digital data sharing among health care providers for treatment purposes—to be rapidly leveraged for public health reporting [58].

But efforts from major technology companies to assist in fighting the pandemic have been met with skepticism. Verily’s establishment of community testing sites—and an online site to screen people for eligibility for a test—was initially met with criticism from privacy advocates [59]. Public health experts (https://apps.npr.org/documents/document.html?id=6877567-Bipartisan-Public-Health-Leaders-Letter-on) are calling for robust contact tracing to combat COVID-19 and help states and localities begin to safely re-open public spaces [60]. China and South Korea have mandated public use of contact tracing technologies, with few privacy controls [61]; other countries are also adopting contact tracing technologies [62]. However, in the U.S., states and localities have been slow to adopt technology solutions that would voluntarily be used by consumers to facilitate contact tracing, both due to privacy concerns and uncertainty regarding whether technology is an effective replacement for the customary human-to-human contact involved in contact tracing [61]. Google and Apple—typically fierce competitors—joined together to enable apps to use Bluetooth proximity data to facilitate privacy-preserving contact tracing [63]. However, questions have arisen both about whether such information can be collected in a way that responds to privacy concerns [64] and whether privacy controls will create unnecessary barriers to deploying these technologies in an optimal way to fight the pandemic [65]. Others have expressed concerns regarding the equitable collection and use of this information given disparities in use of smart phones and access to broadband [64].

The collection and use by public health authorities of geolocation data for purposes of COVID-19 response illustrates the need for objective review of health-relevant data sharing. The collection of geolocation data has long been controversial [66]. Sharing such data with governments raises concerns about how those data could be used to harm individuals (such as by stigmatizing or unjustly penalizing those who are determined, based solely on this data, to be ill or at risk to themselves or others). Further, public health authorities typically are not “covered entities” under HIPAA, and laws governing how local authorities can access, use, and disclose data may vary by state and locality [67]. (Of note: the U.S. Centers for Disease Control and Prevention is covered by the federal Privacy Act of 1974; see Supplementary Table 1.)

Current federal data privacy bills

Several bills have been introduced in the 116th Congress to fill gaps in U.S. privacy law (see Supplementary Table 2 for a sample list of those bills). For the most part, the federal bills adopt one or more of the following approaches:

Requirements to provide individuals with clear notice about how their personal information is collected, used, and disclosed;

Requirements to provide individuals with choices (either opt-in or opt-out) for the collection, use, and disclosure of their personal information;

Broad definitions of personal data, with stricter standards for data to be considered to be de-identified (and therefore no longer covered);

Establishment of individual rights concerning data, including the right to know whether a company possesses your data, the right to request corrections, the right to obtain copies, and the right to have data deleted;

Increased authority to, and resources for, the FTC to enforce new privacy mandates; and

Exemptions from new law for entities already covered by HIPAA.

These bills incorporate many of the customary provisions found in privacy laws but have the following key limitations, particularly for regulating the privacy of health-relevant data:

Too much reliance on notice and consent to protect privacy

The predominant model for protecting privacy involves companies giving individuals notice of, and rights to consent to, uses and disclosures of their data. These “commitments” regarding data are typically found in Privacy Policies and Terms of Service, and consumers are required to acknowledge that they have read and agree to these documents before they are permitted to use an app or a service.

But this model of notice and consent is widely recognized by privacy scholars as being inadequate on its own to protect privacy, particularly with respect to online transactions [68, 69, 70, 71]. Privacy notices and terms of service are famously too long and hard to understand and are frequently missing or inadequate [72]. In an age of “big data,” it is often difficult to predict at the time of data collection all future uses [69]. Individuals too often agree to terms of service without reading them [73]. Companies design technology in ways that “maximize the collection, use, and disclosure of personal information,” challenging the notion that individuals truly can make informed choices online even when they are trying to do so [74]. Reliance on notice and consent also shifts the burden for protecting privacy to the individual, instead of holding institutions and data holders accountable for acting transparently and responsibly with individuals’ data [70]. Further, companies can change their consent policies, and consumers may not be aware of these changes or have little choice but to agree to them to continue using a service [70]. Relying on individual consent to protect privacy also fails to account for others whose interests are often implicated in health data, as some health data (such as genetic information) reveals information about family members [75].

GDPR and new state privacy laws, such as the California Consumer Privacy Act (CCPA), tend to rely on consent (either opt-in or opt-out) for collection and use of data, particularly by commercial companies [76]. Nonetheless, these laws do not appear to have substantially limited the ubiquitous collection and use of personal data in commerce [77].

Overvaluing de-identification or pseudonymization as a privacy measure

Most existing privacy laws and proposed federal bills cover only identifiable information. Consequently, information that has been de-identified, anonymized, or pseudonymized is outside of regulation. Although techniques to reduce identifiability of information lessen privacy risks, they do not reduce the risk to zero. Too often, there is no legal accountability for unauthorized re-identification. For example, HIPAA’s de-identification standard requires data to be at “very low” (not zero) risk of re-identification. Consequently, some risk of re-identification remains, but regulators cannot hold recipients of de-identified data accountable for unauthorized re-identification [78].

More recent privacy laws, such as GDPR and CCPA, appear to have more robust standards for how data qualify as “de-identified” or pseudonymized and no longer subject to regulation. For example, under the CCPA, data that can be linked to a particular person or household, such as through an IP address or advertising identifier, is considered to be covered even if the particular individual is not identified [79]. But because the CCPA is new, it is unclear whether these definitions will be effective at giving consumers more control over robust collection and commercialization of personal data. Further, medical researchers depend on the ability to collect and analyze de-identified data. Amendments have been proposed to the CCPA to assure that the CCPA’s more stringent definition of de-identified data does not create obstacles to the collection and use of information for health and medical research purposes [80].
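The two preceding paragraphs make a point that is easy to state and easy to underestimate: stripping direct identifiers lowers re-identification risk but does not bring it to zero, because the fields a de-identification standard lets through (HIPAA’s Safe Harbor method, for instance, permits year of birth and the first three digits of a ZIP code to remain) can still combine into a fingerprint that is unique in the dataset. The script below is an added example, not code from the paper or its authors. It measures that residual risk on a small constructed table of “Safe Harbor style” records by counting how many records are unique on their quasi-identifiers (the k-anonymity view of the problem), then applies generalization and suppression until no record is unique. The record values, field names and the k target are all invented for the illustration.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample (not real data): rows already reduced to what a Safe
# Harbor style release would leave behind. Direct identifiers are gone, but
# the 3-digit ZIP prefix, year of birth and sex remain alongside a diagnosis
# code. Some combinations occur only once, which is the residual risk the
# paper describes.
RECORDS: List[Dict[str, str]] = [
    {"zip3": "021", "birth_year": "1984", "sex": "F", "dx": "E11"},
    {"zip3": "021", "birth_year": "1984", "sex": "F", "dx": "J45"},
    {"zip3": "021", "birth_year": "1985", "sex": "M", "dx": "I10"},
    {"zip3": "021", "birth_year": "1985", "sex": "M", "dx": "E11"},
    {"zip3": "021", "birth_year": "1985", "sex": "M", "dx": "F32"},
    {"zip3": "021", "birth_year": "1952", "sex": "F", "dx": "C50"},  # unique
    {"zip3": "100", "birth_year": "1984", "sex": "F", "dx": "J45"},
    {"zip3": "100", "birth_year": "1984", "sex": "F", "dx": "I10"},
    {"zip3": "100", "birth_year": "1990", "sex": "M", "dx": "F32"},  # unique
    {"zip3": "100", "birth_year": "1991", "sex": "M", "dx": "E11"},  # unique
]

# Fields an outside party could plausibly know about someone from another
# source (voter rolls, marketing data, a social media profile) and use to
# match a row. These are the quasi-identifiers.
QUASI_IDENTIFIERS: Tuple[str, ...] = ("zip3", "birth_year", "sex")


def equivalence_classes(records: Sequence[Dict[str, str]],
                        keys: Sequence[str]) -> Counter:
    """Group records by their quasi-identifier tuple; the count of each group
    is the size of that equivalence class."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def risk_profile(records: Sequence[Dict[str, str]],
                 keys: Sequence[str]) -> Tuple[int, int, float]:
    """Return (k, number of unique records, fraction of records that are unique).

    k is the smallest equivalence class: the dataset is k-anonymous on `keys`.
    A record in a class of size 1 is singled out by its quasi-identifiers alone,
    so anyone who knows those attributes about a person can locate their row.
    """
    classes = equivalence_classes(records, keys)
    k = min(classes.values())
    uniques = sum(1 for size in classes.values() if size == 1)
    return k, uniques, uniques / len(records)


def generalize_birth_year(record: Dict[str, str]) -> Dict[str, str]:
    """Coarsen year of birth to a decade ("1984" -> "1980s"): a generalization
    step that merges small classes without dropping any rows."""
    coarsened = dict(record)
    coarsened["birth_year"] = record["birth_year"][:3] + "0s"
    return coarsened


def suppress_small_classes(records: Sequence[Dict[str, str]],
                           keys: Sequence[str], k_target: int) -> List[Dict[str, str]]:
    """Drop every record whose equivalence class is still smaller than k_target.
    Suppression is the fallback when generalization alone cannot reach k."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[tuple(r[k] for k in keys)] >= k_target]


def enforce_k_anonymity(records: Sequence[Dict[str, str]],
                        keys: Sequence[str], k_target: int = 2) -> List[Dict[str, str]]:
    """Generalize first, then suppress whatever remains below the target."""
    generalized = [generalize_birth_year(r) for r in records]
    return suppress_small_classes(generalized, keys, k_target)


if __name__ == "__main__":
    # Measured on the constructed rows: 3 of 10 Safe Harbor style records are
    # unique on (zip3, birth_year, sex), so k is 1 even though no name, date or
    # full ZIP is present.
    print("as released:", risk_profile(RECORDS, QUASI_IDENTIFIERS))
    released = enforce_k_anonymity(RECORDS, QUASI_IDENTIFIERS, k_target=2)
    print("after generalization + suppression:",
          len(released), "rows,", risk_profile(released, QUASI_IDENTIFIERS))
```

Two things the numbers show that the prose cannot: uniqueness is a property of the whole release, not of any one field, so a compliance checklist applied field by field will pass a table that is still singling people out; and reaching k ≥ 2 here costs a row of data (the 1952 record has no neighbour even after coarsening to decades), which is the availability-versus-privacy trade the paper keeps returning to. Real assessments compare against population counts rather than counts within the sample, since a combination can be unique in the population even if it repeats in the file.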

Absence of provisions to assure availability of health data for a learning health system

Responsible collection and analysis of health-relevant data are critical to addressing deficiencies in U.S. health and health care. De-siloed data combinable for delivery, research, and public health are needed for coordinated care 81, genomic diagnosis 82, including accurate diagnoses across genetic ancestries 83, comparative effectiveness research 84, post-marketing surveillance 85, data-driven accrual to clinical trials 86, rare disease research ( https://www.rarediseasesnetwork.org/researchers/nih-data-sharing ), public health surveillance 87, early disease detection 88, development of digital biomarkers to manage patients’ care at home 89 or to combat a pandemic 90, and advancing discovery 91. Sometimes inclusion of entire populations is necessary to ensure generalizability of conclusions across diverse patients and to avoid the nonrandom statistical biases that would emerge from opt-in models.

The National Academy of Medicine (then the Institute of Medicine) first proposed a Learning Healthcare System framework in 2007 1, but progress has been slow, in part due to difficulty in accessing and sharing health-relevant data. Data to improve health and health care need to include data sources outside of HIPAA, as much of what happens to influence an individual’s health and wellbeing occurs outside of the doctor’s office or hospital 92. However, most of the proposed bills focus disproportionately on protecting personal data and do little to promote its availability. This shortcoming may be of little import for data not used for health purposes, but it has significant implications for health-relevant data. Ultimately, the U.S. will need a long-term, national solution that addresses both privacy and data availability. Survey data reveal that individuals practice “privacy-protective” behaviors, such as not seeking health care or hiding the truth about health conditions, if they don’t trust that their information will be kept confidential 93.

Recommended protections for health-relevant data to fuel a learning health system

Determining whether there are sufficient protections for data based on whether an entity is or is not covered by HIPAA arguably is no longer the appropriate benchmark. The lack of strong, consistent protections for health data that respond to 21st-century risks could have the “long term effect of reducing the uptake of new innovative technologies” and undermining the promise of digital medicine 18 . At the same time, focusing just on privacy without assuring needed data flows fails to address the compelling need for data to address significant health needs 94 , including the need to address significant disparities in health outcomes based on race and gender. Creation of a learning health system may require a “moral priority on learning,” with active contributions of data from both health care professionals and from patients 95 .

The dual needs in health to both protect individuals and assure data availability to improve individual and population health call for comprehensive policies governing all entities collecting and using health-relevant information whether covered by HIPAA or not. Policymakers need not reinvent the wheel and can draw from HIPAA’s framework, as well as FTC recommendations. Specifically, in 2012, the FTC issued a report, Protecting Consumer Privacy in an Era of Rapid Change (hereinafter “FTC Report”) 96 . The report established recommendations for privacy “best practices” to be adopted by all commercial companies, except smaller companies and those not sharing sensitive data with third parties 96 . Though the report was not focused on health-relevant data and is now eight years old, the best practice recommendations nonetheless provide some noteworthy approaches for establishing enforceable rules and norms for this data.

U.S. policymakers should consider these recommendations in crafting privacy bills. But given the glacial pace of federal legislation, the recommendations below also can inform best practices adopted by companies in the absence of any new federal requirements. These best practices, if publicly attested to by companies already covered by the FTCA, can be enforced by the FTC, for example when a commercial company publicly commits to a data limitation (such as not sharing data except with consent) but does not actually follow that practice 96.

Establish rules for health-relevant data rather than relying just on consent

Although HIPAA has its deficiencies, its overall comprehensive approach has value in considering how to govern health-relevant data, even when collected and used outside of the health care system. For example, HIPAA’s regulations include a role for individual consent but do not push all of the obligations for protecting privacy to the individual, instead creating enforceable boundaries for when and how identifiable information can be used and shared. From its inception, HIPAA’s regulatory framework has recognized that health data must be protected and also made available for treatment, to secure payment, to enable health care institutions and medical practices to conduct operations, for public health, and research purposes.

On the other hand, HIPAA’s drafters established a comprehensive list of required and permitted uses and disclosures to enable data flows typical in a functioning health care system (see Supplementary Discussion ); that list would not necessarily effectively govern data collected, used, and shared by commercial companies outside of healthcare. Lawmakers will need to establish a list of permitted collections, uses, and disclosures that more directly address the privacy risks in the commercial space. Also, there are few, if any, prohibitions on what an entity covered by HIPAA can do with data, as uses or disclosures not expressly permitted can still occur with the written authorization of the individual. To effectively govern commercial companies’ behavior with health-relevant data, lawmakers will need to prohibit uses and disclosures where the privacy risks are significant in comparison to the benefits.

Impose collection, use, and disclosure limitations

In the FTC Report, the Commission recommended that “companies should limit data collection to that which is consistent with the context of a particular transaction or the consumer’s relationship with the business, or as required or specifically authorized by law.” 96 In other words, data collection should be limited to what a consumer might expect, given the context. “Fair Information Practice Principles,” the foundation for information privacy law, include collection limitations as a critical component of protecting data 97 .

However, the concept of “collection limitations” may seem antithetical to the robust health data enterprise that contributes to a learning health system. HIPAA’s regulations contain few limits on whether entities may collect health information, choosing instead to comprehensively regulate how that information can be used and disclosed once an entity covered by HIPAA has it. When HHS first drafted the HIPAA regulations, it may have made sense to disregard collection limitations. HHS was setting ground rules for how a defined set of entities within the health care system could handle data. But as health care entities increasingly collect data on socioeconomic determinants, in some cases beyond what patients might expect 98 , policymakers may want to consider whether collection limitations should be imposed in HIPAA (for example, requiring such collection to be directly connected to addressing individual or population health).

Further, for commercial companies, whose business models revolve around monetization of personal information, some limits on the collection of health-relevant data make sense. For example, the collection of health-relevant data could be prohibited unless the data collection is consistent with consumer expectations and intended to benefit the individual or population health. One bill drafted (but not yet introduced) by Senator Sherrod Brown (D-OH) would prohibit the collection of personal data unless it is “strictly necessary” to provide the good or service sought by the consumer 77.

Uses and disclosures of health-relevant data similarly should be limited to what the consumer would reasonably expect, given the context 70. This maxim also should govern the repurposing of information. For example, technology and telecommunications companies routinely collect geolocation data ( https://www.gravitatedesign.com/blog/what-is-geolocation/ ). Today, governments across the world are seeking or already collecting these data for COVID-19 response activities. These data were not collected for this purpose initially, and consumers likely did not expect them to be used for this purpose. The FTC Report recommends that consumer consent be obtained before collecting, using, or disclosing information in ways not consistent with the context of the consumer’s relationship to the company 96. Given the limitations of relying on consent for protecting privacy, such an approach feels ripe for abuse. Individual consent should be required, but some additional gating criteria may be needed to rein in companies’ tendencies to pursue uses and disclosures of data that enhance the bottom line, do not contribute to improving individual and/or population health, and create privacy risks whose impact is chiefly borne by the consumer.

Assure beneficial uses of health-relevant data

Federal policies should also assure that data are available to be used ethically to address health system improvements. Of note, one of the federal bills pending before Congress, the Data Care Act 99, would impose duties of “care, loyalty, and confidentiality” on online service providers that collect individual identifying information, detailing specific requirements and prohibitions under each of the three categories (see Supplementary Discussion). This approach is appealing for governing health-relevant data, but the categories are so broadly worded that it is unclear it would result in beneficial uses of these data consistently across all data holders. Though allowable under HIPAA, the sale of “de-identified” data by covered entities is another flashpoint in an expanding debate 100, which suggests that policies governing health-relevant data should address de-identified as well as identifiable data.

Companies collecting, using or disclosing health-relevant data (identifiable and de-identified) could be required to establish independent data ethics review boards. Such boards would evaluate proposed data projects for legal and ethical implications as well as the potential to improve health or the health care system 101. Such boards could be similar to Institutional Review Boards (IRBs), which provide ethical review of proposals for research on human subjects under the federal Common Rule 102. However, data ethics review boards should focus more on privacy than interventional risk and include members with substantial privacy expertise. Today, the Common Rule does not require IRB review of research using data that are not identifiable and provides exemptions (including rapid review by one or two members of the IRB) for research using identifiable data 103. Further, data ethics review boards could evaluate uses and disclosures beyond just those for research.

This approach provides no magic bullet. Notably, IRBs have not been a panacea for assuring the ethical conduct of human subjects research. The proposed data ethics review boards similarly would need to be established with safeguards against industry capture and conflicts of interest and should not be viewed as a comprehensive solution. For such boards to be effective, they must have independence from the company and ideally include outsiders, such as consumers and experts. Facebook recently announced the establishment of an independent Oversight Board to achieve “fair decision-making” concerning the removal of unacceptable content on the site. Among the Board’s authorities are to “instruct” Facebook to allow or remove content and “interpret” Facebook’s Community Standards and other policies “in light of Facebook’s articulated values” 104 . Of note, Facebook relied on a provision in Delaware law, the Purpose Trust Statute, to assure the Board was independent of Facebook 105 . However, notwithstanding this unique (and expensive) endeavor by Facebook, there is little evidence that this Board has made a difference in assuring better decision-making with respect to content on the site 106 . Similarly, Google dismantled its ethics board intended to “guide responsible development of AI [artificial intelligence]” at Google shortly after it was established due to controversy over its membership 107 .

In another example, GDPR requires a Data Protection Impact Assessment, and in some cases regulatory review, for certain high-risk processing activities, such as health data processed in large numbers 43 . Similarly, U.S. federal agencies are required to conduct Privacy Impact Assessments “for all new or substantially changed technology” that collects, maintains, or disseminates personally-identifying information ( https://www.archives.gov/privacy/privacy-impact-assessments ). Such assessments could be valuable if subject to independent, objective review and not merely check-the-box exercises.

“Data trusts” or “civic trusts” also have been proposed as legal mechanisms for assuring that companies use and disclose consumers’ personal data for the benefit of consumers, even after a change in company strategy or sale of the company 108 . Consumer data trusts have been defined as “intermediaries that aggregate consumers’ interests and represent them vis-à-vis data-using organizations” 109 . By aggregating consumer interests, consumer trusts would have bargaining power to negotiate better terms of data use and disclosure than could be achieved by any individual consumer 109 . Existing laws giving individuals the right to copies of their information (for example, HIPAA, CCPA, and GDPR) could help facilitate the establishment of these trusts, as individuals could direct copies of their personal data to be held and managed therein. Common to the different versions of data trusts is the use of trust law to help assure that commitments regarding how data can be accessed, used, and disclosed are honored. But trusts also can be established to protect private interests; consequently, the ability of a data trust to assure only responsible uses of data depends on what terms and conditions are established for use and disclosure of the data, and who establishes those rules.

Another option is to require companies collecting or processing health or health-relevant data to adhere to additional oversight and requirements. The province of Ontario, Canada, permits data custodians to disclose personal health information for health system improvement purposes. However, custodians may disclose information only to entities approved by the Privacy Commissioner as having adequate practices and procedures to protect privacy and maintain confidentiality 110. In a variation on that theme, health data collection and processing could be limited to entities that demonstrate (through periodic audits) that they meet ethical, privacy, and security standards. Companies collecting health-relevant data also could be required to segment or “firewall” their health business from other aspects of the company.

Health system entities customarily rely on “data use agreements” to bind recipients of health data to contractual commitments regarding the use of that data. Such agreements often include prohibitions on further uses and disclosures and, in the case of de-identified information, commitments not to re-identify individuals in the dataset. HIPAA requires a data use agreement when a “limited data set” (data stripped of 16 common identifiers) is used or disclosed for routine health care operations, public health, or research 111 . Data use agreements also may be voluntarily adopted when sharing even de-identified data, as an additional measure of protection adopted by the disclosing entity. However, such agreements are not a scalable solution to protecting health-relevant data. They depend on the parties to the contract to agree to responsible terms (often difficult where the data recipient has greater bargaining power), and those terms can only be enforced by the parties to the contract. While such contracts can be protective, they can also be vehicles for protecting data as a proprietary asset, which can limit the availability of data even for potentially beneficial uses.

Increase transparency and choice around health data uses and disclosures

Although notice and consent should not be the cornerstone for privacy, individuals still want and should have notice of, and some choice about, collection, use, and disclosure of health-relevant information ( https://ogury.com/blog/how-consumers-really-feel-about-their-privacy-and-data/ ). The FTC Report called for “simplified choice,” with clearer, shorter, and more standardized privacy notices, in circumstances where the data collection, use, and sharing is beyond what consumers would ordinarily expect or involves sensitive data 96 . For example, companies can improve notice and choice through layered notice and use of visuals to improve comprehension 112 , 113 .

But even if consent is not sought for a particular use or disclosure, either because it is within consumer expectations or is mandated or authorized by law, companies should still be required to be transparent about data uses and disclosures ( https://bankingjournal.aba.com/2019/06/study-consumers-increasingly-concerned-with-data-security-privacy/ ). As demonstrated by the public reaction to Google’s arrangements with Ascension Health System, greater transparency of health data uses and disclosures appears important to engendering public trust in digital medicine technologies.

Even within traditional health care, there is a need for greater communication about health-relevant data uses and disclosures. The National Research Council report on Precision Medicine emphasizes that it is patients who “uniquely understand the potential value of a social contract in which patients both contribute personal clinical data and benefit from the knowledge gained through the collaboration” 114. When patients consent to care and treatment, physicians, hospitals, and health systems should consider entering into a compact with them such that data and biospecimens captured as a byproduct of the care delivery system can be aggregated and linked for use in a learning health system. Both consent-to-treat documents and the notice of privacy practices provided to patients should explicitly outline the compact 82.

Strengthen remedies for harms

Ideally, protections for health-relevant data should go beyond addressing privacy and also address the potential for harm. Historically, U.S. policymakers have treated discrimination (for example, through the enactment of provisions in the Affordable Care Act prohibiting discrimination in health insurance based on health status or history) separately from privacy. However, in many respects privacy and nondiscrimination can collectively help create public trust in the collection, use, and sharing of health-relevant data 115. The Genetic Information Nondiscrimination Act (GINA) is one model of a combined privacy and antidiscrimination law 116. For example, GINA prohibits employers from collecting genetic information (protecting privacy) and prohibits employers from discriminating based on genetic information. Because health-relevant data can be collected and used for benefit and harm (compare using information to target scarce health care resources toward individuals and populations most in need with using that same information to avoid enrolling individuals and populations likely to be more costly and difficult to treat), it is critically important that policies not only focus on controls over health-relevant data but also address and minimize the opportunities for information to be used in ways that harm individuals and populations.

What may be needed are stronger protections against discrimination, for example discrimination in health and health-related insurance (such as disability insurance), and protections against harmful employer uses of health-relevant information. The Affordable Care Act, which prohibits discrimination in the provision of health insurance (except with respect to information on smoking status), is perceived to be on shaky ground due to persistent opposition from a number of Republican policymakers ( https://www.bbc.com/news/world-us-canada-24370967 ), and there are no federal protections for disability and life insurance. Similarly, the Americans with Disabilities Act provides employment protections for individuals with disabilities, but these protections do not extend to health information collected about persons who do not meet the definition of an individual with a disability 117.

In protecting against potential “harms” of data use, policymakers also need to consider the chilling effect that law enforcement access to data will have on the willingness of individuals, particularly marginalized populations, to have their data collected and used for “learning” purposes. Data for Black Lives is “committed to the mission of using data science to create concrete and measurable change in the lives of Black people,” recognizing that data has “tremendous potential to empower communities of color,” while at the same time data is too often “wielded as an instrument of oppression, reinforcing inequality and perpetuating injustice” ( https://d4bl.org/about.html ). Privacy laws often contain exemptions for access to data by law enforcement. For example, HIPAA allows law enforcement access to data based on an “administrative request” if the information sought is “relevant and material to a legitimate law enforcement inquiry,” limited in scope, and requiring identifiable (vs. de-identified) information 118. HIPAA also allows entities to release certain medical information to law enforcement, including name, address, blood type, and physical characteristics, to identify or locate a suspect, fugitive, witness or missing person 119. For entities not covered by HIPAA, company commitments may provide the only assurance that law enforcement access to data will be required to meet probable cause standards, as determined by a neutral authority (such as a court), absent stronger protections in applicable state law. Police recently caught the Golden State Killer by matching DNA found at a crime scene with DNA in a free online genetic database used by one of his relatives. Although this information helped police to resolve 12 murders and at least 45 rapes committed in California between 1976 and 1986, the potential for law enforcement access to online health-relevant databases may deter individuals from using these tools 120.

In developing its 2012 report, the FTC expressly rejected calls for a “harm-based” model of privacy that focuses only on protecting consumers from harms like “physical security, economic injury, and unwanted intrusions into their daily lives.” 96 The FTC’s contention was that such a model would fail to recognize “a wider range of privacy-related concerns, including reputational harm or the fear of being monitored.” 96 Feelings of risk and anxiety also are among the harms suffered by individuals whose data are breached 121. Rules-based privacy regimes like HIPAA instead create enforceable expectations regarding how health data must be handled, without regard to whether or not individuals or populations suffer any cognizable harm when organizations don’t follow the rules. In addition to addressing discrimination harms, policymakers should also consider addressing more traditional privacy harms (for example, breaches of health information). In enforcing HIPAA, OCR considers whether a HIPAA violation harmed individuals in determining the level of civil monetary penalty it will pursue 122. Through HITECH, Congress amended the HIPAA Privacy Rule to require HHS to establish a mechanism to enable individuals “harmed” by HIPAA violations to receive a portion of any civil monetary penalties or settlements imposed or reached by HHS. However, HHS has yet to act on this measure 13.

Harm should not be the linchpin of privacy regulation; but addressing harm should be a component, particularly for health-relevant data given its sensitivity. One interesting example is a privacy tax on data collectors and processors that could fund a no-fault compensation program for privacy harms 123 . Companies also could be required to establish funds to compensate harms, with broad recognition of the types of privacy harms that can occur due to unauthorized or unethical uses or disclosures of data 123 .

Maintain incentives to use and disclose data which are less identifiable—but refrain from treating these data as zero risk

In general, information at low or very low risk of re-identification is typically not subject to privacy laws and consequently is not regulated. Such an approach leaves privacy risk on the table; however, relaxing regulations on data at very low risk of re-identification provides incentives for entities to collect, use, and disclose data with fewer privacy risks. Experience with HIPAA’s rules for de-identification suggests that if the law sets clear and achievable standards for de-identification, entities will leverage de-identified data for public health, research, and business analytics. On the other hand, anger and frustration over commercialization of HIPAA de-identified health data appears to be increasing—and some entities are responding to those concerns 124 . For example, one renowned medical center has recently adopted an ethical framework for sharing even de-identified data and biospecimens with external entities, including commercial companies 125 .

Regulation of health-relevant data should provide incentives for the use and disclosure of that data in less identifiable forms. However, given that this data will still retain some residual risk of re-identification, this data should be subject to some regulation. For example, civil monetary penalties should be imposed for unauthorized re-identification of de-identified data and criminal penalties for intentional re-identification. But merely controlling for risk of re-identification will not be sufficient to garner consumer trust in how companies handle their health-relevant data, even if it is “de-identified.” Companies should be required to be transparent about the uses and disclosures of de-identified data and to identify the general methodologies used for de-identification. Because consent is not sufficiently protective of privacy, uses and disclosures of de-identified data also could be subject to ethics board review.

To fully realize the potential of digital data and digital medicine, and to advance U.S. health and healthcare toward becoming a rapid learning system, the U.S. will need comprehensive privacy and security protections for health data regardless of where the data are collected or maintained. At the same time, such health protections must also encourage responsible uses and disclosures. The COVID-19 pandemic shines a spotlight on this problem, but COVID-19 is far from the only health issue that more robust access to data could help address. And in the aftermath of COVID-19, as health threats ease, re-equilibrating around access to health care data will be an essential conversation. To date, the privacy bills introduced focus more on protecting health-relevant data than on assuring its appropriate use. Also, proposed measures for protecting data rely too much on notice and consent and on de-identification of data as protections.

What is needed is a multi-pronged approach that implements strong privacy protections but also includes accountability even for uses of so-called “de-identified” or anonymized data and addresses the potential for harm to individuals and populations. Such measures should also assure the availability of health-relevant data for societal benefit and to support a learning healthcare system. Such a transformation could not be more important and urgent, as U.S. healthcare adapts to the impact of a global pandemic, struggles to care for an aging population, faces a diminishing primary care workforce, and continues to have the highest expenditures in the world despite often having poorer health outcomes. Innovative and pervasive use of data must underpin any substantial transformation.

Data availability

This paper is not original research involving data collection. Hence, there is no research data to make available.

References

The Learning Healthcare System: Workshop Summary (The National Academies Press, Washington, DC, 2007).

Gottlieb, L., Sandel, M. & Adler, N. Collecting and applying data on social determinants of health in health care settings. JAMA Intern Med. 173 , 1017–1020 (2013).


Kuraitis, V. & McGraw, D. Health Data Outside HIPAA: The Wild West of Unprotected Personal Data. The Healthcare Blog. https://thehealthcareblog.com/blog/2019/08/12/health-data-outside-hipaa-the-wild-west-of-unprotected-personal-data/ . Accessed 12 Aug 2019.

NY Times. The Privacy Project. https://www.nytimes.com/interactive/2019/opinion/internet-privacy-project.html (series of articles, June 2019 to Feb. 2020).

What They Know. Wall St. J. https://www.wsj.com/news/types/what-they-know (series of articles, 27 Feb 2011 to 23 Dec. 2012).

Cohen, I. G. & Mello, M. M. Big data, big tech, and protecting patient privacy. JAMA 322 , 1141–1142 (2019).

U.S. Department of Health and Human Services. Report to Congress: Report on Health Information Blocking. https://www.healthit.gov/sites/default/files/reports/info_blocking_040915.pdf . Accessed 20 Apr 2015.

Finley, D. About 60 Health Systems are Siding with Epic Systems Against HHS Proposed Data-sharing Rules. https://www.businessinsider.com/60-health-systems-epic-systems-hhs-2020-2 . Accessed 06 Feb 2020.

Weber, G. M., Mandl, K. D. & Kohane, I. S. Finding the Missing Link for Big Biomedical Data. JAMA 311 , 2479–2480 (2014).


Chess, E. Step Aside, Biomarkers. Look to the Bank Account for Early Signs Of Dementia. https://www.statnews.com/2019/12/05/dementia-early-warning-check-bank-accounts-not-biomarkers/ . Accessed 05 Dec 2019.

Parker-Pope, T. Keeping Score on How You Take Your Medicine. The NY Times. https://well.blogs.nytimes.com/2011/06/20/keeping-score-on-how-you-take-your-medicine/ . Accessed 20 Jun 2011.

Health Insurance Portability and Accountability Act. Public Law No. 104-191, 110 Stat. 1938 (1996).

Health Information Technology for Economic and Clinical Health Act (HITECH). Public Law No. 111-5, 123 Stat. 226 (Feb. 17, 2009).

Code of Federal Regulations title 45, § 160.103 (definition of health information).

Price, W. N. & Cohen, I. G. Privacy in the Age of Medical Big Data. Nat. Med. 25, 37–43 (2019).

National Committee on Vital and Health Statistics (NCVHS). Health Information Privacy Beyond HIPAA: A Framework for Use and Protection (A Report for Policy Makers). https://ncvhs.hhs.gov/wp-content/uploads/2019/07/Report-Framework-for-Health-Information-Privacy.pdf . Accessed 18 Jun 2019.

U.S. Department of Health & Human Services. Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA. https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf . Accessed 17 Jun 2016.

Forbrukerrådet. Out of Control: How Consumers are Exploited by the Online Advertising Industry. https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf . Accessed 14 Jan 2020.

Test-Achats. Nutrition And Health Applications Do Not Respect Privacy . https://www.test-achats.be/action/espace-presse/communiques-de-presse/2020/food-and-health-apps# . Accessed 23 Jan 2020.

Huckvale, K., Torous, J., & Larsen, M. Assessment of the Data Sharing and Privacy Practices of Smartphone Apps For Depression And Smoking Cessation . JAMA Network Open. https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2730782 (2019).

Public Law 114-255. 130 Stat. 1033, Sections 4003–4004.

Federal Register vol. 85 25642-25961. Accessed 01 May 2020.

Mandl, K. D., Mandel, J. C. & Kohane, I. S. Driving Innovation in Health Systems Through an Apps-Based Information Economy. Cell Syst. 1 , 8–13 (2015).


Mandl, K. D. et al. Push Button Population Health: The SMART/HL7 Bulk Data Access Application Programming Interface. npj Digit. Med. 3 , 151 (2020).

Mandl, K. D. & Kohane, I. S. A 21st Century Health IT System: Creating a Real-World Information Economy. N. Engl. J. Med. 376 , 1905–1907.

Federal Register vol. 85 no. 85. 25510-25640. Accessed 01 May 2020.

Roth, M. Special Report: Epic Uproar Exposes Conflict Between Data Privacy and Innovation. Health Leaders Media . https://www.healthleadersmedia.com/innovation/special-report-epic-uproar-exposes-conflict-between-data-privacy-and-innovation . Accessed 11 Feb 2020.

Mandl, K. D. & Kohane, I. S. Epic’s call to block a proposed data rule is wrong for many reasons. Stat News . https://www.statnews.com/2020/01/27/epic-block-proposed-data-rule/ . Accessed 20 Jan 2020.

Mandl, K. D. & Kohane, I. S. Data Citizenship under the 21st Century Cures Act. N. Engl. J. Med. 382, 1781–1783 (2020). March 11.

U.S. Code title 15, §45.

U.S. Code title 15, §45(a)(2).

Solove, D. J. & Hartzog, W. The FTC and the New Common Law of Privacy. Col. Law Rev. 114 , 583–676 (2014).


U.S. Department of Health and Human Services. Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA. https://www.healthit.gov/sites/default/files/non-covered_entities_report_june_17_2016.pdf . Accessed 17 Jun 2016.

Mandl, K. D. & Kohane, I. S. Time for a Patient-Driven Health Information Economy? N. Engl. J. Med. 374 , 205–208 (2016). January 21.

Wagner, J. K. The Federal Trade Commission and Consumer Protections for Mobile Health Apps. J. Law, Med. Ethics 48 , 103–114 (2020). April 28.

Terry, N. Assessing the thin regulation of consumer-facing health technologies. J. Law, Med. Ethics 48 , 94–102 (2020).

Coldewey, D. 9 Reasons the Facebook FTC Settlement is a Joke . Techcrunch . https://techcrunch.com/2019/07/24/9-reasons-the-facebook-ftc-settlement-is-a-joke/ . Accessed 24 Jul 2019.

Olen, H. Why Facebook’s $5 Billion Settlement With the Ftc Won’t Change A Thing . Wash Post . https://www.washingtonpost.com/opinions/2019/07/25/why-facebooks-billion-settlement-with-ftc-wont-change-thing/ . Accessed 25 Jul 2019.

Congressional Research Service. Data Protection Law: An Overview . https://fas.org/sgp/crs/misc/R45631.pdf . Accessed 25 Mar 2019.

U.S. Department of Health and Human Services. Privacy and Security Solutions for Interoperable Health Information Exchange — Report on State Law Requirements for Patient Permission to Disclose Health Information . https://www.healthit.gov/sites/default/files/disclosure-report-1.pdf . Accessed Aug 2009.

Baum, S. Navigating State Patient Data Privacy Laws Will Only Get More Challenging . MedCity News . https://medcitynews.com/2018/11/navigating-state-patient-data-privacy-laws-will-only-get-more-challenging/ . Accessed 13 Nov 2018.

Craig, D. What You Need To Know About Hipaa And Your State’s Laws. https://blog.sprucehealth.com/need-know-hipaa-states-laws/ . Accessed 10 Oct 2016.

EU, General Data Protection Regulation (GDPR) OJ 2016 L119/1.

Butler, M. Is HIPAA outdated? While coverage gaps and growing breaches raise industry concern, others argue HIPAA is still effective. J. AHIMA 88, 52 (2017).

Tanner, A. Our Bodies, Our Data: How companies make billions selling our medical records (Beacon Press, Boston, 2017).

Robbins, R. Contract offers unprecedented look at Google deal to obtain patient data from the University of California. Stat News . https://www.statnews.com/2020/02/26/patient-data-contract-google-university-of-california/ . Accessed 26 Feb 2020.

Rosenbaum, L. Google Health Exec Defends Controversial Partnership With Ascension: ‘We’re Super Proud of It.’ Forbes. https://www.forbes.com/sites/leahrosenbaum/2020/01/14/google-health-exec-defends-controversial-partnership-with-ascension-were-super-proud-of-it/#69dd0116a3be . Accessed 14 Jan 2020.

Landi, H. Providence St. Joseph Health, Microsoft form strategic alliance to leverage cloud, AI technology. Fierce Healthcare. https://www.fiercehealthcare.com/tech/providence-st-joseph-health-microsoft-form-strategic-alliance-to-leverage-cloud-ai-technology . Accessed 08 Jan 2019.

Jahns, I. ‘For the benefit of all’: Mayo partners with Amazon, Microsoft and others in the fight against COVID-19. MedCityBeat. https://www.medcitybeat.com/news-blog/2020/for-the-benefit-of-all-mayo-partners-with-amazon-microsoft-and-others-in-fight-against-covid-19 . Accessed 26 Mar 2020.

Wachter, R. & Cassel, C. Sharing Health Data with Digital Giants: Overcoming Obstacles and Reaping Benefits While Protecting Patients. JAMA 323 , 507–508 (2020).

Smith, E. The Techlash Against Amazon, Facebook And Google – And What They Can Do. Economist. https://www.economist.com/briefing/2018/01/20/the-techlash-against-amazon-facebook-and-google-and-what-they-can-do . Accessed 20 Jan 2018.

Davis, J. Facebook Accused Of Exposing User Health Data In Complaint to FTC . Health IT News . https://healthitsecurity.com/news/facebook-accused-of-exposing-user-health-data-in-ftc-complaint . Accessed 20 Feb 2019.

Nakashima, R. A. P. Exclusive: Google tracks your movements, like it or not. Associated Press . https://apnews.com/828aefab64d4411bac257a07c1af0ecb . Accessed 13 Aug 2018.

Zuboff, S. Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (PublicAffairs, New York, 2019).

Anonymous. I’M The Google Whistleblower. The Medical Data Of Millions Of Americans Is At Risk . The Guardian . https://www.theguardian.com/commentisfree/2019/nov/14/im-the-google-whistleblower-the-medical-data-of-millions-of-americans-is-at-risk. Accessed 14 Nov 2019.

Garcia, A. Google’s ‘Project Nightingale’ center of Federal inquiry. https://www.cnn.com/2019/11/12/tech/google-project-nightingale-federal-inquiry/index.html . Accessed 15 Nov 2019.

U.S. Department of Health and Human Services. HIPAA and COVID-19. https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html . Accessed 12 Jun 2020.

Mostashari, F. & McClellan, M. Data Interoperability and Exchange to Support COVID-19 Containment . https://healthpolicy.duke.edu/sites/default/files/atoms/files/data_interoperability_and_exchange_to_support_covid-19_containment_final.pdf. Accessed 01 May 2020.

Gebhart, G. Verily’s COVID-19 Screening Website Leaves Privacy Questions Unanswered . https://www.eff.org/deeplinks/2020/03/verilys-covid-19-screening-website-leaves-privacy-questions-unanswered . Accessed 25 Mar 2020.

Watson, C., Cicero, A., Blumenstock, J., & Fraser, M. A National Plan to Enable Comprehensive COVID-19 Case Finding and Contact Tracing in the U.S. https://www.centerforhealthsecurity.org/our-work/pubs_archive/pubs-pdfs/2020/200410-national-plan-to-contact-tracing.pdf . Accessed 10 Apr 2020.

Vogelstein, F. & Knight, W. Health Officials Say ‘No Thanks’ to Contact Tracing Tech . Wired . https://www.wired.com/story/health-officials-no-thanks-contact-tracing-tech/ . Accessed 08 May 2020.

O’Neill, P. H., Ryan-Mosley, T. & Johnson, B. A Flood Of Coronavirus Apps Are Tracking Us. Now It’s Time To Keep Track Of Them . MIT Tech Rev . https://www.technologyreview.com/2020/05/07/1000961/launching-mittr-covid-tracing-tracker/ . Accessed 07 May 2020.

Holmes, A. Take A First Look At Apple And Google’s Ambitious New Covid-19 Contact Tracing Technology That Will Send You A Notification If You Were Near Someone Who Has The Coronavirus. Bus Insider . https://www.businessinsider.com/apple-google-covid-19-contact-tracing-smartphone-screenshots-2020-5 . Accessed 04 May 2020.

Morrison, S. Apple and Google look like problematic heroes in the pandemic . Vox . https://www.vox.com/recode/2020/4/16/21221458/apple-google-contact-tracing-app-coronavirus-covid-privacy . Accessed 16 Apr 2020.

Newton, C. Why Countries Keep Bowing To Apple And Google’s Contact Tracing App Requirements. The Verge . https://www.theverge.com/interface/2020/5/8/21250744/apple-google-contact-tracing-england-germany-exposure-notification-india-privacy. Accessed 08 May 2020.

Nanos, J. Every Step You Take: How Companies Use Geolocation Data To Target You – And Everyone Around – In Ways You’re Not Even Aware Of. Boston Globe. https://apps.bostonglobe.com/business/graphics/2018/07/foot-traffic/ . Accessed 20 Jun 2020.

O'Connor, J. & Matthews, G. Informational Privacy, Public Health, and State Laws. Am. J. Public Health 101 , 1845–1850 (2011).

Hartzog, W. & Richards, N. It’s Time to Try Something Different On Internet Privacy . Wash Post . https://www.washingtonpost.com/opinions/its-time-to-try-something-different-on-internet-privacy/2018/12/20/bc1d71c0-0315-11e9-9122-82e98f91ee6f_story.html?noredirect=on . Accessed 20 Dec 2018.

Cate, F. H. & Mayer-Schönberger, V. Notice and Consent in a World of Big Data . https://www.repository.law.indiana.edu/facpub/2662 (2013).

Nissenbaum, H. A. contextual approach to privacy online. Daedalus 140 , 32–48 (2011).

Pasquale, F. Redescribing health policy: the importance of information policy. Houst. J. Health Law Policy 14 , 95–128 (2014).

Sunyaev, A., Dehling, T., Taylor, P. L. & Mandl, K. D. Availability and quality of mobile health app privacy policies. J. Am. Med. Inform. Assoc. 22, 28–33 (2015). April.

Berreby, D. Click to Agree With What? No One Reads Terms Of Service, Studies Confirm. The Guardian . https://www.theguardian.com/technology/2017/mar/03/terms-of-service-online-contracts-fine-print . Accessed 03 Mar 2017.

Hartzog, W. Privacy’s Blueprint: The Battle to Control the Design of New Technologies (Harvard University Press, Cambridge, 2018).

McGuire, A. L. et al. Confidentiality, privacy, and security of genetic and genomic test information in electronic health records: points to consider. Genet. Med. 10 , 495–499 (2008).

Brumfield, C. 11 New State Privacy And Security Laws Explained: Is Our Business Ready ? CSO. https://www.csoonline.com/article/3429608/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html . Accessed 08 Aug 2019.

Fowler, G. Nobody Reads Privacy Policies. This Senator Wants Lawmakers To Stop Pretending We Do . Wash Post. https://www.washingtonpost.com/technology/2020/06/18/data-privacy-law-sherrod-brown/ . Accessed 18 Jun 2020.

McGraw, D. Building public trust in uses of Health Insurance Portability and Accountability Act de-Identified data. J. Am. Med Inform. Assn 20 , 29–34 (2013).

Title 1.81.5 of Part 4 of Division 3 of the California Civil Code (Section 1798.100 et seq.) at 1798.140(o).

Doddi, D. & Gottlieb, D. California Bill Proposes CCPA Exceptions for HIPAA De-identified Information, Other Health data. JD Supra . https://www.jdsupra.com/legalnews/california-bill-proposes-ccpa-34045/ (Jan 17, 2020).

Anderson, A. C. & Chen, J. ACO Affiliated Hospitals increase implementation of care coordination strategies. Med. Care 2019 , 300–304 (2019).

Mandl, K. D. & Bourgeois, F. T. The Evolution of patient diagnosis: from art to digital data-driven science. JAMA 318 , 1859–1860 (2017).

Manrai, A. K. et al. Genetic misdiagnoses and the potential for health disparities. N. Eng. J. Med. 375 , 655–665 (2016).

Collins, F. S., Hudson, K. L., Briggs, J. P. & Lauer, M. S. PCORnet: turning a dream into reality. J. Am. Med. Inform. Ass’n 21 , 576–577 (2014).

Califf, R. The Patient-Centered Outcomes Research Network: a national infrastructure for comparative effectiveness research. N. C. Med. J. 75 , 204–210 (2014).


Visweswaran, S. et al. Accrual to Clinical Trials (ACT): a clinical and translational science award consortium network. J. Am. Med Inform. Ass’n Open 1 , 147–152 (2018).

Platt, R. et al. The FDA sentinel initiative–an evolving national resource. N. Engl. J. Med. 379 , 2091–2093 (2018).

Mandl, K. D. et al. Implementing syndromic surveillance: a practical guide informed by the early experience. J. Am. Med. Inform. Ass’n 11 , 141–150 (2004).

Coravos, A., Khozin, S. & Mandl, K. Developing and adopting safe and effective digital biomarkers to improve patient outcomes. npj Digit. Med. 2, 14 (2019).

Hale, C. Fitbit Posts Early Findings Showing Its Trackers Can Identify Cases Of Covid-19 Before Symptoms Take Hold. Fierce Biotech. https://www.rarediseasesnetwork.org/researchers/nih-data-sharing . Accessed 19 Aug 2020.

Mandl, K. D. & Kohane, I. S. Federalist principles for healthcare data networks. Nat. Biotechnol. 33 , 360–363 (2015).

Quinn, M. The future of healthcare is outside the doctor’s office. https://www.governing.com/topics/health-human-services/gov-community-health-workers.html (2017). Accessed 7 Apr 2020.

McGraw, D., Dempsey, J. X., Harris, L. & Goldman, J. Privacy as enabler, not an impediment: building trust into healthcare information exchange. Health Aff. 28 , 416–427 (2009).

Pasquale, F. Grand Bargains for Big Data: The Emerging Law of Health Information. Md. Law Rev. 72 , 682–772 (2013).

Faden R. R. et al. An Ethics Framework for a Learning Health Care System: A Departure from Traditional Research Ethics and Clinical Ethics . Hastings Ctr Special Report: Ethical Oversight of Learning Health Care Systems S16–S27 (Jan–Feb 2013).

FTC Report. Protecting Consumer Privacy In An Era Of Rapid Change: Recommendations For Businesses And Policymakers. https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf . Accessed Mar 2012.

Gellman, R. Fair Information Practices: A Basic History. https://bobgellman.com/rg-docs/rg-FIPshistory.pdf . Accessed 07 Oct 2019.

Millenson, M. Big Data on Social Determinants: Improved Health and Unaddressed Privacy Concerns. https://catalyst.nejm.org/doi/full/10.1056/CAT.18.0161 . Accessed 05 Jun 2018.

S.3744. Data Care Act of 2018. https://www.congress.gov/bill/115th-congress/senate-bill/3744 . Accessed 12 Dec 2018.

Farr, C. Hospital Execs Say They Are Getting Flooded With Requests For Your Health Data . CNBC. https://www.cnbc.com/2019/12/18/hospital-execs-say-theyre-flooded-with-requests-for-your-health-data.html . Accessed 18 Dec 2019.

Parasidis, E., Pike, E. & McGraw, D. A Belmont Report for Health Data. N. Engl. J. Med 380 , 1493–1495 (2019).

U.S. Department of Health and Human Services, Office for Human Research Protections. Federal Policy for the Protection of Human Subjects (‘Common Rule’) . https://www.hhs.gov/ohrp/regulations-and-policy/regulations/common-rule/index.html . Accessed 18 Mar 2016.

Menikoff, J., Kaneshiro, J. & Pritchard, I. The Common Rule, Updated. N. Engl. J. Med. 375 , 613–615 (2017).

Facebook Oversight Board Charter . https://about.fb.com/wp-content/uploads/2019/09/oversight_board_charter.pdf . Accessed 23 Jun 2020.

Thomas, V. C., Duda, J. P. & Maurer, T. G. Independence With A Purpose: Facebook’s Creative Use Of Delaware’s Purpose Trust Statute To Establish Independent Oversight . https://businesslawtoday.org/2019/12/independence-purpose-facebooks-creative-use-delawares-purpose-trust-statute-establish-independent-oversight/ . Accessed 17 Dec 2019.

Sullivan, M. Facebook Has A Huge Truth Problem. A High-priced ‘Oversight Board’ Won’t Fix It . Wash Post. https://www.washingtonpost.com/lifestyle/media/facebook-has-a-huge-truth-problem-a-high-priced-oversight-board-wont-fix-it/2020/05/14/c5b53cba-95d9-11ea-9f5e-56d8239bf9ad_story.html?utm_campaign=wp_post_most&utm_medium=email&utm_source=newsletter&wpisrc=nl_most . Accessed 14 May 2020.

Piper, K. Exclusive: Google Cancels Ai Ethics Board In Response To Outcry . Vox . https://www.vox.com/future-perfect/2019/4/4/18295933/google-cancels-ai-ethics-board . Accessed 04 Apr 2019.

McDonald, S. The Civic Trust. Medium. https://medium.com/@McDapper/the-civic-trust-e674f9aeab43 . Accessed 04 Aug 2015.

Stiftung Neue Verantwortung. Designing Data Trusts—Why We Need to Test Consumer Data Trusts Now. https://www.stiftung-nv.de/en/publication/designing-data-trusts-why-we-need-test-consumer-data-trusts-now . Accessed 23 Jun 2020.

Information and Privacy Commissioner/Ontario. A Guide to the Personal Health Information Protection Act . https://www.ipc.on.ca/wp-content/uploads/Resources/hguide-e.pdf . Accessed Dec 2004.

Code of Federal Regulations, title 45 § 164.514(e)(4).

Schaub, F., Balebako, R., Durity, A. L. & Cranor, L. F. A Design Space For Effective Privacy Notices. 2015 Symposium On Usable Privacy and Security (SOUPS). https://www.ftc.gov/system/files/documents/public_comments/2015/10/00038-97832.pdf . Accessed 22–24 Jul 2015.

Kay, M. & Terry, M. Textured Agreements: Re-envisioning Electronic Consent. 2010 Symposium On Usable Privacy And Security (SOUPS) . http://hci-web.cs.uwaterloo.ca/sites/default/files/soups_2010_textured.pdf . Accessed 14–16 Jul 2010.

National Research Council of the National Academies. Toward Precision Medicine: Building a Knowledge Network for Biomedical Research and a New Taxonomy of Disease (National Academies Press, Washington, DC, 2011).

Roberts, J. L. Protecting Privacy to Prevent Discrimination. Wm. Mary L. Rev. 56 , 2097–2174 (2015).

Genetic Information Nondiscrimination Act. Pub. L. 110-233, 122 Stat. 881 (21 May 2008).

U.S. Department of Justice, Civil Rights Division, Disability Rights Section. A Guide to Disability Rights Laws. https://www.ada.gov/cguide.htm#:~:text=Americans%20with%20Disabilities%20Act%20(ADA,to%20the%20United%20States%20Congress . Accessed Feb 2020.

Code of Federal Regulations, title 45 §164.512(f)(1)(C).

Code of Federal Regulations, title 45 §164.512(f)(2).

Guerrini, C. J., Robinson, J. O., Petersen, D. & McGuire, A. L. Should police have access to genetic genealogy databases? Capturing the Golden State Killer and other criminals using a controversial new forensic technique. PLOS Biol. https://doi.org/10.1371/journal.pbio.2006906 (2018).

Solove, D. & Citron, D. K. Risk and anxiety: a theory of data-breach harms. Tex. Law Rev. 96 , 737–786 (2018).

Code of Federal Regulations, title 45 §160.408(b).

Edwards, L. Reconstructing consumer privacy protection on-line: a modest proposal. Int. Rev. Law Comput. Technol. 18 , 313–344 (2004).

McGraw, D. & Petersen, C. From Commercialization to Accountability: Responsible Health Data Collection Use, and Disclosure for the 21st Century. Appl. Clin. Inform. 11 , 366–373 (2020).

Spector-Bagdady, K., Hutchinson, R., Kaleba, E. O. & Kheterpal, S. Sharing Health Data and Biospecimens with Industry - A Principle-Driven, Practical Approach. N. Engl. J. Med. 382 , 2072–2075 (2020).


Acknowledgements

The authors thank Alice Leiter, Senior Counsel, E-Health Initiative, for her assistance with earlier drafts of this article. K.D.M. was supported by cooperative agreement U01TR002623 from the National Center for Advancing Translational Sciences, National Institutes of Health and by the PrecisionLink initiative at Boston Children’s Hospital. D.M. receives a salary from Ciitizen Corporation.

Author information

Authors and affiliations

Ciitizen, Palo Alto, CA, USA

Deven McGraw

Boston Children’s Hospital, Harvard Medical School, Boston, MA, USA

Kenneth D. Mandl


Contributions

Both authors contributed equally to the drafting of this article. D.M.’s contributions come from her diverse experiences in health and privacy, including serving: as the head of the HIPAA division of OCR for 2.5 years; as a health privacy advocate at the Center for Democracy & Technology for 6 years; as an attorney for health care systems for 6 years; and, most recently, as a co-founder of a consumer health technology company for 2.5 years. K.D.M.’s contributions stem from his experience designing and deploying information technologies in lockstep with regulatory considerations, including personally controlled health records, biosurveillance systems, participatory surveillance systems, EHR and data sharing networks, and widely adopted application programming interfaces for data exchange, as well as his contributions to the 21st Century Cures Act and ensuing rules.

Corresponding author

Correspondence to Deven McGraw .

Ethics declarations

Competing interests

D.M. is employed by and has stock in Ciitizen, a personal health record platform ( www.ciitizen.com ) that helps individuals collect, use, and disclose their health information to meet their needs. Ciitizen is a Board member of the CARIN Alliance, which advances the ability of individuals to get copies of their health information. K.D.M. chairs the scientific advisory Board for Medal, Inc. Boston Children’s Hospital receives corporate philanthropic support for K.D.M.’s laboratory from SMART Advisory Committee members which include the American Medical Association, the BMJ Group, Eli Lilly and Company, First Databank, Google Cloud, Hospital Corporation of America, Microsoft, Optum, Premier Inc, and Quest Diagnostics.

Additional information

Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/ .


About this article

Cite this article

McGraw, D., Mandl, K.D. Privacy protections to encourage use of health-relevant digital data in a learning health system. npj Digit. Med. 4 , 2 (2021). https://doi.org/10.1038/s41746-020-00362-8


Received : 06 November 2019

Accepted : 30 October 2020

Published : 04 January 2021

DOI : https://doi.org/10.1038/s41746-020-00362-8


This article is cited by

Reply to: concerns about using a digital mask to safeguard patient privacy.

  • Junfeng Lyu
  • Haotian Lin

Nature Medicine (2023)

GRANDPA: GeneRAtive network sampling using degree and property augmentation applied to the analysis of partially confidential healthcare networks

  • Carly A. Bobak
  • A. James O’Malley

Applied Network Science (2023)

A novel decentralized federated learning approach to train on globally distributed, poor quality, and protected private medical data

  • T. V. Nguyen
  • M. A. Dakka
  • D. Perugini

Scientific Reports (2022)

Ushering in safe, effective, secure, and ethical medicine in the digital era

  • William J. Gordon
  • Andrea R. Coravos
  • Ariel D. Stern

npj Digital Medicine (2021)


Standards for Privacy of Individually Identifiable Health Information

[ 45 CFR Parts 160 and 164 ]

General Overview

The following is an overview that provides answers to general questions regarding the regulation entitled, Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), promulgated by the Department of Health and Human Services (HHS), and process for modifications to that rule. Detailed guidance on specific requirements in the regulation is presented in subsequent sections, each of which addresses a different standard.

The Privacy Rule provides the first comprehensive federal protection for the privacy of health information. All segments of the health care industry have expressed their support for the objective of enhanced patient privacy in the health care system. At the same time, HHS and most parties agree that privacy protections must not interfere with a patient's access to or the quality of health care delivery.

The guidance provided in this section and those that follow is meant to communicate as clearly as possible the privacy policies contained in the rule. Each section has a short summary of a particular standard in the Privacy Rule, followed by "Frequently Asked Questions" about that provision. In some cases, the guidance identifies areas of the Privacy Rule where a modification or change to the rule is necessary. These areas are summarized below in response to the question "What changes might you make to the final rule?" and discussed in more detail in the subsequent sections of this guidance. We emphasize that this guidance document is only the first of several technical assistance materials that we will issue to provide clarification and help covered entities implement the rule. We anticipate that there will be many questions that will arise on an ongoing basis which we will need to answer in future guidance. In addition, the Department will issue proposed modifications as necessary in one or more rulemakings to ensure that patients' privacy needs are appropriately met. The Department plans to work expeditiously to address these additional questions and propose modifications as necessary.

Frequently Asked Questions

Q: What does this regulation do?

A: The Privacy Rule became effective on April 14, 2001. Most health plans and health care providers that are covered by the new rule must comply with the new requirements by April 2003.

The Privacy Rule for the first time creates national standards to protect individuals' medical records and other personal health information.

  • It gives patients more control over their health information.
  • It sets boundaries on the use and release of health records.
  • It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
  • It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights.

For patients - it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.

  • It enables patients to find out how their information may be used and what disclosures of their information have been made.
  • It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.

Q: Why is this regulation needed?

A: In enacting the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Congress mandated the establishment of standards for the privacy of individually identifiable health information.

When it comes to personal information that moves across hospitals, doctors' offices, insurers or third party payers, and state lines, our country has relied on a patchwork of federal and state laws. Under the current patchwork of laws, personal health information can be distributed - without either notice or consent - for reasons that have nothing to do with a patient's medical treatment or health care reimbursement. Patient information held by a health plan may be passed on to a lender who may then deny the patient's application for a home mortgage or a credit card - or to an employer who may use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections will continue to apply over and above the new federal privacy standards.

Health care providers have a strong tradition of safeguarding private health information. But in today's world, the old system of paper records in locked filing cabinets is not enough. With information broadly held and transmitted electronically, the rule provides clear standards for all parties regarding protection of personal health information.

Q: What does this regulation require the average provider or health plan to do?

A: For the average health care provider or health plan, the Privacy Rule requires activities, such as:

  • Providing information to patients about their privacy rights and how their information can be used.
  • Adopting clear privacy procedures for its practice, hospital, or plan.
  • Training employees so that they understand the privacy procedures.
  • Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  • Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Responsible health care providers and businesses already take many of the kinds of steps required by the rule to protect patients' privacy. Covered entities of all types and sizes are required to comply with the final Privacy Rule. To ease the burden of complying with the new requirements, the Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs. The scalability of the rules provides a more efficient and appropriate means of safeguarding protected health information than would any single standard. For example,

  • The privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties; the privacy official at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board.
  • The training requirement may be satisfied by a small physician practice's providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.
  • The policies and procedures of small providers may be more limited under the rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.

Q: Who must comply with these new privacy standards?

A: As required by Congress in HIPAA, the Privacy Rule covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards are required to be adopted by the Secretary under HIPAA, such as electronic billing and fund transfers. These entities (collectively called "covered entities") are bound by the new privacy standards even if they contract with others (called "business associates") to perform some of their essential functions. The law does not give HHS the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. The "Business Associate" section of this guidance provides a more detailed discussion of the covered entities' responsibilities when they engage others to perform essential functions or services for them.

Q: When will covered entities have to meet these standards?

A: As Congress required in HIPAA, most covered entities have two full years from the date that the regulation took effect - or, until April 14, 2003 - to come into compliance with these standards. Under the law, small health plans will have three full years - or, until April 14, 2004 - to come into compliance.

The HHS Office for Civil Rights (OCR) will provide assistance to help covered entities prepare to comply with the rule. OCR maintains a Web site with information on the new regulation, including guidance for industry, such as these frequently asked questions, at http://www.hhs.gov/ocr/hipaa/.

Q: Do you expect to make any changes to this rule before the compliance date?

A: We can and will issue proposed modifications to correct any unintended negative effects of the Privacy Rule on health care quality or on access to such care.

In February 2001, Secretary Thompson requested public comments on the final rule to help HHS assess the rule's real-world impact in health care delivery. During the 30-day comment period, we received more than 11,000 letters or comments - including some petitions with thousands of names. These comments are helping to guide the Department's efforts to clarify areas of the rule to eliminate uncertainties and to help covered entities begin their implementation efforts.

Q: What changes might you make in the final rule?

A: We continue to review the input received during the recent public comment period to determine what changes are appropriate to ensure that the rule protects patient privacy as intended without harming consumers' access to care or the quality of that care.

Examples of standards in the Privacy Rule for which we will propose changes are:

  • Phoned-in Prescriptions - A change will permit pharmacists to fill prescriptions phoned in by a patient's doctor before obtaining the patient's written consent (see the "Consent" section of this guidance for more discussion).
  • Referral Appointments - A change will permit direct treatment providers receiving a first time patient referral to schedule appointments, surgery, or other procedures before obtaining the patient's signed consent (see the "Consent" section of this guidance for more discussion).
  • Allowable Communications - A change will increase the confidence of covered entities that they are free to engage in whatever communications are required for quick, effective, high quality health care, including routine oral communications with family members, treatment discussions with staff involved in coordination of patient care, and using patient names to locate them in waiting areas (see the "Oral Communications" section of this guidance for more discussion).
  • Minimum Necessary Scope - A change will increase covered entities' confidence that certain common practices, such as use of sign-up sheets and X-ray lightboards, and maintenance of patient medical charts at bedside, are not prohibited under the rule (see the "Minimum Necessary" section of this guidance for more discussion).

In addition, HHS may reevaluate the Privacy Rule to ensure that parents have appropriate access to information about the health and well-being of their children. This issue is discussed further in the "Parents and Minors" section of this guidance.

Other changes to the Privacy Rule also may be considered as appropriate.

Q: How will you make any changes?

A: Any changes to the final rule must be made in accordance with the Administrative Procedures Act (APA). HHS intends to comply with the APA by publishing its rule changes in the Federal Register through a Notice of Proposed Rulemaking and will invite comment from the public. After reviewing and addressing those comments, HHS will issue a final rule to implement appropriate modifications.

Congress specifically authorized HHS to make appropriate modifications in the first year after the final rule took effect in order to ensure the rule could be properly implemented in the real world. We are working as quickly as we can to identify where modifications are needed and what corrections need to be made so as to give covered entities as much time as possible to implement the rule. Covered entities can and should begin the process of implementing the privacy standards in order to meet their compliance dates.

[45 CFR § 164.506]

The Privacy Rule establishes a federal requirement that most doctors, hospitals, or other health care providers obtain a patient's written consent before using or disclosing the patient's personal health information to carry out treatment, payment, or health care operations (TPO). Today, many health care providers, for professional or ethical reasons, routinely obtain a patient's consent for disclosure of information to insurance companies or for other purposes. The Privacy Rule builds on these practices by establishing a uniform standard for certain health care providers to obtain their patients' consent for uses and disclosures of health information about the patient to carry out TPO.

General Provisions

  • Patient consent is required before a covered health care provider that has a direct treatment relationship with the patient may use or disclose protected health information (PHI) for purposes of TPO. Exceptions to this standard are shown in the next bullet.
  • Uses and disclosures for TPO may be permitted without prior consent in an emergency, when a provider is required by law to treat the individual, or when there are substantial communication barriers.
  • Health care providers that have indirect treatment relationships with patients (such as laboratories that only interact with physicians and not patients), health plans, and health care clearinghouses may use and disclose PHI for purposes of TPO without obtaining a patient's consent. The rule permits such entities to obtain consent, if they choose.
  • If a patient refuses to consent to the use or disclosure of their PHI to carry out TPO, the health care provider may refuse to treat the patient.
  • A patient's written consent need only be obtained by a provider one time.
  • The consent document may be brief and may be written in general terms. It must be written in plain language, inform the individual that information may be used and disclosed for TPO, state the patient's rights to review the provider's privacy notice, to request restrictions and to revoke consent, and be dated and signed by the individual (or his or her representative).

Individual Rights

  • An individual may revoke consent in writing, except to the extent that the covered entity has taken action in reliance on the consent.
  • An individual may request restrictions on uses or disclosures of health information for TPO. The covered entity need not agree to the restriction requested, but is bound by any restriction to which it agrees.
  • An individual must be given a notice of the covered entity's privacy practices and may review that notice prior to signing a consent.

Administrative Issues

  • A covered entity must retain the signed consent for 6 years from the date it was last in effect. The Privacy Rule does not dictate the form in which these consents are to be retained by the covered entity.
  • Certain integrated covered entities may obtain one joint consent for multiple entities.
  • If a covered entity obtains consent and also receives an authorization to disclose PHI for TPO, the covered entity may disclose information only in accordance with the more restrictive document, unless the covered entity resolves the conflict with the individual.
  • Transition provisions allow providers to rely on consents received prior to April 14, 2003 (the compliance date of the Privacy Rule for most covered entities), for uses and disclosures of health information obtained prior to that date.

Q: Are health plans or clearinghouses required to obtain an individual's consent to use or disclose PHI to carry out TPO?

A: No. Health plans and clearinghouses may use and disclose PHI for these purposes without obtaining consent. These entities are permitted to obtain consent. If they choose to seek individual consent for these uses and disclosures, the consent must meet the standards, requirements, and implementation specifications for consents set forth under the rule.

Q: Can a pharmacist use PHI to fill a prescription that was telephoned in by a patient's physician if the patient is a new patient to the pharmacy and has not yet provided written consent to the pharmacy?

A: The Privacy Rule, as written, does not permit this activity without prior patient consent. It poses a problem for first-time users of a particular pharmacy or pharmacy chain. The Department of Health and Human Services did not intend the rule to interfere with a pharmacist's normal activities in this way. The Secretary is aware of this problem, and will propose modifications to fix it to ensure ready patient access to high quality health care.

Q: Can direct treatment providers, such as a specialist or hospital, to whom a patient is referred for the first time, use PHI to set up appointments or schedule surgery or other procedures before obtaining the patient's written consent?

A: As in the pharmacist example above, the Privacy Rule, as written, does not permit uses of PHI prior to obtaining the patient's written consent for TPO. This unintended problem potentially exists in any circumstance when a patient's first contact with a direct treatment provider is not in person. As noted above, the Secretary is aware of this problem and will propose modifications to fix it.

Q: Will the consent requirement restrict the ability of providers to consult with other providers about a patient's condition?

A: No. A provider with a direct treatment relationship with a patient would have to have initially obtained consent to use that patient's health information for treatment purposes. Consulting with another health care provider about the patient's case falls within the definition of "treatment" and, therefore, is permissible. If the provider being consulted does not otherwise have a direct treatment relationship with the patient, that provider does not need to obtain the patient's consent to engage in the consultation.

Q: Does a pharmacist have to obtain a consent under the Privacy Rule in order to provide advice about over-the-counter medicines to customers?

A: No. A pharmacist may provide advice about over-the-counter medicines without obtaining the customer's prior consent, provided that the pharmacist does not create or keep a record of any PHI. In this case, the only interaction or disclosure of information is a conversation between the pharmacist and the customer. The pharmacist may disclose PHI about the customer to the customer without obtaining his or her consent (§ 164.502(a)(1)(i)), but may not otherwise use or disclose that information.

Q: Can a patient have a friend or family member pick up a prescription for her?

A: Yes. A pharmacist may use professional judgment and experience with common practice to make reasonable inferences of the patient's best interest in allowing a person, other than the patient, to pick up a prescription (see § 164.510(b)). For example, the fact that a relative or friend arrives at a pharmacy and asks to pick up a specific prescription for an individual effectively verifies that he or she is involved in the individual's care, and the rule allows the pharmacist to give the filled prescription to the relative or friend. The individual does not need to provide the pharmacist with the names of such persons in advance.

Q: The rule provides an exception to the prior consent requirement for "emergency treatment situations." How will a provider know when the situation is an "emergency treatment situation" and, therefore, is exempt from the Privacy Rule's prior consent requirement?

A: Health care providers must exercise their professional judgment to determine whether obtaining a consent would interfere with the timely delivery of necessary health care. If, based on professional judgment, a provider reasonably believes at the time the patient presents for treatment that a delay involved in obtaining the patient's consent to use or disclose information would compromise the patient's care, the provider may use or disclose PHI that was obtained during the emergency treatment, without prior consent, to carry out TPO. The provider must attempt to obtain consent as soon as reasonably practicable after the provision of treatment. If the provider is able to obtain the patient's consent to use or disclose information before providing care, without compromising the patient's care, we require the provider to do so.

Q: Does the exception to the consent requirement regarding substantial barriers to communication with the individual affect requirements under Title VI of the Civil Rights Act of 1964 or the Americans with Disabilities Act?

A: No. The provision of the Privacy Rule regarding substantial barriers to communication does not affect covered entities' obligations under Title VI or the Americans with Disabilities Act. Entities that are covered by these statutes must continue to meet the requirements of the statutes. The Privacy Rule works in conjunction with these laws to remove impediments to access to necessary health care for all individuals.

Q: What is the difference between "consent" and "authorization" under the Privacy Rule?

A: A consent is a general document that gives health care providers that have a direct treatment relationship with a patient permission to use and disclose all PHI for TPO. It gives permission only to that provider, not to any other person. Health care providers may condition the provision of treatment on the individual providing this consent. One consent may cover all uses and disclosures for TPO by that provider, indefinitely. A consent need not specify the particular information to be used or disclosed, nor the recipients of disclosed information.

Only doctors or other health care providers with a direct treatment relationship with a patient are required to obtain consent. Generally, a "direct treatment provider" is one that treats a patient directly, rather than based on the orders of another provider, and/or provides health care services or test results directly to patients. Other health care providers, health plans, and health care clearinghouses may use or disclose information for TPO without consent, or may choose to obtain a consent.

An authorization is a more customized document that gives covered entities permission to use specified PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual. Covered entities may not condition treatment or coverage on the individual providing an authorization. An authorization is more detailed and specific than a consent. It covers only the uses and disclosures and only the PHI stipulated in the authorization; it has an expiration date; and, in some cases, it also states the purpose for which the information may be used or disclosed.

An authorization is required for use and disclosure of PHI not otherwise allowed by the rule. In general, this means an authorization is required for purposes that are not part of TPO and not described in § 164.510 (uses and disclosures that require an opportunity for the individual to agree or to object) or § 164.512 (uses and disclosures for which consent, authorization, or an opportunity to agree or to object is not required). Situations in which an authorization is required for TPO purposes are identified and discussed in the next question.

All covered entities, not just direct treatment providers, must obtain an authorization to use or disclose PHI for these purposes. For example, a covered entity would need an authorization from individuals to sell a patient mailing list, to disclose information to an employer for employment decisions, or to disclose information for eligibility for life insurance. A covered entity will never need to obtain both an individual's consent and authorization for a single use or disclosure. However, a provider may have to obtain consent and authorization from the same patient for different uses or disclosures. For example, an obstetrician may, under the consent obtained from the patient, send an appointment reminder to the patient, but would need authorization from the patient to send her name and address to a company marketing a diaper service.

[July 6 Q&A, Concerning When An Authorization Would Be Required For Uses and Disclosures For TPO, Removed on January 14, 2002]

Q: Will health care providers be required to determine whether another covered entity has a more restrictive consent form before disclosing information to that entity for TPO purposes?

A: No. Generally, a consent permits only the covered entity that obtains the consent to use or disclose PHI for its own TPO purposes. Under the Privacy Rule, one covered entity is not bound by a consent or any restrictions on that consent agreed to by another covered entity, with one exception. A covered entity would be bound by the consent of another covered entity if the entities use a "joint consent," as permitted by the Privacy Rule (§ 164.506(f)).

In addition, it is possible for several entities to choose to be treated as a single covered entity under the rule, as "affiliated entities." Because affiliated entities are considered to be one covered entity under the rule, there would be only one consent and each entity would be bound by that consent (§ 164.504(d)).

Q: What is the interaction between "consent" and "notice"?

A: The consent and the notice of privacy practices are two distinct documents. A consent document is brief (may be less than one page). It must refer to the notice and must inform the individual that he has the opportunity to review the notice prior to signing the consent. The Privacy Rule does not require that the individual read the notice or that the covered entity explain each item in the notice before the individual provides consent. We expect that some patients will simply sign the consent while others will read the notice carefully and discuss some of the practices with the covered entity.

Q: May consent for use or disclosure of PHI be provided electronically?

A: Yes. The covered entity may choose to obtain and store consents in paper or electronic form, provided that the consent meets all of the requirements under the Privacy Rule, including that it be signed by the individual. Paper is not required.

Q: Must a covered entity verify a signature on a consent form if the individual is not present when he signs it?

Q: May consent be obtained by a health care provider only one time if there is a single connected course of treatment involving multiple visits?

A: Yes. A health care provider needs to obtain consent from a patient for use or disclosure of PHI only one time. This is true regardless of whether there is a connected course of treatment or treatment for unrelated conditions. A provider will need to obtain a new consent from a patient only if the patient has revoked the consent between treatments.

Q: If an individual consents to the use or disclosure of PHI for TPO purposes, obtains a health care service, and then revokes consent before the provider bills for such service, is the provider precluded from billing for such service?

A: No. A health care provider that provides a health care service to an individual after obtaining consent from the individual may bill for such service even if the individual immediately revokes consent after the service has been provided. The Privacy Rule requires that an individual be permitted to revoke consent, but provides that the revocation is not effective to the extent that the health care provider has acted in reliance on the consent. Where the provider has obtained a consent and provided a health care service pursuant to that consent with the expectation that he or she could bill for the service, the health care provider has acted in reliance on the consent. The revocation would not interfere with the billing or reimbursement for that care.

Q: If covered providers that are affiliated or part of an organized health care arrangement are located in different states with different laws regarding uses and disclosures of health information (e.g., a chain of pharmacies), do they need to obtain a consent in each state that the patient obtains treatment?

A: No. The consent is general and only needs to be obtained by a covered entity (or by affiliated entities or entities that are part of an organized health care arrangement) one time. The Privacy Rule does not require that the consent include any details about state law, and therefore, does not require different consent forms in each state. State law may impose additional requirements for consent forms on covered entities.

Q: Must a revocation of a consent be in writing?

Q: The Privacy Rule permits a covered entity to continue to use or disclose health information which it has on the compliance date pursuant to express legal permission obtained from an individual prior to the compliance date. Is a form, signed by a patient prior to the compliance date of the rule, that permits a provider to use or disclose information for the limited purpose of payment sufficient to meet these transition provision requirements?

A: Yes. A provider that obtains permission from a patient prior to the compliance date to use or disclose information for payment purposes may use the PHI about that patient collected pursuant to that permission for purposes of TPO. Under the transition provisions, if prior to the compliance date, a provider obtained a consent for the use or disclosure of health information for any one of the TPO purposes, the provider may use the health information collected pursuant to that consent for all three purposes after the compliance date (§ 164.532(b)). Thus, a provider that obtained consent for use or disclosure for billing purposes would be able to draw on the data obtained prior to the compliance date and covered by the consent form for all TPO activities to the extent not expressly excluded by the terms of the consent.

Q: Are health plans and health care clearinghouses required by the Privacy Rule to have some form of express legal permission to use and disclose health information obtained prior to the compliance date for TPO purposes?

A: No. Health plans and health care clearinghouses are not required to have express legal permission from individuals to use or disclose health information obtained prior to the compliance date for their own TPO purposes.

General Requirement

The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information (PHI) to the minimum necessary to accomplish the intended purpose. The minimum necessary provisions do not apply to the following:

  • Disclosures to or requests by a health care provider for treatment purposes.
  • Disclosures to the individual who is the subject of the information.
  • Uses or disclosures made pursuant to an authorization requested by the individual.
  • Uses or disclosures required for compliance with the standardized Health Insurance Portability and Accountability Act (HIPAA) transactions.
  • Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes.
  • Uses or disclosures that are required by other law.

The implementation specifications for this provision require a covered entity to develop and implement policies and procedures appropriate for its own organization, reflecting the entity's business practices and workforce. We understand this guidance will not answer all questions pertaining to the minimum necessary standard, especially as applied to specific industry practices. As more questions arise with regard to application of the minimum necessary standard to particular circumstances, we will provide more detailed guidance and clarification on this issue.

Uses and Disclosures of, and Requests for PHI

For uses of PHI, the policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access. For example, hospitals may implement policies that permit doctors, nurses, or others involved in treatment to have access to the entire medical record, as needed. Case-by-case review of each use is not required. Where the entire medical record is necessary, the covered entity's policies and procedures must state so explicitly and include a justification.

For routine or recurring requests and disclosures, the policies and procedures may be standard protocols and must limit PHI disclosed or requested to that which is the minimum necessary for that particular type of disclosure or request. Individual review of each disclosure or request is not required.

For non-routine disclosures, covered entities must develop reasonable criteria for determining, and limiting disclosure to, only the minimum amount of PHI necessary to accomplish the purpose of a non-routine disclosure. Non-routine disclosures must be reviewed on an individual basis in accordance with these criteria. When making non-routine requests for PHI, the covered entity must review each request so as to ask for only that information reasonably necessary for the purpose of the request.

Reasonable Reliance

In certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request. This reliance is permitted when the request is made by:

  • A public official or agency for a disclosure permitted under § 164.512 of the rule.
  • Another covered entity.
  • A professional who is a workforce member or business associate of the covered entity holding the information.
  • A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.

The rule does not require such reliance, however, and the covered entity always retains discretion to make its own minimum necessary determination for disclosures to which the standard applies.

Treatment Settings

We understand that medical information must be conveyed freely and quickly in treatment settings, and thus understand the heightened concern that covered entities have about how the minimum necessary standard applies in such settings. Therefore, we are taking the following steps to clarify the application of the minimum necessary standard in treatment settings. First, we clarify some of the issues here, including the application of minimum necessary to specific practices, so that covered entities may begin implementation of the Privacy Rule. Second, we will propose corresponding changes to the regulation text, to increase the confidence of covered entities that they are free to engage in whatever communications are required for quick, effective, high quality health care. We understand that issues of this importance need to be addressed directly and clearly to eliminate any ambiguities.

Q: How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?

A: The Privacy Rule requires a covered entity to make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the rule requires covered entities to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not a strict standard, and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers today to limit the unnecessary sharing of medical information.

The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. It is intended to reflect and be consistent with, not override, professional judgment and standards. Therefore, we expect that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately will limit access to personal health information without sacrificing the quality of health care.

Q: Won't the minimum necessary restrictions impede the delivery of quality health care by preventing or hindering necessary exchanges of patient medical information among health care providers involved in treatment?

A: No. Disclosures for treatment purposes (including requests for disclosures) between health care providers are explicitly exempted from the minimum necessary requirements.

The Privacy Rule provides the covered entity with substantial discretion as to how to implement the minimum necessary standard and appropriately and reasonably limit access to, and use of, identifiable health information within the covered entity. The rule recognizes that the covered entity is in the best position to know and determine who in its workforce needs access to personal health information to perform their jobs. Therefore, the covered entity can develop role-based access policies that allow its health care providers and other employees, as appropriate, access to patient information, including entire medical records, for treatment purposes.

Q: Do the minimum necessary requirements prohibit medical residents, medical students, nursing students, and other medical trainees from accessing patients' medical information in the course of their training?

A: No. The definition of "health care operations" in the rule provides for "conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers." Covered entities can shape their policies and procedures for minimum necessary uses and disclosures to permit medical trainees access to patients' medical information, including entire medical records.

Q: Must minimum necessary be applied to disclosures to third parties that are authorized by an individual?

A: No, unless the authorization was requested by a covered entity for its own purposes. The Privacy Rule exempts from the minimum necessary requirements most uses or disclosures that are authorized by an individual. This includes authorizations covered entities may receive directly from third parties, such as life, disability, or casualty insurers pursuant to the patient's application for or claim under an insurance policy. For example, if a covered health care provider receives an individual's authorization to disclose medical information to a life insurer for underwriting purposes, the provider is permitted to disclose the information requested on the authorization without making any minimum necessary determination. The authorization must meet the requirements of § 164.508.

However, minimum necessary does apply to authorizations requested by the covered entity for its own purposes (see § 164.508(d), (e), and (f)).

Q: Are providers required to make a minimum necessary determination to disclose to federal or state agencies, such as the Social Security Administration (SSA) or its affiliated state agencies, for individuals' applications for federal or state benefits?

A: No. These disclosures must be authorized by an individual and, therefore, are exempt from the minimum necessary requirements. Further, use of the provider's own authorization form is not required. Providers can accept an agency's authorization form as long as it meets the requirements of § 164.508 of the rule. For example, disclosures to SSA (or its affiliated state agencies) for purposes of determining eligibility for disability benefits are currently made subject to an individual's completed SSA authorization form. After the compliance date, the current process may continue subject only to modest changes in the SSA authorization form to conform to the requirements in § 164.508.

Q: Doesn't the minimum necessary standard conflict with the Transactions standards? Does minimum necessary apply to the standard transactions?

A: No, because the Privacy Rule exempts from the minimum necessary standard any uses or disclosures that are required for compliance with the applicable requirements of the subchapter. This includes all data elements that are required or situationally required in the standard transactions. However, in many cases, covered entities have significant discretion as to the information included in these transactions. This standard does apply to those optional data elements.

Q: Does the rule strictly prohibit use, disclosure, or requests of an entire medical record? Does the rule prevent use, disclosure, or requests of entire medical records without case-by-case justification?

A: No. The Privacy Rule does not prohibit use, disclosure, or requests of an entire medical record. A covered entity may use, disclose, or request an entire medical record, without a case-by-case justification, if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes. For uses, the policies and procedures would identify those persons or classes of person in the workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. Policies and procedures for routine disclosures and requests and the criteria used for non-routine disclosures would identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes. In making non-routine requests, the covered entity may also establish and utilize criteria to assist in determining when to request the entire medical record.

The Privacy Rule does not require that a justification be provided with respect to each distinct medical record.

Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment or disclosures to the individual.

Q: In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigns of office space and upgrades of computer systems, in order to comply with the minimum necessary requirements?

A: No. The basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to PHI to those in the workforce that need access based on their roles in the covered entity.

The Department generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses. However, covered entities may need to make certain adjustments to their facilities to minimize access, such as isolating and locking file cabinets or records rooms, or providing additional security, such as passwords, on computers maintaining personal information.

Covered entities should also take into account their ability to configure their record systems to allow access to only certain fields, and the practicality of organizing systems to allow this capacity. For example, it may not be reasonable for a small, solo practitioner who has largely a paper-based records system to limit access of employees with certain functions to only limited fields in a patient record, while other employees have access to the complete record. Alternatively, a hospital with an electronic patient record system may reasonably implement such controls, and therefore, may choose to limit access in this manner to comply with the rule.
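The role-based, field-level access control discussed in this answer, and the documented "entire record" policy described under the earlier question on whole-record use, can be expressed as a small policy model. The following Python is an added illustration, not code from the Department's guidance or from any record system; the role names, field names, purpose labels and the sample patient record are constructed assumptions. It shows how a documented policy gives treatment roles the whole record without case-by-case justification, gives other roles only their listed fields, denies roles with no documented need, and separately tracks when the minimum necessary standard does not apply at all.

```python
"""Role-based minimum-necessary filtering of a patient record.

Added example (not the Department's or any vendor's code). Roles, field
names, purpose labels and the sample record are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

ENTIRE_RECORD = "*"  # policy marker: this role is documented as needing the whole record

# Documented role-based access policy (the kind of policy §§ 164.502(b) and
# 164.514(d) call for). Each workforce role maps to the fields it reasonably
# needs, or to the entire record. Role and field names are assumptions.
ROLE_POLICY: Dict[str, FrozenSet[str]] = {
    "treating_clinician": frozenset({ENTIRE_RECORD}),
    "medical_trainee": frozenset({ENTIRE_RECORD}),  # supervised training is a health care operation
    "billing_clerk": frozenset({"mrn", "name", "insurance_id", "procedure_codes", "diagnosis_codes"}),
    "appointment_desk": frozenset({"mrn", "name", "phone", "next_appointment"}),
    "facilities_staff": frozenset(),  # no PHI needed for this role
}

# Constructed sample record for a fictional patient.
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Pat Example",
    "phone": "555-0100",
    "insurance_id": "INS-77",
    "next_appointment": "2021-02-03",
    "procedure_codes": ["99213"],
    "diagnosis_codes": ["J06.9"],
    "clinical_notes": "Upper respiratory infection; rest and fluids.",
    "lab_results": {"CBC": "normal"},
}

# Purposes for which the rule does not apply minimum necessary at all
# (treatment disclosures to providers, disclosures to the individual,
# individual-authorized disclosures, required standard transactions).
MIN_NECESSARY_EXEMPT = {
    "treatment_to_provider",
    "to_individual",
    "individual_authorization",
    "required_transaction",
}


@dataclass
class AccessDecision:
    allowed: bool
    reason: str
    data: Optional[dict] = None
    withheld: FrozenSet[str] = field(default_factory=frozenset)


def fields_for_role(role: str) -> FrozenSet[str]:
    """Return the documented field set for a role; undocumented roles get nothing."""
    return ROLE_POLICY.get(role, frozenset())


def access_record(role: str, record: dict) -> AccessDecision:
    """Apply the role's documented policy to one record.

    Roles documented as needing the entire record receive it without a
    case-by-case justification; other roles receive only their listed fields,
    and the withheld field names are reported so the decision can be audited.
    """
    permitted = fields_for_role(role)
    if not permitted:
        return AccessDecision(False, f"role '{role}' has no documented need for PHI")
    if ENTIRE_RECORD in permitted:
        return AccessDecision(True, "entire record permitted by documented policy", dict(record))
    visible = {k: v for k, v in record.items() if k in permitted}
    withheld = frozenset(record) - permitted
    return AccessDecision(True, "field-level view per documented policy", visible, withheld)


def minimum_necessary_applies(purpose: str, authorization_requested_by_ce: bool = False) -> bool:
    """Whether a minimum-necessary determination is required for a use, disclosure or request.

    An authorization the covered entity requested for its own purposes stays
    in scope even though individual authorizations are otherwise exempt.
    """
    if purpose == "individual_authorization" and authorization_requested_by_ce:
        return True
    return purpose not in MIN_NECESSARY_EXEMPT


if __name__ == "__main__":
    for role in ROLE_POLICY:
        d = access_record(role, SAMPLE_RECORD)
        print(role, d.allowed, d.reason, sorted(d.data) if d.data else None)
```

The point of returning a structured decision rather than a bare dictionary is that the reason and the withheld fields can be logged, which is what lets a covered entity later show that access was limited according to its written policy rather than ad hoc.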

Q: Do the minimum necessary requirements prohibit covered entities from maintaining patient medical charts at bedside, require that covered entities shred empty prescription vials, or require that X-ray light boards be isolated?

A: No. The minimum necessary standards do not require that covered entities take any of these specific measures. Covered entities must, in accordance with other provisions of the Privacy Rule, take reasonable precautions to prevent inadvertent or unnecessary disclosures. For example, while the Privacy Rule does not require that X-ray boards be totally isolated from all other functions, it does require covered entities to take reasonable precautions to protect X-rays from being accessible to the public. We understand that these and similar matters are of special concern to many covered entities, and we will propose modifications to the rule to increase covered entities' confidence that these practices are not prohibited.

Q: Will doctors' and physicians' offices be allowed to continue using sign-in sheets in waiting rooms?

A: We did not intend to prohibit the use of sign-in sheets, but understand that the Privacy Rule is ambiguous about this common practice. We, therefore, intend to propose modifications to the rule to clarify that this and similar practices are permissible.

Q: What happens when a covered entity believes that a request is seeking more than the minimum necessary PHI?

A: In such a situation, the Privacy Rule requires a covered entity to limit the disclosure to the minimum necessary as determined by the disclosing entity. Where the rule permits covered entities to rely on the judgment of the person requesting the information, and if such reliance is reasonable despite the covered entity's concerns, the covered entity may make the disclosure as requested.

Nothing in the Privacy Rule prevents a covered entity from discussing its concerns with the person making the request, and negotiating an information exchange that meets the needs of both parties. Such discussions occur today and may continue after the compliance date of the Privacy Rule.

ORAL COMMUNICATIONS

[ 45 CFR §§ 160.103, 164.501 ]

The Privacy Rule applies to individually identifiable health information in all forms, electronic, written, oral, and any other. Coverage of oral (spoken) information ensures that information retains protections when discussed or read aloud from a computer screen or a written document. If oral communications were not covered, any health information could be disclosed to any person, so long as the disclosure was spoken.

Providers and health plans understand the sensitivity of oral information. For example, many hospitals already have confidentiality policies and concrete procedures for addressing privacy, such as posting signs in elevators that remind employees to protect patient confidentiality.

We also understand that oral communications must occur freely and quickly in treatment settings, and thus understand the heightened concern that covered entities have about how the rule applies. Therefore, we are taking a two-step approach to clarifying the regulation with respect to these communications. First, we provide some clarification of these issues here, so that covered entities may begin implementing the rule by the compliance date. Second, we will propose appropriate changes to the regulation text to clarify the regulatory basis for the policies discussed below in order to minimize confusion and to increase the confidence of covered entities that they are free to engage in communications as required for quick, effective, and high quality health care. We understand that issues of this importance need to be addressed directly and clearly in the Privacy Rule and that any ambiguities need to be eliminated.

General Requirements

  • Covered entities must reasonably safeguard protected health information (PHI) - including oral information - from any intentional or unintentional use or disclosure that is in violation of the rule (see § 164.530(c)(2)). They must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. "Reasonably safeguard" means that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule. However, we do not expect reasonable safeguards to guarantee the privacy of PHI from any and all potential risks. In determining whether a covered entity has provided reasonable safeguards, the Department will take into account all the circumstances, including the potential effects on patient care and the financial and administrative burden of any safeguards.
  • Covered entities must have policies and procedures that reasonably limit access to and use of PHI to the minimum necessary given the job responsibilities of the workforce and the nature of their business (see §§ 164.502(b), 164.514(d)). The minimum necessary standard does not apply to disclosures, including oral disclosures, among providers for treatment purposes. For a more complete discussion of the minimum necessary requirements, see the fact sheet and frequently asked questions titled "Minimum Necessary."
  • Many health care providers already make it a practice to ensure reasonable safeguards for oral information - for instance, by speaking quietly when discussing a patient's condition with family members in a waiting room or other public area, and by avoiding using patients' names in public hallways and elevators. Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.

Q: If health care providers engage in confidential conversations with other providers or with patients, have they violated the rule if there is a possibility that they could be overheard?

A: The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Provisions of this rule requiring covered entities to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers' primary consideration is the appropriate treatment of their patients. We also understand that overheard communications are unavoidable. For example, in a busy emergency room, it may be necessary for providers to speak loudly in order to ensure appropriate treatment. The Privacy Rule is not intended to prevent this appropriate behavior. We would consider the following practices to be permissible, if reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices, talking apart):

  • Health care staff may orally coordinate services at hospital nursing stations.
  • Nurses or other health care professionals may discuss a patient's condition over the phone with the patient, a provider, or a family member.
  • A health care professional may discuss lab test results with a patient or other provider in a joint treatment area.
  • Health care professionals may discuss a patient's condition during training rounds in an academic or training institution.

We will propose regulatory language to reinforce and clarify that these and similar oral communications (such as calling out patient names in a waiting room) are permissible.

Q: Does the Privacy Rule require hospitals and doctors' offices to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard?

A: No, the Privacy Rule does not require these types of structural changes be made to facilities.

Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. "Reasonable safeguards" mean that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule. The Department does not consider facility restructuring to be a requirement under this standard. In determining what is reasonable, the Department will take into account the concerns of covered entities regarding potential effects on patient care and financial burden.

For example, the Privacy Rule does not require the following types of structural or systems changes:

  • Private rooms.
  • Soundproofing of rooms.
  • Encryption of wireless or other emergency medical radio communications which can be intercepted by scanners.
  • Encryption of telephone systems.

Covered entities must provide reasonable safeguards to avoid prohibited disclosures. The rule does not require that all risk be eliminated to satisfy this standard. Covered entities must review their own practices and determine what steps are reasonable to safeguard their patient information.

Examples of the types of adjustments or modifications to facilities or systems that may constitute reasonable safeguards are:

  • Pharmacies could ask waiting customers to stand a few feet back from a counter used for patient counseling.
  • Providers could add curtains or screens to areas where oral communications often occur between doctors and patients or among professionals treating the patient.
  • In an area where multiple patient-staff communications routinely occur, use of cubicles, dividers, shields, or similar barriers may constitute a reasonable safeguard. For example, a large clinic intake area may reasonably use cubicles or shield-type dividers, rather than separate rooms.

In assessing what is "reasonable," covered entities may consider the viewpoint of prudent professionals.

Q: Do covered entities need to provide patients access to oral information?

A: No. The Privacy Rule requires covered entities to provide individuals with access to PHI about themselves that is contained in their "designated record sets." The term "record" in the term "designated record set" does not include oral information; rather, it connotes information that has been recorded in some manner.

The rule does not require covered entities to tape or digitally record oral communications, nor retain digitally or tape recorded information after transcription. But if such records are maintained and used to make decisions about the individual, they may meet the definition of "designated record set." For example, a health plan is not required to provide a member access to tapes of a telephone "advice line" interaction if the tape is only maintained for customer service review and not to make decisions about the member.

Q: Do covered entities have to document all oral communications?

A: No. The Privacy Rule does not require covered entities to document any information, including oral information, that is used or disclosed for treatment, payment or health care operations (TPO).

The rule includes, however, documentation requirements for some information disclosures for other purposes. For example, some disclosures must be documented in order to meet the standard for providing a disclosure history to an individual upon request. Where a documentation requirement exists in the rule, it applies to all relevant communications, whether in oral or some other form. For example, if a covered physician discloses information about a case of tuberculosis to a public health authority as permitted by the rule in § 164.512, then he or she must maintain a record of that disclosure regardless of whether the disclosure was made orally by phone or in writing.
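The tuberculosis example above turns on one design point: where the rule requires a disclosure to be documented, the log must capture it whether it was made by phone or in writing. The following Python is an added illustration, not code from the Department's guidance or any record system; the purpose labels, channel names and sample entries are constructed assumptions. It treats every non-TPO disclosure as logged, which is a simplification of the rule's actual list of documented disclosures, and records the channel explicitly so oral disclosures are not silently missed from an individual's disclosure history.

```python
"""Disclosure log that captures oral disclosures alongside written ones.

Added example (not the Department's or any vendor's code). Purposes, channel
names and sample entries are constructed assumptions; treating all non-TPO
disclosures as documented is a simplification of the rule.
"""
from dataclasses import dataclass
from datetime import date
from typing import List

# Treatment, payment and health care operations: no documentation requirement.
TPO_PURPOSES = {"treatment", "payment", "health_care_operations"}

# Channels a disclosure can take; oral channels are logged like any other.
CHANNELS = {"oral_in_person", "telephone", "fax", "letter", "electronic"}


@dataclass(frozen=True)
class DisclosureEntry:
    disclosed_on: date
    patient_mrn: str
    recipient: str
    purpose: str       # e.g. "public_health" for a report permitted by § 164.512
    channel: str       # one of CHANNELS
    description: str


class DisclosureLog:
    def __init__(self) -> None:
        self._entries: List[DisclosureEntry] = []

    def record(self, entry: DisclosureEntry) -> bool:
        """Log the disclosure if documentation is required; return whether it was logged."""
        if entry.channel not in CHANNELS:
            raise ValueError(f"unknown channel: {entry.channel}")
        if entry.purpose in TPO_PURPOSES:
            return False  # TPO disclosures need not be documented
        self._entries.append(entry)
        return True

    def history_for(self, patient_mrn: str) -> List[DisclosureEntry]:
        """Disclosure history for one individual, as needed for an accounting request."""
        return [e for e in self._entries if e.patient_mrn == patient_mrn]

    def logged_count(self) -> int:
        return len(self._entries)


def build_sample_log() -> DisclosureLog:
    """Constructed sample: one phoned public-health report, one hallway treatment
    consult (not logged), one faxed public-health report for another patient."""
    log = DisclosureLog()
    log.record(DisclosureEntry(date(2001, 7, 9), "MRN-000123", "County Health Dept",
                               "public_health", "telephone", "TB case report by phone"))
    log.record(DisclosureEntry(date(2001, 7, 10), "MRN-000123", "Consulting physician",
                               "treatment", "oral_in_person", "hallway consult"))
    log.record(DisclosureEntry(date(2001, 7, 11), "MRN-000456", "County Health Dept",
                               "public_health", "fax", "written TB report"))
    return log


if __name__ == "__main__":
    for e in build_sample_log().history_for("MRN-000123"):
        print(e.disclosed_on, e.recipient, e.purpose, e.channel)
```

Rejecting unknown channel values at write time is deliberate: a log that accepts free-text channels tends to accumulate entries that cannot later be distinguished as oral or written, which defeats the purpose of the field.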

Q: Did the Department change its position from the proposed rule by covering oral communications in the final Privacy Rule?

A: No. The proposed rule would have covered information in any form or medium, as long as it had at some point been maintained or transmitted electronically. Once information had been electronic, it would have continued to be covered as long as it was held by a covered entity, whether in electronic, written, or oral form.

The final Privacy Rule eliminates this nexus to electronic information. All individually identifiable health information of the covered entity is covered by the rule.

BUSINESS ASSOCIATES

By law, the Privacy Rule applies only to health plans, health care clearinghouses, and certain health care providers. In today's health care system, however, most health care providers and health plans do not carry out all of their health care activities and functions by themselves; they require assistance from a variety of contractors and other businesses. In allowing providers and plans to give protected health information (PHI) to these "business associates," the Privacy Rule conditions such disclosures on the provider or plan obtaining, typically by contract, satisfactory assurances that the business associate will use the information only for the purposes for which they were engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with the covered entity's duties to provide individuals with access to health information about them and a history of certain disclosures (e.g., if the business associate maintains the only copy of information, it must promise to cooperate with the covered entity to provide individuals access to information upon request). PHI may be disclosed to a business associate only to help the providers and plans carry out their health care functions - not for independent use by the business associate.

What is a "business associate"?

  • A business associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of PHI.
  • A business associate is not a member of the health care provider, health plan, or other covered entity's workforce.
  • A health care provider, health plan, or other covered entity can also be a business associate to another covered entity.
  • The rule includes exceptions. The business associate requirements do not apply to covered entities who disclose PHI to providers for treatment purposes - for example, information exchanges between a hospital and physicians with admitting privileges at the hospital.

Q: Has the Secretary exceeded the statutory authority by requiring "satisfactory assurances" for disclosures to business associates?

A: No. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) gives the Secretary authority to directly regulate health care providers, health plans, and health care clearinghouses. It also grants the Department explicit authority to regulate the uses and disclosures of PHI maintained and transmitted by covered entities. Therefore, we do have the authority to condition the disclosure of PHI by a covered entity to a business associate on the covered entity's having a contract with that business associate.

Q: Has the Secretary exceeded the HIPAA statutory authority by requiring "business associates" to comply with the Privacy Rule, even if that requirement is through a contract?

A: The Privacy Rule does not "pass through" its requirements to business associates or otherwise cause business associates to comply with the terms of the rule. The assurances that covered entities must obtain prior to disclosing PHI to business associates create a set of contractual obligations far narrower than the provisions of the rule, to protect information generally and help the covered entity comply with its obligations under the rule. For example, covered entities do not need to ask their business associates to agree to appoint a privacy officer, or develop policies and procedures for use and disclosure of PHI.

Q: Is it reasonable for covered entities to be held liable for the privacy violations of business associates?

A: A health care provider, health plan, or other covered entity is not liable for privacy violations of a business associate. Covered entities are not required to actively monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract.

Moreover, a business associate's violation of the terms of the contract does not, in and of itself, constitute a violation of the rule by the covered entity. The contract must obligate the business associate to advise the covered entity when violations have occurred.

If the covered entity becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate's obligations under its contract, the covered entity must take "reasonable steps" to cure the breach or to end the violation. Reasonable steps will vary with the circumstances and nature of the business relationship.

If such steps are not successful, the covered entity must terminate the contract if feasible. The rule also provides for circumstances in which termination is not feasible, for example, where there are no other viable business alternatives for the covered entity. In such circumstances where termination is not feasible, the covered entity must report the problem to the Department.

Only if the covered entity fails to take the kinds of steps described above would it be considered to be out of compliance with the requirements of the rule.

PARENTS AND MINORS

[ 45 CFR § 164.502(g) ]

The Privacy Rule provides individuals with certain rights with respect to their personal health information, including the right to obtain access to and to request amendment of health information about themselves. These rights rest with that individual, or with the "personal representative" of that individual. In general, a person's right to control protected health information (PHI) is based on that person's right (under state or other applicable law, e.g., tribal or military law) to control the health care itself.

Because a parent usually has authority to make health care decisions about his or her minor child, a parent is generally a "personal representative" of his or her minor child under the Privacy Rule and has the right to obtain access to health information about his or her minor child. This would also be true in the case of a guardian or other person acting in loco parentis of a minor.

There are exceptions in which a parent might not be the "personal representative" with respect to certain health information about a minor child. In the following situations, the Privacy Rule defers to determinations under other law that the parent does not control the minor's health care decisions and, thus, does not control the PHI related to that care.

  • When state or other law does not require consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service, the parent is not the minor's personal representative under the Privacy Rule. For example, when a state law provides an adolescent the right to consent to mental health treatment without the consent of his or her parent, and the adolescent obtains such treatment without the consent of the parent, the parent is not the personal representative under the Privacy Rule for that treatment. The minor may choose to involve a parent in these health care decisions without giving up his or her right to control the related health information. Of course, the minor may always have the parent continue to be his or her personal representative even in these situations.
  • When a court determines or other law authorizes someone other than the parent to make treatment decisions for a minor, the parent is not the personal representative of the minor for the relevant services. For example, courts may grant authority to make health care decisions for the minor to an adult other than the parent, to the minor, or the court may make the decision(s) itself. In order to not undermine these court decisions, the parent is not the personal representative under the Privacy Rule in these circumstances.

In the following situations, the Privacy Rule reflects current professional practice in determining that the parent is not the minor's personal representative with respect to the relevant PHI:

  • When a parent agrees to a confidential relationship between the minor and the physician, the parent does not have access to the health information related to that conversation or relationship. For example, if a physician asks the parent of a 16-year-old if the physician can talk with the child confidentially about a medical condition and the parent agrees, the parent would not control the PHI that was discussed during that confidential conference.
  • When a physician (or other covered entity) reasonably believes in his or her professional judgment that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child's personal representative could endanger the child, the physician may choose not to treat the parent as the personal representative of the child.

Relation to State Law

In addition to the provisions (described above) tying the right to control information to the right to control treatment, the Privacy Rule also states that it does not preempt state laws that specifically address disclosure of health information about a minor to a parent (§ 160.202). This is true whether the state law authorizes or prohibits such disclosure. Thus, if a physician believes that disclosure of information about a minor would endanger that minor, but a state law requires disclosure to a parent, the physician may comply with the state law without violating the Privacy Rule. Similarly, a provider may comply with a state law that requires disclosure to a parent and would not have to accommodate a request for confidential communications that would be contrary to state law.

Q: Does the Privacy Rule allow parents the right to see their children's medical records?

A: The Privacy Rule generally allows parents, as their minor children's personal representatives, to have access to information about the health and well-being of their children when state or other underlying law allows parents to make treatment decisions for the child. There are two exceptions: (1) when the parent agrees that the minor and the health care provider may have a confidential relationship, the provider is allowed to withhold information from the parent to the extent of that agreement; and (2) when the provider reasonably believes in his or her professional judgment that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child's personal representative could endanger the child, the provider is permitted not to treat the parent as the child's personal representative with respect to health information.

Secretary Thompson has stated that he is reassessing these provisions of the regulation.

Q: Does the Privacy Rule provide rights for children to be treated without parental consent?

A: No. The Privacy Rule does not address consent to treatment, nor does it preempt or change state or other laws that address consent to treatment. The Rule addresses access to health information, not the underlying treatment.

Q: If a child receives emergency medical care without a parent's consent, can the parent get all information about the child's treatment and condition?

A: Generally, yes. Even though the parent did not provide consent to the treatment in this situation, under the Privacy Rule, the parent would still be the child's personal representative. This would not be so only when the minor provided consent (and no other consent is required) or the treating physician suspects abuse or neglect or reasonably believes that releasing the information to the parent will endanger the child.

HEALTH-RELATED COMMUNICATIONS AND MARKETING

[ 45 CFR §§ 164.501, 164.514(e) ]

The Privacy Rule addresses the use and disclosure of protected health information (PHI) for marketing purposes in the following ways:

  • Defines what is "marketing" under the rule;
  • Removes from that definition certain treatment or health care operations activities;
  • Sets limits on the kind of marketing that can be done as a health care operation; and
  • Requires individual authorization for all other uses or disclosures of PHI for marketing purposes.

What Is Marketing

The Privacy Rule defines "marketing" as "a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service." To make this definition easier for covered entities to understand and comply with, we specified what "marketing" is not, as well as generally defined what it is. As questions arise about what activities are "marketing" under the Privacy Rule, we will provide additional clarification regarding such activities.

Communications That Are Not Marketing

The Privacy Rule carves out activities that are not considered marketing under this definition. In recommending treatments or describing available services, health care providers and health plans are advising us to purchase goods and services. To prevent any interference with essential treatment or similar health-related communications with a patient, the rule identifies the following activities as not subject to the marketing provision, even if the activity otherwise meets the definition of marketing. (Written communications for which the covered entity is compensated by a third party are not carved out of the marketing definition.)

Thus, a covered entity is not "marketing" when it:

  • Describes the participating providers or plans in a network. For example, a health plan is not marketing when it tells its enrollees about which doctors and hospitals are preferred providers, which are included in its network, or which providers offer a particular service. Similarly, a health insurer notifying enrollees of a new pharmacy that has begun to accept its drug coverage is not engaging in marketing.
  • Describes the services offered by a provider or the benefits covered by a health plan. For example, informing a plan enrollee about drug formulary coverage is not marketing.

Furthermore, it is not marketing for a covered entity to use an individual's PHI to tailor a health-related communication to that individual, when the communication is:

  • Part of a provider's treatment of the patient and for the purpose of furthering that treatment. For example, recommendations of specific brand-name or over-the-counter pharmaceuticals or referrals of patients to other providers are not marketing.
  • Made in the course of managing the individual's treatment or recommending alternative treatment. For example, reminder notices for appointments, annual exams, or prescription refills are not marketing. Similarly, informing an individual who is a smoker about an effective smoking-cessation program is not marketing, even if that program is offered by someone other than the provider or plan making the recommendation.

Limitations on Marketing Communications

If a communication is marketing, a covered entity may use or disclose PHI to create or make the communication, pursuant to any applicable consent obtained under § 164.506, only in the following circumstances:

  • It is a face-to-face communication with the individual. For example, sample products may be provided to a patient during an office visit.
  • It involves products or services of nominal value. For example, a provider can distribute pens, toothbrushes, or key chains with the name of the covered entity or a health care product manufacturer on it.
  • It concerns the health-related products and services of the covered entity or a third party, and only if the communication:

- Identifies the covered entity that is making the communication. Thus, consumers will know the source of these marketing calls or materials.

- States that the covered entity is being compensated for making the communication, when that is so.

- Tells individuals how to opt out of further marketing communications, with some exceptions as provided in the rule. The covered entity must make reasonable efforts to honor requests to opt-out.

- Explains why individuals with specific conditions or characteristics (e.g., diabetics, smokers) have been targeted, if that is so, and how the product or service relates to the health of the individual. The covered entity must also have made a determination that the product or service may be of benefit to individuals with that condition or characteristic.

For all other communications that are "marketing" under the Privacy Rule, the covered entity must obtain the individual's authorization to use or disclose PHI to create or make the marketing communication.

Business Associates

Disclosure of PHI for marketing purposes is limited to disclosure to business associates that undertake marketing activities on behalf of the covered entity. No other disclosure for marketing is permitted. Covered entities may not give away or sell lists of patients or enrollees without obtaining authorization from each person on the list. As with any disclosure to a business associate, the covered entity must obtain the business associate's agreement to use the PHI only for the covered entity's marketing activities. A covered entity may not give PHI to a business associate for the business associate's own purposes.

Q: Does this rule expand the ability of providers, plans, marketers and others to use my PHI to market goods and services to me? Does the Privacy Rule make it easier for health care businesses to engage in door-to-door sales and marketing efforts?

A: No. The provisions described above impose limits on the use or disclosure of PHI for marketing that do not exist in most states today. For example, the rule requires patients' authorization for the following types of uses or disclosures of PHI for marketing:

  • Selling PHI to third parties for their use and re-use. Under the rule, a hospital or other provider may not sell names of pregnant women to baby formula manufacturers or magazines.
  • Disclosing PHI to outsiders for the outsiders' independent marketing use. Under the rule, doctors may not provide patient lists to pharmaceutical companies for those companies' drug promotions.

These activities can occur today with no authorization from the individual. In addition, for the marketing activities that are allowed by the rule without authorization from the individual, the Privacy Rule requires covered entities to offer individuals the ability to opt-out of further marketing communications.

Similarly, under the business associate provisions of the rule, a covered entity may not give PHI to a telemarketer, door-to-door salesperson, or other marketer it has hired unless that marketer has agreed by contract to use the information only for marketing on behalf of the covered entity. Today, there may be no restrictions on how marketers re-use information they obtain from health plans and providers.

Q: Can telemarketers gain access to PHI and call individuals to sell goods and services?

A: Under the rule, unless the covered entity obtains the individual's authorization, it may only give health information to a telemarketer that it has hired to undertake marketing on its behalf. The telemarketer must be a business associate under the rule, which means that it must agree by contract to use the information only for marketing on behalf of the covered entity, and not to market its own goods or services (or those of another third party). The caller must identify the covered entity that is sponsoring the marketing call. The caller must provide individuals the opportunity to opt-out of further marketing.

Q: When is an authorization required from the patient before a provider or health plan engages in marketing to that individual?

A: An authorization for use or disclosure of PHI for marketing is always required, unless one of the following three exceptions applies:

  • The marketing occurs during an in-person meeting with the patient (e.g., during a medical appointment).
  • The marketing concerns products or services of nominal value.
  • The covered entity is marketing health-related products and services (of either the covered entity or a third party), the marketing identifies the covered entity that is responsible for the marketing, and the individual is offered an opportunity to opt-out of further marketing. In addition, the marketing must tell people if they have been targeted based on their health status, and must also tell people when the covered entity is compensated (directly or indirectly) for making the communication.

Q: How can I distinguish between activities for treatment, payment or health care operations (TPO) versus marketing activities?

A: There is no need for covered entities to make this distinction. In recommending treatments, providers and health plans advise us to purchase goods and services. The overlap between "treatment," "health care operations," and "marketing" is unavoidable. Instead of creating artificial distinctions, the rule imposes requirements that do not require such distinctions. Specifically:

  • If the activity is included in the rule's definition of "marketing," the rule's provisions restricting the use or disclosure of PHI for marketing purposes will apply, whether or not that communication also meets the rule's definition of "treatment," "payment," or "health care operations." For these communications, the individual's authorization is required before a covered entity may use or disclose PHI for marketing unless one of the exceptions to the authorization requirement (described above) applies.
  • The rule exempts certain activities from the definition of "marketing." If an activity falls into one of the definition's exemptions, the marketing rules do not apply. In these cases, covered entities may engage in the activity without first obtaining an authorization if the activity meets the definition of "treatment," "payment," or "health care operations." These exemptions are described above, in the section titled "Communications That Are Not Marketing," and are designed to ensure that nothing in this rule interferes with treatment activities.

Q: Do disease management, health promotion, preventive care, and wellness programs fall under the definition of "marketing"?

A: Whether these kinds of activities fall under the rule's definition of "marketing" depends on the specifics of how the activity is conducted. The activities currently undertaken under these rubrics are diverse. Covered entities must examine the particular activities they undertake, and compare these to the activities that are exempt from the definition of "marketing."

Q: Can contractors (business associates) use PHI to market to individuals for their own business purposes?

A: The Privacy Rule prohibits health plans and covered health care providers from giving PHI to third parties for the third party's own business purposes, absent authorization from the individuals. Under the statute, this regulation cannot govern contractors directly.

The Privacy Rule establishes the conditions under which protected health information (PHI) may be used or disclosed by covered entities for research purposes. A covered entity may always use or disclose for research purposes health information which has been de-identified (in accordance with §§ 164.502(d), 164.514(a)-(c) of the rule) without regard to the provisions below.

The Privacy Rule also defines the means by which individuals/human research subjects are informed of how medical information about themselves will be used or disclosed and their rights with regard to gaining access to information about themselves, when such information is held by covered entities. Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time, ensuring that researchers continue to have access to medical information necessary to conduct vital research. Currently, most research involving human subjects operates under the Common Rule (codified for the Department of Health and Human Services (HHS) at Title 45 Code of Federal Regulations Part 46) and/or the Food and Drug Administration's (FDA) human subjects protection regulations, which have some provisions that are similar to, but more stringent than and separate from, the Privacy Rule's provisions for research.

Using and Disclosing PHI for Research

In the course of conducting research, researchers may create, use, and/or disclose individually identifiable health information. Under the Privacy Rule, covered entities are permitted to use and disclose PHI for research with individual authorization, or without individual authorization under limited circumstances set forth in the Privacy Rule.

Research Use/Disclosure Without Authorization:

To use or disclose PHI without authorization by the research participant, a covered entity must obtain one of the following:

  • Documentation that an alteration or waiver of research participants' authorization for use/disclosure of information about them for research purposes has been approved by an Institutional Review Board (IRB) or a Privacy Board. This provision of the Privacy Rule might be used, for example, to conduct records research, when researchers are unable to use de-identified information and it is not practicable to obtain research participants' authorization.
  • Representations from the researcher, either in writing or orally, that the use or disclosure of the PHI is solely to prepare a research protocol or for similar purposes preparatory to research, that the researcher will not remove any PHI from the covered entity, and representation that PHI for which access is sought is necessary for the research purpose. This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study.
  • Representations from the researcher, either in writing or orally, that the use or disclosure being sought is solely for research on the PHI of decedents, that the PHI being sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought.

A covered entity may use or disclose PHI for research purposes pursuant to a waiver of authorization by an IRB or Privacy Board provided it has obtained documentation of all of the following:

  • A statement that the alteration or waiver of authorization was approved by an IRB or Privacy Board that was composed as stipulated by the Privacy Rule;
  • A statement identifying the IRB or Privacy Board and the date on which the alteration or waiver of authorization was approved;
  • A statement that the IRB or Privacy Board has determined that the alteration or waiver of authorization, in whole or in part, satisfies the following eight criteria:

- The use or disclosure of PHI involves no more than minimal risk to the individuals;

- The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;

- The research could not practicably be conducted without the alteration or waiver;

- The research could not practicably be conducted without access to and use of the PHI;

- The privacy risks to individuals whose PHI is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research;

- There is an adequate plan to protect the identifiers from improper use and disclosure;

- There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and

- There are adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by this subpart.

  • A brief description of the PHI for which use or access has been determined to be necessary by the IRB or Privacy Board;
  • A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures as stipulated by the Privacy Rule; and

Research Use/Disclosure With Individual Authorization:

The Privacy Rule also permits covered entities to use and disclose PHI for research purposes when a research participant authorizes the use or disclosure of information about him or herself. Today, for example, a research participant's authorization will typically be sought for most clinical trials and some records research. In this case, documentation of IRB or Privacy Board approval of a waiver of authorization is not required for the use or disclosure of PHI.

To use or disclose PHI created from a research study that includes treatment (e.g., a clinical trial), additional research-specific elements must be included in the authorization form required under § 164.508, which describe how PHI created for the research study will be used or disclosed. For example, if the covered entity/researcher intends to seek reimbursement from the research subject's health plan for the routine costs of care associated with the protocol, the authorization must describe types of information that will be provided to the health plan. This authorization may be combined with the traditional informed consent document used in research.

The Privacy Rule permits, but does not require, the disclosure of PHI for specified public policy purposes in § 164.512. With few exceptions, the covered entity/researcher may choose to limit its right to disclose information created for a research study that includes treatment to purposes narrower than those permitted by the rule, in accordance with his or her own professional standards.

Q: Will the rule hinder medical research by making doctors and others less willing and/or able to share information about individual patients?

A: We do not believe that the Privacy Rule will hinder medical research. Indeed, patients and health plan members should be more willing to participate in research when they know their information is protected. For example, in genetic studies at the National Institutes of Health (NIH), nearly 32 percent of eligible people offered a test for breast cancer risk decline to take it. The overwhelming majority of those who refuse cite concerns about health insurance discrimination and loss of privacy as the reason. The Privacy Rule both permits important research and, at the same time, encourages patients to participate in research by providing much needed assurances about the privacy of their health information.

The Privacy Rule will require some covered health care providers and health plans to change their current practices related to documenting research uses and disclosures. It is possible that some covered health care providers and health plans may conclude that the rule's requirements for research uses and disclosures are too burdensome and will choose to limit researchers' access to PHI. We believe few providers will take this route, however, because the Common Rule includes similar, and more stringent, requirements that have not impaired the willingness of researchers to undertake federally-funded research. For example, unlike the Privacy Rule, the Common Rule requires IRB review for all research proposals under its purview, even if informed consent is to be sought. The Privacy Rule requires documentation of IRB or Privacy Board approval only if patient authorization for the use or disclosure of PHI for research purposes is to be altered or waived.

Q: Are some of the criteria so subjective that inconsistent determinations may be made by IRBs and Privacy Boards reviewing similar or identical research projects?

A: Under the Privacy Rule, IRBs and Privacy Boards need to use their judgment as to whether the waiver criteria have been satisfied. Several of the waiver criteria are closely modeled on the Common Rule's criteria for the waiver of informed consent and for the approval of a research study. Thus, it is anticipated that IRBs already have experience in making the necessarily subjective assessments of risks and benefits. While IRBs or Privacy Boards may reach different determinations, the assessment of the waiver criteria through this deliberative process is a crucial element in the current system of safeguarding research participants' privacy. The entire system of local IRBs is, in fact, predicated on a deliberative process that permits local IRB autonomy. The Privacy Rule builds upon this principle; it does not change it.

In addition, for multi-site research that requires PHI from two or more covered entities, the Privacy Rule permits covered entities to accept documentation of IRB or Privacy Board approval from a single IRB or Privacy Board.

Q: Does the Privacy Rule prohibit researchers from conditioning participation in a clinical trial on an authorization to use/disclose existing PHI?

A: No. The Privacy Rule does not address conditions for enrollment in a research study. Therefore, the Privacy Rule in no way prohibits researchers from conditioning enrollment in a research study on the execution of an authorization for the use of pre-existing health information.

Q: Does the Privacy Rule permit the creation of a database for research purposes through an IRB or Privacy Board waiver of individual authorization?

A: Yes. A covered entity may use or disclose PHI without individuals' authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB or Privacy Board has determined that the specified waiver criteria were satisfied. PHI maintained in such a research database could be used or disclosed for future research studies as permitted by the Privacy Rule - that is, for future studies in which individual authorization has been obtained or where the rule would permit research without an authorization, such as pursuant to an IRB or Privacy Board waiver.

Q: Will IRBs be able to handle the additional responsibilities imposed by the Privacy Rule?

A: Recognizing that some institutions may not have IRBs, or that some IRBs may not have the expertise needed to review research that requires consideration of risks to privacy, the Privacy Rule permits the covered entity to accept documentation of waiver of authorization from an alternative body called a Privacy Board, which could have fewer members, and members with different expertise, than IRBs.

In addition, for research that is determined to be of no more than minimal risk, IRBs and Privacy Boards could use an expedited review process, which permits covered entities to accept documentation when only one or more members of the IRB or Privacy Board have conducted the review.

Q: By establishing new waiver criteria and authorization requirements, hasn't the Privacy Rule, in effect, modified the Common Rule?

A: No. Where both the Privacy Rule and the Common Rule apply, both regulations must be followed. The Privacy Rule regulates only the content and conditions of the documentation that covered entities must obtain before using or disclosing PHI for research purposes.

Q: Is documentation of IRB and Privacy Board approval required before a covered entity would be permitted to disclose PHI for research purposes without an individual's authorization?

A: No. The Privacy Rule requires documentation of waiver approval by either an IRB or a Privacy Board, not both.

Q: Does a covered entity need to create an IRB or Privacy Board before using or disclosing PHI for research?

A: No. The IRB or Privacy Board could be created by the covered entity or the recipient researcher, or it could be an independent board.

Q: What does the Privacy Rule say about a research participant's right of access to research records or results?

A: With few exceptions, the Privacy Rule gives patients the right to inspect and obtain a copy of health information about themselves that is maintained in a "designated record set." A designated record set is basically a group of records which a covered entity uses to make decisions about individuals, and includes a health care provider's medical records and billing records, and a health plan's enrollment, payment, claims adjudication, and case or medical management record systems. Research records or results maintained in a designated record set are accessible to research participants unless one of the Privacy Rule's permitted exceptions applies.

One of the permitted exceptions applies to PHI created or obtained by a covered health care provider/researcher for a clinical trial. The Privacy Rule permits the individual's access rights in these cases to be suspended while the clinical trial is in progress, provided the research participant agreed to this denial of access when consenting to participate in the clinical trial. In addition, the health care provider/researcher must inform the research participant that the right to access PHI will be reinstated at the conclusion of the clinical trial.

Q: Are the Privacy Rule's requirements regarding patient access in harmony with the Clinical Laboratory Improvements Amendments of 1988 (CLIA)?

A: Yes. The Privacy Rule does not require clinical laboratories that are also covered health care providers to provide an individual access to information if CLIA prohibits them from doing so. CLIA permits clinical laboratories to provide clinical laboratory test records and reports only to "authorized persons," as defined primarily by state law. The individual who is the subject of the information is not always included as an authorized person. Therefore, the Privacy Rule includes an exception to individuals' general right to access PHI about themselves if providing an individual such access would be in conflict with CLIA.

In addition, for certain research laboratories that are exempt from the CLIA regulations, the Privacy Rule does not require such laboratories, if they are also covered health care providers, to provide individuals with access to PHI, because doing so may result in the research laboratory losing its CLIA exemption.

Q: Do the Privacy Rule's requirements for authorization and the Common Rule's requirements for informed consent differ?

A: Yes. Under the Privacy Rule, a patient's authorization covers the use and disclosure of PHI for research purposes. In contrast, an individual's informed consent as required by the Common Rule and FDA's human subjects regulations is a consent to participate in the research study as a whole, not simply a consent for the research use or disclosure of PHI. For this reason, there are important differences between the Privacy Rule's requirements for individual authorization and the Common Rule's and FDA's requirements for informed consent. Where the Privacy Rule, the Common Rule, and/or FDA's human subjects regulations are applicable, each of the applicable regulations will need to be followed.

RESTRICTIONS ON GOVERNMENT ACCESS TO HEALTH INFORMATION

[ 45 CFR §§ 160.300; 164.512(b); 164.512(f) ]

Under the Privacy Rule, government-operated health plans and health care providers must meet substantially the same requirements as private ones for protecting the privacy of individually identifiable health information. For instance, government-run health plans, such as Medicare and Medicaid, must take virtually the same steps to protect the claims and health information that they receive from beneficiaries as private insurance plans or health maintenance organizations (HMOs). In addition, all federal agencies must also meet the requirements of the Privacy Act of 1974, which restricts what information about individual citizens - including any personal health information - can be shared with other agencies and with the public.

The only new authority for government involves enforcement of the Privacy Rule itself. In order to ensure covered entities protect patients' privacy as required, the rule provides that health plans, hospitals, and other covered entities cooperate with the Department's efforts to investigate complaints or otherwise ensure compliance. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the privacy protections and access rights for consumers under this rule.

Q: Does the rule require my doctor to send my medical records to the government?

A: No. The rule does not require a physician or any other covered entity to send medical information to the government for a government database or similar operation. This rule does not require or allow any new government access to medical information, with one exception: the rule does give OCR the authority to investigate complaints and to otherwise ensure that covered entities comply with the rule.

OCR has been assigned the responsibility of enforcing the Privacy Rule. As is typical in many enforcement settings, OCR may need to look at how a covered entity handled medical records and other personal health information. The Privacy Rule limits disclosure to OCR to information that is "pertinent to ascertaining compliance." OCR will maintain stringent controls to safeguard any individually identifiable health information that it receives. If covered entities could avoid or ignore enforcement requests, consumers would not have a way to ensure an independent review of their concerns about privacy violations under the rule.

Q: Why would a Privacy Rule require covered entities to turn over anybody's personal health information as part of a government enforcement process?

A: An important ingredient in ensuring compliance with the Privacy Rule is the Department's responsibility to investigate complaints that the rule has been violated and to follow up on other information regarding noncompliance. At times, this responsibility entails seeing personal health information, such as when an individual indicates to the Department that they believe a covered entity has not properly handled their medical records.

What information would be needed depends on the circumstances and the alleged violations. The Privacy Rule limits OCR's access to information that is "pertinent to ascertaining compliance." In some cases, no personal health information would be needed. For instance, OCR may need to review only a business contract to determine whether a health plan included appropriate language to protect privacy when it hired an outside company to help process claims.

Examples of investigations that may require OCR to have access to protected health information (PHI) include:

  • Allegations that a covered entity refused to note a request for correction in a patient's medical record, or did not provide complete access to a patient's medical records to that patient.
  • Allegations that a covered entity used health information for marketing purposes without first obtaining the individuals' authorization when required by the rule. OCR may need to review information in the marketing department that contains personal health information, to determine whether a violation has occurred.

Q: Will this rule make it easier for police and law enforcement agencies to get my medical information?

A: No. The rule does not expand current law enforcement access to individually identifiable health information. In fact, it limits access to a greater degree than currently exists. Today, law enforcement officers obtain health information for many purposes, sometimes without a warrant or other prior process. The rule establishes new procedures and safeguards to restrict the circumstances under which a covered entity may give such information to law enforcement officers.

For example, the rule limits the type of information that covered entities may disclose to law enforcement, absent a warrant or other prior process, when law enforcement is seeking to identify or locate a suspect. It specifically prohibits disclosure of DNA information for this purpose, absent some other legal requirements such as a warrant. Similarly, under most circumstances, the Privacy Rule requires covered entities to obtain permission from persons who have been the victim of domestic violence or abuse before disclosing information about them to law enforcement. In most states, such permission is not required today.

Where state law imposes additional restrictions on disclosure of health information to law enforcement, those state laws continue to apply. This rule sets a national floor of legal protections; it is not a set of "best practices."

Even in those circumstances when disclosure to law enforcement is permitted by the rule, the Privacy Rule does not require covered entities to disclose any information. Some other federal or state law may require a disclosure, and the Privacy Rule does not interfere with the operation of these other laws. However, unless the disclosure is required by some other law, covered entities should use their professional judgment to decide whether to disclose information, reflecting their own policies and ethical principles. In other words, doctors, hospitals, and health plans could continue to follow their own policies to protect privacy in such instances.

Q: Must a health care provider or other covered entity obtain permission from a patient prior to notifying public health authorities of the occurrence of a reportable disease?

A: No. All states have laws that require providers to report cases of specific diseases to public health officials. The Privacy Rule allows disclosures that are required by law. Furthermore, disclosures to public health authorities that are authorized by law to collect or receive information for public health purposes are also permissible under the Privacy Rule. In order to do their job of protecting the health of the public, it is frequently necessary for public health officials to obtain information about the persons affected by a disease. In some cases they may need to contact those affected in order to determine the cause of the disease to allow for actions to prevent further illness.

The Privacy Rule continues to allow for the existing practice of sharing PHI with public health authorities that are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting deaths and births, investigating the occurrence and cause of injury and disease, and monitoring adverse outcomes related to food, drugs, biological products, and dietary supplements.

Q: How does the rule affect my rights under the federal Privacy Act?

A: The Privacy Act of 1974 protects personal information about individuals held by the federal government. Covered entities that are federal agencies or federal contractors that maintain records that are covered by the Privacy Act not only must obey the Privacy Rule's requirements but also must comply with the Privacy Act.

[ 45 CFR 164.501 ]

As provided for by the Privacy Rule, a covered entity may use and disclose protected health information (PHI) for payment purposes. "Payment" is a defined term that encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and for a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.

In addition to the general definition, the Privacy Rule provides examples of common payment activities which include, but are not limited to:

  • Determining eligibility or coverage under a plan and adjudicating claims;
  • Risk adjustments;
  • Billing and collection activities;
  • Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
  • Utilization review activities; and
  • Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).

Q: Does the rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act (FCRA)?

A: No. The Privacy Rule's definition of "payment" includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following PHI about the individual: name and address; date of birth; social security number; payment history; account number. In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed. The covered entity may perform this payment activity directly or may carry out this function through a third party, such as a collection agency, under a business associate arrangement.

We are not aware of any conflict in the consumer credit reporting disclosures permitted by the Privacy Rule and FCRA. The Privacy Rule permits uses and disclosures by the covered entity or its business associate as may be required by FCRA or other law. Therefore, we do not believe there would be a conflict between the Privacy Rule and legal duties imposed on data furnishers by FCRA.

Q: Does the Privacy Rule prevent health plans and providers from using debt collection agencies? Does the rule conflict with the Fair Debt Collection Practices Act?

A: The Privacy Rule permits covered entities to continue to use the services of debt collection agencies. Debt collection is recognized as a payment activity within the "payment" definition. Through a business associate arrangement, the covered entity may engage a debt collection agency to perform this function on its behalf. Disclosures to collection agencies under a business associate agreement are governed by other provisions of the rule, including consent (where consent is required) and the minimum necessary requirements.

We are not aware of any conflict between the Privacy Rule and the Fair Debt Collection Practices Act. Where a use or disclosure of PHI is necessary for the covered entity to fulfill a legal duty, the Privacy Rule would permit such use or disclosure as required by law.

Q: Are location information services of collection agencies, which are required under the Fair Debt Collection Practices Act, permitted under the Privacy Rule?

A: "Payment" is broadly defined as activities by health plans or health care providers to obtain premiums or obtain or provide reimbursements for the provision of health care. The activities specified are by way of example and are not intended to be an exclusive listing. Billing, claims management, collection activities and related data processing are expressly included in the definition of "payment." Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity. The covered entity and its business associate would also have to comply with any limitations placed on location information services by the Fair Debt Collection Practices Act.


HIPAA protects health data privacy, but not in the ways most people think

It’s a very limited scope that still does a lot to keep information secure.

The “P” in HIPAA doesn’t stand for privacy. It’s one of the first things a lot of experts will say when asked to clear up any misconceptions about the health data law. Instead, it stands for portability — it’s called the Health Insurance Portability and Accountability Act — and describes how information can be transferred between providers. With misinterpretations of HIPAA starting with just its name, misunderstandings of what the law actually does greatly impact our ability to recognize which kinds of data do and don’t fall under its scope. That’s especially true as a growing number of consumer tech devices and services gather troves of information related to our health.

We often consider HIPAA a piece of consumer data privacy legislation because it did direct the Department of Health and Human Services to come up with certain security provisions, like breach notification regulations and a health privacy rule for protecting individually identifiable information. But when HIPAA went into effect in the 1990s, its primary aim was improving how providers worked with insurance companies. Put simply, “people think HIPAA covers more than it actually does,” said Daniel Solove, professor at George Washington University and CEO of privacy training firm TeachPrivacy.

HIPAA has two big restrictions in scope: a limited set of covered entities, and a limited set of covered data, according to Cobun Zweifel-Keegan, DC managing director of the International Association of Privacy Professionals. Covered entities include healthcare providers like doctors and health plans like health insurance companies. The covered data refers to medical records and other individually identifiable health information used by those covered entities. Under HIPAA, your general practitioner can’t sell data related to your vaccination status to an ad firm, but a fitness app (which wouldn’t be a covered entity) that tracks your steps and heart rate (which aren’t considered covered data) absolutely can.

“What HIPAA covers is information that relates to health care or payment for health care, and sort of any piece of identifiable information that’s in that file,” Solove said. It doesn’t cover any health information shared with your employer or school, like if you turn in a sick note, but it does protect your doctor from sharing more details about your diagnosis if they call to verify.

A lot has changed in the nearly 30 years since HIPAA went into effect, though. The legislators behind HIPAA didn’t anticipate how much data we would be sharing about ourselves today, much of which can be considered personally identifiable. So, that information doesn’t fall under its scope. “When HIPAA was designed, nobody really anticipated what the world was going to look like,” Lee Tien, senior staff attorney at the Electronic Frontier Foundation said. It’s not badly designed, HIPAA just can’t keep up with the state we’re in today. “You're sharing data all the time with other people who are not doctors or who are not the insurance company,” said Tien.

Think of all the data collected about us on the daily that could provide insight into our health. Noom tracks your diet. Peloton knows your activity levels. Calm sees you when you’re sleeping. Medisafe knows your pill schedule. Betterhelp knows what mental health conditions you might have, and less than a year ago was banned by the FTC from disclosing that information to advertisers. The list goes on, and much of it can be used to sell dietary supplements or sleep aids or whatever else. “Health data could be almost limitless,” so if HIPAA didn’t have a limited scope of covered entities, the law would be limitless, too, Solove said.

Not to mention the amount of inferences that firms can make about our health based on other data. An infamous 2012 New York Times investigation detailed how, just from someone’s online searches and purchases, Target can figure out that they’re pregnant. HIPAA may not protect your medical information from being viewed by law enforcement officers. Even without a warrant, cops can get your records just by saying that you’re a suspect (or victim) of a crime. Police have used pharmacies to gather medical data about suspects, but other types of data like location information can provide sensitive details, too. For example, it can show that you went to a specific clinic to receive care. Because of these inferences, laws like HIPAA won’t necessarily stop law enforcement from prosecuting someone based on their healthcare decision.

Today, state-specific laws crop up across the US to help target some of the health data privacy gaps that HIPAA doesn’t cover. This means going beyond just medical files and healthcare providers to encompass more of people’s health data footprint. Approaches vary between states: California, for example, provides options to charge anyone who negligently discloses medical information, and Pennsylvania offers some additional breach protections for consumers, but Washington state recently passed a law specifically targeting HIPAA’s gaps.

Washington State’s My Health My Data Act, passed last year, aims to “protect personal health data that falls outside the ambit of the Health Insurance Portability and Accountability Act,” according to a press release from Washington’s Office of the Attorney General. Any entity that conducts business in the state of Washington and deals with personal information that identifies a consumer’s past, present or future physical or mental health status must comply with the act’s privacy protections. Those provisions include the right not to have your health data sold without your permission and having health data deleted via written request. Under this law, unlike HIPAA, an app tracking someone’s drug dosage and schedule or the inferences made by Target about pregnancy would be covered.

My Health My Data is still rolling out, so we’ll have to wait and see how the law impacts national health data privacy protections. Still, it’s already sparking copycat laws in states like Vermont.


NIST SP 800-66 Rev. 2

Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

Date Published: February 2024

Supersedes: SP 800-66 Rev. 1 (10/23/2008)

See NIST’s Cybersecurity and Privacy Reference Tool ( CPRT ) for the following content:

  • Key activities, descriptions, and sample questions from the tables in Section 5
  • Mappings of the HIPAA Security Rule’s standards and implementation specifications to NIST Cybersecurity Framework Subcategories and SP 800-53r5 security controls
  • Listings of NIST publications relevant to each HIPAA Security Rule standard

Jeffrey Marron (NIST)

The HIPAA Security Rule focuses on safeguarding electronic protected health information (ePHI) held or maintained by regulated entities. The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. This publication provides practical guidance and resources that can be used by regulated entities of all sizes to safeguard ePHI and better understand the security concepts discussed in the HIPAA Security Rule.


Documentation

Publication: https://doi.org/10.6028/NIST.SP.800-66r2

Supplemental Material: Appendix F: HIPAA Security Rule Resources (pdf)

Document History: 04/29/21: SP 800-66 Rev. 2 (Draft); 07/21/22: SP 800-66 Rev. 2 (Draft); 02/14/24: SP 800-66 Rev. 2 (Final)

Topics: risk management; Health Insurance Portability and Accountability Act

NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.

Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009.


Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.


2 The Value and Importance of Health Information Privacy

Ethical health research and privacy protections both provide valuable benefits to society. Health research is vital to improving human health and health care. Protecting patients involved in research from harm and preserving their rights is essential to ethical research. The primary justification for protecting personal privacy is to protect the interests of individuals. In contrast, the primary justification for collecting personally identifiable health information for health research is to benefit society. But it is important to stress that privacy also has value at the societal level, because it permits complex activities, including research and public health activities to be carried out in ways that protect individuals’ dignity. At the same time, health research can benefit individuals, for example, when it facilitates access to new therapies, improved diagnostics, and more effective ways to prevent illness and deliver care.

The intent of this chapter 1 is to define privacy and to delineate its importance to individuals and society as a whole. The value and importance of health research will be addressed in Chapter 3 .

CONCEPTS AND VALUE OF PRIVACY

Definitions

Privacy has deep historical roots (reviewed by Pritts, 2008 ; Westin, 1967 ), but because of its complexity, privacy has proven difficult to define and has been the subject of extensive, and often heated, debate by philosophers, sociologists, and legal scholars. The term “privacy” is used frequently, yet there is no universally accepted definition of the term, and confusion persists over the meaning, value, and scope of the concept of privacy. At its core, privacy is experienced on a personal level and often means different things to different people (reviewed by Lowrance, 1997 ; Pritts, 2008 ). In modern society, the term is used to denote different, but overlapping, concepts such as the right to bodily integrity or to be free from intrusive searches or surveillance. The concept of privacy is also context specific, and acquires a different meaning depending on the stated reasons for the information being gathered, the intentions of the parties involved, as well as the politics, convention and cultural expectations ( Nissenbaum, 2004 ; NRC, 2007b ).

Our report, and the Privacy Rule itself, are concerned with health informational privacy. In the context of personal information, concepts of privacy are closely intertwined with those of confidentiality and security. However, although privacy is often used interchangeably with the terms “confidentiality” and “security,” they have distinct meanings. Privacy addresses the question of who has access to personal information and under what conditions. Privacy is concerned with the collection, storage, and use of personal information, and examines whether data can be collected in the first place, as well as the justifications, if any, under which data collected for one purpose can be used for another (secondary) 2 purpose. An important issue in privacy analysis is whether the individual has authorized particular uses of his or her personal information ( Westin, 1967 ).

Confidentiality safeguards information that is gathered in the context of an intimate relationship. It addresses the issue of how to keep information exchanged in that relationship from being disclosed to third parties ( Westin, 1976 ). Confidentiality, for example, prevents physicians from disclosing information shared with them by a patient in the course of a physician–patient relationship. Unauthorized or inadvertent disclosures of data gained as part of an intimate relationship are breaches of confidentiality ( Gostin and Hodge, 2002 ; NBAC, 2001 ).

Security can be defined as “the procedural and technical measures required (a) to prevent unauthorized access, modification, use, and dissemination of data stored or processed in a computer system, (b) to prevent any deliberate denial of service, and (c) to protect the system in its entirety from physical harm” ( Turn and Ware, 1976 ). Security helps keep health records safe from unauthorized use. When someone hacks into a computer system, there is a breach of security (and also potentially, a breach of confidentiality). No security measure, however, can prevent invasion of privacy by those who have authority to access the record ( Gostin, 1995 ).

The Importance of Privacy

There are a variety of reasons for placing a high value on protecting the privacy, confidentiality, and security of health information (reviewed by Pritts, 2008 ). Some theorists depict privacy as a basic human good or right with intrinsic value ( Fried, 1968 ; Moore, 2005 ; NRC, 2007a ; Terry and Francis, 2007 ). They see privacy as being objectively valuable in itself, as an essential component of human well-being. They believe that respecting privacy (and autonomy) is a form of recognition of the attributes that give humans their moral uniqueness.

The more common view is that privacy is valuable because it facilitates or promotes other fundamental values, including ideals of personhood ( Bloustein, 1967 ; Gavison, 1980 ; Post, 2001 ; Solove, 2006 ; Taylor, 1989 ; Westin, 1966 ) such as:

  • Personal autonomy (the ability to make personal decisions)
  • Individuality
  • Dignity and worth as human beings

The bioethics principle nonmaleficence 3 requires safeguarding personal privacy. Breaches of privacy and confidentiality not only may affect a person’s dignity, but can cause harm. When personally identifiable health information, for example, is disclosed to an employer, insurer, or family member, it can result in stigma, embarrassment, and discrimination. Thus, without some assurance of privacy, people may be reluctant to provide candid and complete disclosures of sensitive information even to their physicians. Ensuring privacy can promote more effective communication between physician and patient, which is essential for quality of care, enhanced autonomy, and preventing economic harm, embarrassment, and discrimination ( Gostin, 2001 ; NBAC, 1999 ; Pritts, 2002 ). However, it should also be noted that perceptions of privacy vary among individuals and various groups. Data that are considered intensely private by one person may not be by others ( Lowrance, 2002 ).

But privacy has value even in the absence of any embarrassment or tangible harm. Privacy is also required for developing interpersonal relationships with others. Although some emphasize the need for privacy to establish intimate relationships ( Allen, 1997 ), others take a broader view of privacy as being necessary to maintain a variety of social relationships ( Rachels, 1975 ). By giving us the ability to control who knows what about us and who has access to us, privacy allows us to alter our behavior with different people so that we may maintain and control our various social relationships ( Rachels, 1975 ). For example, people may share different information with their boss than they would with their doctor.

Most discussions on the value of privacy focus on its importance to the individual. Privacy can be seen, however, as also having value to society as a whole ( Regan, 1995 ). Privacy furthers the existence of a free society ( Gavison, 1980 ). For example, preserving privacy from widespread surveillance can be seen as protecting not only the individual’s private sphere, but also society as a whole: Privacy contributes to the maintenance of the type of society in which we want to live ( Gavison, 1980 ; Regan, 1995 ).

Privacy can foster socially beneficial activities like health research. Individuals are more likely to participate in and support research if they believe their privacy is being protected. Protecting privacy is also seen by some as enhancing data quality for research and quality improvement initiatives. When individuals avoid health care or engage in other privacy-protective behaviors, such as withholding information, inaccurate and incomplete data are entered into the health care system. These data, which are subsequently used for research, public health reporting, and outcomes analysis, carry with them the same vulnerabilities ( Goldman, 1998 ).

The bioethics principle of respect for persons also places importance on individual autonomy, which allows individuals to make decisions for themselves, free from coercion, about matters that are important to their own well-being. U.S. society also places a high value on individual autonomy, and one way to respect persons and enhance individual autonomy is to ensure that people can make the choice about when, and whether, personal information (particularly sensitive information) can be shared with others.

Public Views of Health Information Privacy

American society places a high value on individual rights, personal choice, and a private sphere protected from intrusion. Medical records can include some of the most intimate details about a person’s life. They document a patient’s physical and mental health, and can include information on social behaviors, personal relationships, and financial status ( Gostin and Hodge, 2002 ). Accordingly, surveys show that medical privacy is a major concern for many Americans, as outlined below (reviewed by Pritts, 2008 ; Westin, 2007 ). As noted in Chapter 1 , however, there are some limits to what can be learned from surveys ( Tourangeau et al., 2000 ; Wentland, 1993 ; Westin, 2007 ). For example, how the questions and responses are worded and framed can significantly influence the results and their interpretation. Also, responses are biased when respondents self-report measures of attitudes, behavior, and feelings in such a way as to represent themselves favorably.

In a 1999 survey of consumer attitudes toward health privacy, three out of four people reported that they had significant concerns about the privacy and confidentiality of their medical records ( Forrester Research, 1999 ). In a more recent survey, conducted in 2005 after the implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 67 percent of respondents still said they were concerned about the privacy of their medical records, suggesting that the Privacy Rule had not effectively alleviated public concern about health privacy. Ethnic and racial minorities showed the greatest concern among the respondents. Moreover, the survey showed that many consumers were unfamiliar with the HIPAA privacy protections. Only 59 percent of respondents recalled receiving a HIPAA privacy notice, and only 27 percent believed they had more rights than they had before receiving the notice ( Forrester Research, 2005 ). One out of eight respondents also admitted to engaging in behaviors intended to protect their privacy, even at the expense of risking dangerous health effects. These behaviors included lying to their doctors about symptoms or behaviors, refusing to provide information or providing inaccurate information, paying out of pocket for care that is covered by insurance, and avoiding care altogether ( Forrester Research, 2005 ).

A series of polls conducted by Harris Interactive suggest, however, that the privacy of health information has improved since implementation of the Privacy Rule. Prior to its creation, a 1993 survey by Harris Interactive showed that 27 percent of Americans believed their personal medical information had been released improperly in the past 3 years. In contrast, 14 percent and 12 percent of respondents believed this had happened to them in 2005 and 2007, respectively ( Harris Interactive, 2005 ; Harris Interactive, 2007 ). In the 2005 survey, about two-thirds of respondents reported having received a HIPAA privacy notice, and of these people, 67 percent said the privacy notice increased their confidence that their medical information is being handled properly ( Harris Interactive, 2005 ).

Responses to other questions on recent public opinion polls conducted by Harris Interactive only partially corroborate these findings. In one survey, 70 percent of respondents indicated that they are generally satisfied with how their personal health information is handled with regard to privacy protections and security. Nearly 60 percent of the respondents reported that they believe the existing federal and state health privacy protection laws provide a reasonable level of privacy protection for their health information ( Harris Interactive, 2005 ). Nonetheless, half of the respondents also believed that “[P]atients have lost all control today over how their medical records are obtained and used by organizations outside the direct patient health care such as life insurers, employers, and government health agencies.” In another survey, 83 percent of respondents reported that they trust health care providers to protect the privacy and confidentiality of their personal medical records and health information ( Westin, 2007 ). However, in that survey, 58 percent of respondents believed the privacy of personal medical records and health information is not protected well enough today by federal and state laws and organizational practices.

A number of studies suggest that the relative strength of privacy, confidentiality, and security protections can play an important role in people’s concerns about privacy (reviewed by Pritts, 2008 ). When presented with the possibility that there would be a nationwide system of electronic medical records, one survey found 70 percent of respondents were concerned that sensitive personal medical record information might be leaked because of weak data security, 69 percent expressed concern that there could be more sharing of medical information without the patient’s knowledge, and 69 percent were concerned that strong enough data security will not be installed in the new computer system.

Confidentiality is particularly important to adolescents who seek health care. When adolescents perceive that health services are not confidential, they report that they are less likely to seek care, particularly for reproductive health matters or substance abuse ( Weddle and Kokotailo, 2005 ). In addition, the willingness of a person to make self-disclosures necessary to mental health and substance abuse treatment may decrease as the perceived negative consequences of a breach of confidentiality increase ( Petrila, 1999 ; Roback and Shelton, 1995 ; Taube and Elwork, 1990 ). These studies show that protecting the privacy of health information is important for ensuring that individuals seek and obtain quality care.

The potential for economic harm resulting from discrimination in health insurance and employment is also a concern for many people (reviewed by Pritts, 2008 ). Polls consistently show that people are most concerned about insurers and employers accessing their health information without their permission ( Forrester Research, 2005 ; PSRA, 1999 ). This concern arises from fears about employer and insurer discrimination. Concerns about employer discrimination based on health information, in particular, increased 16 percent between 1999 and 2005, with 52 percent of respondents in the later survey expressing concern that their information might be seen by an employer and used to limit job opportunities ( Forrester Research, 2005 ; PSRA, 1999 ). Reports alleging that major employers such as Wal-Mart base some of their hiring decisions on the health of applicants suggest that these concerns may be justified ( Greenhouse and Barbaro, 2005 ).

Studies show that individuals are especially concerned about genetic information being used inappropriately by their insurers and employers (reviewed by Pritts, 2008 ). Even health care providers appear to be affected by these concerns. In a survey of cancer-genetics specialists, more than half indicated that they would pay out of pocket rather than bill their insurance companies for genetic testing, for fear of genetic discrimination ( Hudson, 2007 ). Although surveys do not reveal a significant percentage of individuals who have experienced such discrimination, geneticists have reported that approximately 550 individuals were refused employment, fired, or denied life insurance based on their genetic constitution ( NBAC, 1999 ). In addition, a study in the United Kingdom suggested that life insurers in that country do not have a full grasp on the meaning of genetic information and do not assess or act in accord with the actuarial risks presented by the information ( Low et al., 1998 ). There is, therefore, some legitimate basis to individuals’ concerns about potential economic harm and the need to protect the privacy of their genetic information. Recent passage of the Genetic Information Nondiscrimination Act in the United States will hopefully begin to address some of these concerns. 4

Patient Attitudes About Privacy in Health Research

Ideally, there would be empirical evidence regarding the privacy value of all the specific Privacy Rule provisions that impact researchers, but there are only limited data on this topic from the consumer/patient perspective. A few studies have attempted to examine the public’s attitudes about the use of health information in research. However, few have attempted to do so with respect to the intricacies of the protections afforded by the Privacy Rule or the Common Rule, 5 which are likely not well known to the public.

A review by Westin of 43 national surveys with health privacy questions fielded between 1993 and September 2007 identified 9 surveys 6 with one or more questions about health research and privacy ( Westin, 2007 ). In some, the majority of respondents were not comfortable with their health information being provided for health research except with notice and express consent. But in others, a majority of respondents were willing to forgo notice and consent if various safeguards and specific types of research were offered. For example, a recent Harris Poll found that 63 percent of respondents would give general consent to the use of their medical records for research, as long as there were guarantees that no personally identifiable health information would be released from such studies ( Harris Interactive, 2007 ). This is similar to the percentage of people willing to participate in a “clinical research study” ( Research!America, 2007 ; Woolley and Propst, 2005 ) (see also Chapter 3 ). A 2006 British survey also found strong support for the use of personally identifiable information without consent for public health research and surveillance, via the National Cancer Registry ( Barrett et al., 2007 ).

Westin noted that opinions varied in the surveys according to developments on the health care scene and with consumer privacy trends. He concluded from this review that the majority of consumers are positive about health research, and if asked in general terms, support their medical information being made available for research. However, he also noted that most of these surveys presented the choice in ways that did not articulate the key permission process, and that there was much ambiguity in who “researchers” are, what kind of “health research” is involved, and how the promised protection of personal identities would be ensured ( Westin, 2007 ).

Reviewing the handful of detailed studies examining patient views of the use of their medical information in research through surveys, structured interviews, or focus groups, Pritts determined that a number of common themes emerge (reviewed by Pritts, 2008 ):

  • Patients were generally very supportive of research provided safeguards are established to protect the privacy and security of their medical information ( Damschroder et al., 2007 ; Kass et al., 2003 ; Robling et al., 2004 ; Westin, 2007 ; Willison et al., 2007 ).
  • Patients were much more comfortable with the use of anonymized data (e.g., where obvious identifiers have been removed) than fully identifiable data for research ( Damschroder et al., 2007 ; Kass et al., 2003 ; Robling et al., 2004 ; Whiddett et al., 2006 ).
  • Patients were less comfortable with sharing information about “sensitive” conditions such as mental health with researchers ( Damschroder et al., 2007 ; Robling et al., 2004 ).

In studies where patients were able to provide unstructured comments, they expressed concern about the potential that anonymized data would be reidentified. They were also concerned that insurers or employers or others who could discriminate against subjects could potentially access information maintained by researchers ( Damschroder et al., 2007 ; Kass et al., 2003 ; Robling et al., 2004 ). Some feared that researchers would sell information to drug companies or other third parties ( Damschroder et al., 2007 ).
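The reidentification concern raised in these comments is well founded: the “anonymized” data in the studies above is data with obvious identifiers removed, and the fields that remain (ZIP code, date of birth, sex) can be joined against any public list that carries the same fields. The following is an added example, not code from the IOM report or any of the studies it cites; both datasets are constructed toy data, and the choice of ZIP, date of birth and sex as the link keys is an assumption.

```python
"""Linkage attack on a "de-identified" research extract, and a k-anonymity check.

Added example, not code from the IOM report. Removing names and record numbers
leaves quasi-identifiers (here ZIP code, date of birth and sex, an assumed
choice) that can be joined against any public list carrying the same fields.
All data below is constructed toy data.
"""
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed "de-identified" extract: direct identifiers already stripped.
RESEARCH_EXTRACT = [
    {"zip": "02138", "dob": "1961-07-31", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1963-03-09", "sex": "F", "diagnosis": "depression"},
    {"zip": "02139", "dob": "1975-02-14", "sex": "M", "diagnosis": "HIV"},
    {"zip": "02138", "dob": "1977-10-30", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02140", "dob": "1990-05-20", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02141", "dob": "1992-01-01", "sex": "F", "diagnosis": "migraine"},
]

# Constructed public register (a voter roll, say) with the same fields plus names.
PUBLIC_REGISTER = [
    {"name": "Alice Jones", "zip": "02138", "dob": "1961-07-31", "sex": "F"},
    {"name": "Beth Kim",    "zip": "02139", "dob": "1963-03-09", "sex": "F"},
    {"name": "Bob Smith",   "zip": "02139", "dob": "1975-02-14", "sex": "M"},
    {"name": "Dan Brown",   "zip": "02139", "dob": "1975-02-14", "sex": "M"},
    {"name": "Carl Diaz",   "zip": "02138", "dob": "1977-10-30", "sex": "M"},
    {"name": "Eve Black",   "zip": "02140", "dob": "1990-05-20", "sex": "F"},
]


def qi_key(record, keys=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values used as a join key."""
    return tuple(record[k] for k in keys)


def link(extract, register, keys=QUASI_IDENTIFIERS):
    """Join each extract record to every register entry sharing its quasi-identifiers.

    Returns one list of candidate names per extract record. A single candidate
    means the record, and its diagnosis, is re-identified outright.
    """
    index = defaultdict(list)
    for person in register:
        index[qi_key(person, keys)].append(person["name"])
    return [index.get(qi_key(rec, keys), []) for rec in extract]


def reidentified(extract, register, keys=QUASI_IDENTIFIERS):
    """Diagnoses that can be tied to exactly one named person."""
    return {
        names[0]: rec["diagnosis"]
        for rec, names in zip(extract, link(extract, register, keys))
        if len(names) == 1
    }


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest equivalence class over the quasi-identifiers (k=1: someone is unique)."""
    return min(Counter(qi_key(r, keys) for r in records).values())


def generalize(record):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and decade of birth."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:3] + "0s"
    return out


if __name__ == "__main__":
    for rec, names in zip(RESEARCH_EXTRACT, link(RESEARCH_EXTRACT, PUBLIC_REGISTER)):
        print(qi_key(rec), rec["diagnosis"], "->", names or "no match")
    print("k before generalization:", k_anonymity(RESEARCH_EXTRACT))
    coarse = [generalize(r) for r in RESEARCH_EXTRACT]
    print("k after generalization:", k_anonymity(coarse))
```

On this toy data four of the six “anonymized” records link to exactly one named person, and the extract is 1-anonymous on the quasi-identifiers. Generalizing ZIP to its prefix and birth date to a decade raises it to 2-anonymous. Note that k-anonymity alone is not sufficient: if everyone in an equivalence class shares the same diagnosis, the diagnosis is disclosed even though no individual record is singled out.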

Although supportive of research, the majority of patients in these studies expressed a desire to be consulted before their information was released for research ( Damschroder et al., 2007 ; Kass et al., 2003 ; Robling et al., 2004 ; Westin, 2007 ; Whiddett et al., 2006 ; Willison et al., 2007 ). Some surveys also show that even if researchers would receive no directly identifying information (e.g., name, address, and health insurance number), the majority of respondents still wanted to have some input before their medical records were disclosed ( Damschroder et al., 2007 ; Robling et al., 2004 ; Willison et al., 2007 ). For example, in a 2005 Australian survey, 67 percent of respondents indicated they would be willing to allow their deidentified health records to be used for medical research purposes, but 81 percent wanted to be asked first ( Flannery and Tokley, 2005 ).

Studies indicate that public support for research and willingness to share health information can vary with the purpose or type of activity being conducted (reviewed by Pritts, 2008 ). Studies have found there was less support for activities that were primarily for a commercial purpose, or that might be used in a manner that would not help patients ( Damschroder et al., 2007 ; Willison et al., 2007 ). Some participants expressed concern that some researchers were motivated by monetary rewards and that decision makers would act out of self-interest ( Damschroder et al., 2007 ).

One recent study suggests that the biggest predictor of whether patients are willing to share their medical records with researchers is the patients’ trust that their information will be kept private and confidential ( Damschroder et al., 2007 ). In this study, the patients who most trusted the Veterans Affairs system to keep their medical records private were more likely to accept less stringent requirements for informed consent. Thirty-four percent of veterans who participated in intensive focus groups using deliberative democracy were willing to allow researchers associated with the Veterans Health Administration to use their medical records without any procedures for patient input, subject to Institutional Review Board (IRB) approval, and another 17 percent reported that patients should have to ask for their medical records to be excluded from research studies (opt-out).

But participants in focus groups also have expressed a desire to be informed of how their health information was used for research. This desire was tied to a sense of altruism—they wanted to know that their information was useful and that they may have contributed to helping others by allowing their medical records to be used for research ( Damschroder et al., 2007 ; Robling et al., 2004 ). The veterans also recommended methods to give research participants more control over how their medical records are used in research. These recommendations included requiring that participants are fully informed about how their medical records are being used in research; providing assurances that the research being conducted will benefit fellow veterans; updating research participants about findings and ongoing research; and setting out clear and consistent consequences for anyone who violates a patient’s privacy ( Damschroder et al., 2007 ).

The recent Harris poll 7 commissioned by the Institute of Medicine (IOM) committee for this study found that 8 percent of respondents had been asked to have their medical information used in research, but declined. When asked why, 30 percent indicated they were concerned about the privacy and confidentiality of their personal information, but many other reasons were also commonly cited (ranging from 5 to 24 percent of respondents), including worry that participation would be risky, painful, or unpleasant; lack of trust in the researchers; or belief that it would not help their condition or their family ( Westin, 2007 ).

Some studies also suggest that individuals’ attitudes toward the use of their medical records in research may be influenced by a person’s state of health. Although the commissioned Harris Poll found that people who are in only fair health, who have a disability, or who had taken a genetic test were slightly more concerned than the public about health researchers seeing their medical records (55 percent versus 50 percent), other data suggest that people with health concerns may be more supportive of using medical records in research. For example, qualitative market research by the National Health Council showed that individuals with chronic conditions have a very favorable attitude toward the implementation of electronic personal health records (EPHRs). During the focus group discussions, participants noted that EPHRs could be very advantageous in medical research and were supportive of this use even though many had expressed concern about the privacy and confidentiality of EPHRs ( Balch et al., 2005 , 2006 ). Although the Council did not specifically ask about attitudes toward health research and privacy, these results suggest that individuals with chronic conditions may be more likely to grant researchers access to their medical records, and to place less emphasis on protecting privacy than members of the general population.

Also, a Johns Hopkins University survey of patients having, or at risk for, serious medical conditions examined these patients’ attitudes about the use of their medical records in research, and compared those results to polls from the general population. Thirty-one percent of respondents stated that medical researchers should have access to their medical records without their permission if it would help to advance medical knowledge.

In contrast, the recent Harris poll of the public found that 19 percent of respondents would be willing to forgo consent to use personal medical and health information, as long as the study never revealed their identity and it was supervised by an IRB ( Westin, 2007 ). An additional 8 percent indicated they would be willing to give general consent in advance to have personally identifiable medical or health information used in future research projects without the researchers having to contact them, and 1 percent said researchers should be free to use their personal medical and health information without their consent at all. Thus, 28 percent of respondents would be willing to grant researchers access to their medical records without giving specific consent for each research project. Thirty-eight percent believed they should be asked to consent to each research study seeking to use their personally identifiable medical or health information, and 13 percent did not want researchers to contact them or to use their personal or health information under any circumstances. However, those who preferred not to be contacted at all were actually less likely than those who would grant conditional permission to have declined participating in a research study. Notably, 20 percent of respondents were unsure how to respond to the question about notice and consent for research.

Among the 38 percent who said they wanted notice and consent, 80 percent indicated that they would want to know the purpose of the research, and 46 percent wanted to know specifically whether the research could help their health condition or those of family members. Sixty-two percent indicated that knowing about the specific research study and who would be running it would allow the respondent to decide whether to trust the researchers. A little more than half of the respondents (54 percent) said they would be worried that their personally identifiable information may be disclosed outside the study. Among those 54 percent, three-quarters agreed with the statement “I would feel violated and my trust in the researchers betrayed.” Between 39 and 67 percent were concerned about discrimination in a government program, by an employer, or in obtaining life or health insurance ( Westin, 2007 ).

However, about 70 percent of all respondents indicated that they trusted health researchers to protect the privacy and confidentiality of the medical records and health information they obtain about research participants. Furthermore, among respondents who had participated in health research, only 2 percent reported that any of their personally identifiable medical information used in a study was given to anyone outside the research staff, and half of those disclosures were actually made to other researchers or research institutions ( Westin, 2007 ).

In summary, very limited data are available to assess the privacy value of the Privacy Rule provisions that impact researchers. Surveys indicate that the public is deeply concerned about the privacy and security of personal health information, and that the HIPAA Privacy Rule has perhaps reduced, but not eliminated, those concerns. Patients were generally very supportive of research, provided safeguards were established to protect the privacy and security of their medical information, although some surveys indicate that a significant portion of the public would still prefer to control access to their medical records via consent, even if the information is anonymized. Studies indicate that public support for research and willingness to share health information varies with health status and the type of research conducted, and depends on the patients’ trust that their information will be kept private and confidential. An understanding of the public’s attitude toward privacy is important throughout the rest of this report, because many of the IOM committee’s recommendations affect the nature of the privacy protections afforded by the federal health research regulations.

HISTORICAL DEVELOPMENT OF LEGAL PROTECTIONS OF HEALTH INFORMATION PRIVACY

The medical community has long recognized the importance of protecting privacy in maintaining public trust in doctors and researchers, and codes of medical ethics reflect a desire to increase this public trust. Since the time of Hippocrates, physicians have pledged to keep information about their patients private and confidential ( Feld and Feld, 2005 ). The Hippocratic Oath states, “What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself….” This pledge to privacy has been included in the code of ethics of nearly all health care professionals in the United States. For example, the first Code of Ethics of the American Medical Association in 1847 included the concept of confidentiality ( OTA, 1993 ).

The value of health information privacy has also been recognized by affording it protection under the law (reviewed by Pritts, 2008 ). The rules for protecting the privacy of health information in the clinical care and health research contexts developed along fairly distinct paths until the promulgation of the federal privacy regulations under HIPAA. 8 Prior to HIPAA, health information in the clinical setting was protected primarily under a combination of federal and state constitutional law, as well as state common law and statutory protections ( Box 2-1 ).

Box 2-1. Overview of Privacy Protections in the Law (excerpt). Constitutional Protections: Both federal and state constitutions generally afford citizens some protection for the privacy of their health information. However, with limited exceptions, …

In contrast, research practices have been governed largely by federal regulations called the Common Rule, which have historically focused on protecting individuals from physical and mental harm in clinical trials (see subsequent sections of this chapter). Although the standards apply to research that uses personally identifiable health information, the protection of information is not their primary focus.

Principles of Fair Information Practice

The framework from which detailed statutory and regulatory protections of privacy developed originated in the 1973 report of an advisory committee to the U.S. Department of Health, Education and Welfare (HEW), “designed to call attention to issues of recordkeeping practice in the computer age that may have profound significance for us all” ( HEW, 1973 ). The principles were intended to “provide a basis for establishing procedures that assure the individual a right to participate in a meaningful way in decisions about what goes into records about him and how that information shall be used” ( HEW, 1973 ). In addition to affording individuals the meaningful right to control the collection, use, and disclosure of their information, the fair information practices also impose affirmative responsibilities to safeguard information on those who collect it (reviewed by Pritts, 2008 ).

The fundamental principles of fair information practice articulated in the report have since been amplified and adopted in various forms at the international, federal, and state levels ( Gelman, 2008 ). The fair information practices endorsed by the Organisation for Economic Co-operation and Development (OECD), which have been widely cited, include the following principles ( OECD, 1980 ):

  • Collection Limitation There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
  • Data Quality Personal data should be relevant to the purposes for which they are to be used, and to the extent necessary for those purposes, should be accurate, complete, and kept updated.
  • Purpose Specification The purposes for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes, and as are specified on each occasion of change of purpose.
  • Use Limitation Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with the Purpose Specification principle except (a) with the consent of the data subject, or (b) by the authority of law.
  • Security Safeguards Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
  • Openness There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
  • Individual Participation An individual should have the right to know whether a data controller has data relating to him/her, to obtain a copy of the data within a reasonable time in a form that is intelligible to him/her, to obtain a reason if the request for access is denied, to challenge such a denial, to challenge data relating to him/her, and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
  • Accountability A data controller should be accountable for complying with measures, which give effect to the principles stated above.

These principles have been adopted at the federal and state levels to varying degrees. The United States has taken a sector-driven approach toward adopting the principles of fair information practices, with the federal and state governments promulgating statutes and regulations that apply only to specific classes of record keepers or categories of records. 9, 10

At the federal level, the fair information practices were first incorporated into the Privacy Act of 1974, which governs the collection, use, and disclosure of personally identifiable data held by the federal government and some of its contractors. Hospitals operated by the federal government and health care or research institutions operated under federal contract are subject to the Privacy Act, while other health care entities remained outside its scope ( Gostin, 1995 ). Nevertheless, the Privacy Act afforded perhaps the broadest protection for health information at the federal level until the promulgation of the HIPAA Privacy Rule.

For their part, states have adopted (and continue to adopt) laws that not only mirror the Privacy Act in protecting government-held records, but also that afford broader protections for personally identifiable health information held by private parties. However, these principles have not been adopted uniformly among states, resulting in a patchwork of state health privacy laws that provide little consistency from entity to entity or from state to state.

For example, the states have enacted the fair information practice restriction on use and disclosure of information in varying ways (reviewed by Pritts, 2008 ). Some allow the disclosure of health information for research without the individual’s permission and others require such permission. Others require such permission only for the release of certain types of information for research. Similarly, state statutes vary widely in how they have applied the accountability principle, both in the way they provide remedies for breaches in confidentiality and security and with respect to the standard imposed for initiating a suit. Also, only a few states have statutorily required providers to undertake security measures to ensure that health information is used and disclosed properly.

SECURITY OF HEALTH DATA

Protecting the security of data in health research is important because health research requires the collection, storage, and use of large amounts of personally identifiable health information, much of which may be sensitive and potentially embarrassing. If security is breached, the individuals whose health information was inappropriately accessed face a number of potential harms. The disclosure of personal information may cause intrinsic harm simply because that private information is known by others ( Saver, 2006 ). Another potential danger is economic harm. Individuals could lose their job, health insurance, or housing if the wrong type of information becomes public knowledge. Individuals could also experience social or psychological harm. For example, the disclosure that an individual is infected with HIV or another type of sexually transmitted infection can cause social isolation and/or other psychologically harmful results ( Gostin, 2008 ). Finally, security breaches could put individuals in danger of identity theft ( Pritts, 2008 ).

Protecting the privacy of research participants and maintaining the confidentiality of their data have always been paramount in research and a fundamental tenet of clinical research. However, several highly publicized examples of stolen or misplaced computers containing health data have heightened the public’s concerns about the security of health data (for a list of security breaches in health research, see Table 2-2 ). The extent to which these breaches have caused tangible harm to the individuals involved is difficult to quantify ( Pritts, 2008 ). A Government Accountability Office (GAO) report studying major security breaches involving nonmedical personal information concluded that most security breaches do not result in identity theft ( GAO, 2007 ). However, the lack of identity theft resulting from past breaches is no guarantee that future breaches will not result in more serious harm. A recent report from the Identity Theft Resources Center found that identity theft is up by 69 percent for the first half of 2008, compared to the same time period in 2007 ( ITRC, 2008 ). Also, regardless of actual harm, security breaches are problematic for health research because they undermine public trust, which is essential for patients to be willing to participate in research ( Hodge et al., 1999 ). A recent study found patients believe that requiring researchers to have security plans encourages researchers to take additional precautions to protect data ( Damschroder et al., 2007 ). Moreover, data security matters in its own right because it is a key component of comprehensive privacy practices.

TABLE 2-2. Research Security Breaches: 2006–2008.

The HIPAA Security Rule and Its Limitations

The goals of security are threefold: to ensure that (1) only authorized individuals see stored data; (2) they only see the data when they need to use it for an authorized purpose; and (3) what they see is accurate. Traditionally, these goals have been pursued through protections intended to make data processing safe from unauthorized access, alteration, deletion, or transmission. The HIPAA Security Rule employs this traditional solution to protecting security, and sets a floor for data security standards within covered entities ( Box 2-2 ). 11
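The three goals map onto concrete controls: an authorization check on who is asking (goal 1), a purpose- and time-bound need-to-know grant (goal 2), and an integrity check on the stored data (goal 3), with every decision recorded so that misuse can be reconstructed afterwards. The following is an added example that is not code from the IOM report and is not an implementation of the HIPAA Security Rule; the roles, purposes, integrity key, and sample record are all assumed for the demonstration.

```python
"""Enforcing the three security goals above on a small record store.

Added example, not code from the IOM report and not a HIPAA Security Rule
implementation. Roles, purposes, the integrity key and the sample record are
all assumed for the demonstration.
  goal 1: only authorized users      -> role must be allowed the stated purpose
  goal 2: only when needed            -> per-user, per-record, time-bounded grant
  goal 3: what they see is accurate   -> HMAC tag over each stored record,
                                         verified on every read
Every decision, allowed or denied, is appended to an audit trail.
"""
import hashlib
import hmac
import json
import time

# Assumed key for integrity tags; held by the store, never handed to readers.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"

# Assumed policy: which purposes each role may access records for.
POLICY = {
    "treating_clinician": {"treatment"},
    "billing_clerk": {"payment"},
    "researcher": {"irb_approved_study"},
}


def integrity_tag(record_id, payload):
    """HMAC-SHA256 over the record id and a canonical JSON encoding of the payload."""
    msg = record_id.encode() + b"\0" + json.dumps(payload, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()


class RecordStore:
    def __init__(self):
        self._records = {}   # record_id -> {"payload": ..., "tag": ...}
        self._grants = {}    # (user, record_id) -> (purpose, expires_at)
        self.audit_log = []  # append-only list of access decisions

    def put(self, record_id, payload):
        self._records[record_id] = {"payload": payload, "tag": integrity_tag(record_id, payload)}

    def grant(self, user, record_id, purpose, ttl_seconds, now=None):
        """Need-to-know grant: this user may read this record for this purpose until expiry."""
        now = time.time() if now is None else now
        self._grants[(user, record_id)] = (purpose, now + ttl_seconds)

    def decide(self, user, role, purpose, record_id, now=None):
        """Return "allow" or a "deny:<reason>" string; performs no logging."""
        now = time.time() if now is None else now
        if purpose not in POLICY.get(role, set()):
            return "deny:role_not_allowed_purpose"          # goal 1
        grant = self._grants.get((user, record_id))
        if grant is None or grant[0] != purpose:
            return "deny:no_grant_for_purpose"              # goal 2
        if now > grant[1]:
            return "deny:grant_expired"                     # goal 2
        stored = self._records.get(record_id)
        if stored is None:
            return "deny:no_such_record"
        if not hmac.compare_digest(stored["tag"], integrity_tag(record_id, stored["payload"])):
            return "deny:integrity_check_failed"            # goal 3
        return "allow"

    def read(self, user, role, purpose, record_id, now=None):
        """Apply the policy, record the decision, and release the payload only on allow."""
        now = time.time() if now is None else now
        decision = self.decide(user, role, purpose, record_id, now)
        self.audit_log.append({"time": now, "user": user, "role": role,
                               "purpose": purpose, "record": record_id, "decision": decision})
        if decision != "allow":
            raise PermissionError(decision)
        return self._records[record_id]["payload"]


if __name__ == "__main__":
    store = RecordStore()
    store.put("mrn-1001", {"dx": "HIV", "rx": "ART"})          # constructed record
    store.grant("dr_lee", "mrn-1001", "treatment", ttl_seconds=3600, now=1000.0)
    print(store.read("dr_lee", "treating_clinician", "treatment", "mrn-1001", now=1500.0))
    print(store.decide("dr_lee", "researcher", "treatment", "mrn-1001", now=1500.0))
    print(store.decide("dr_lee", "treating_clinician", "treatment", "mrn-1001", now=9999.0))
    store._records["mrn-1001"]["payload"]["dx"] = "healthy"  # simulate tampering at rest
    print(store.decide("dr_lee", "treating_clinician", "treatment", "mrn-1001", now=1500.0))
    for entry in store.audit_log:
        print(entry)
```

The integrity tag is deliberately computed over the record identifier as well as the payload, so a valid record cannot be copied into another patient’s slot without detection; a production system would keep the key in a separate key store and would also need the audit log itself to be tamper-evident.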

Box 2-2. The HIPAA Security Rule (excerpt). The final HIPAA Security Standards were adopted on February 20, 2003. Covered entities were required to be in compliance with the regulation by April 21, 2005 (April 21, 2006, for small health plans). In designing the HIPAA …

The HIPAA Security Rule has several major gaps in security protection. First, like the HIPAA Privacy Rule, the HIPAA Security Rule only applies to covered entities. Many researchers who rely on protected health information (PHI) 12 to conduct health research are not covered entities, and thus are not required to implement any of the security requirements outlined in the Security Rule. Although federal research regulations include protections of privacy, there are no other laws that specifically require researchers to implement security protections for research data. Second, the HIPAA Security Rule only protects electronic protected health information; it does not require covered entities to implement any specific security protections for health information stored in paper records (the Privacy Rule’s general safeguards standard applies to PHI in any form, but it prescribes no particular measures). There is an ongoing effort to implement electronic health records. However, many health records now exist only in paper form and may not be securely protected.

Third, many covered entities apparently are not yet in full compliance with all the requirements of the HIPAA Security Rule, based on surveys 13 of health care privacy officers and other individuals responsible for implementing the HIPAA regulations conducted by the American Health Information Management Association (AHIMA). The surveys found that although the percentage of respondents who believe their facilities are in full compliance with the HIPAA Security Rule is increasing yearly, the number is still not 100 percent. In 2006, 1 year after implementation of the HIPAA security regulations, 25 percent of respondents described themselves as fully compliant with the Security Rule, and 50 percent described themselves as 85 to 95 percent compliant (compared to 17 percent of respondents in 2005 reporting they were fully compliant, and 43 percent describing themselves as 85 to 95 percent compliant). More than half (54 percent) of respondents reported that their covered entity had upgraded its electronic software system to comply with the HIPAA Security Rule. All the respondents reported that their covered entity has an individual responsible for assessing data protection needs and implementing solutions and staff training (compared to 89 percent in 2005), but the number of facilities reporting that they have an entire committee or task force devoted to security decreased from 2005 (59 percent versus 78 percent) ( AHIMA, 2006 ).

The Centers for Medicare & Medicaid Services (CMS) has the authority to enforce the HIPAA Security Rule, and has received 378 security complaints as of 2008 without issuing any fines or penalties. A recent report issued by the HHS Office of Inspector General evaluated CMS’s oversight and enforcement of the HIPAA Security Rule and “found that CMS had taken limited steps to ensure that covered entities adequately implement security protections” ( OIG, 2008 ). However, a 2008 Resolution Agreement entered into by the U.S. Department of Health and Human Services (HHS) and CMS with Seattle-based Providence Health & Services for breaches of the HIPAA Privacy and Security Rules may indicate that CMS is starting to take a more affirmative approach to enforcement. The agreement requires Providence Health & Services to pay $100,000 and to implement a corrective action plan to ensure electronic patient information is appropriately safeguarded against future security breaches ( OCR, 2008 ). In addition, CMS has recently partnered with PricewaterhouseCoopers to conduct security audits of covered entities to examine how well they are implementing the requirements of the HIPAA Security Rule. Ten to 20 assessments are planned for 2008 ( Conn, 2008 ). Together these actions may have a positive effect on the percentage of covered entities fully compliant with the HIPAA Security Rule.

Regardless of whether the HIPAA Security Rule is actively enforced, the other gaps in the HIPAA Security Rule’s protection of personal health information are problematic because enhanced security is necessary to reduce the risk of data theft and to reinforce the public’s trust in the research community by diminishing anxiety about the potential for unintentional disclosure of information. Thus, the IOM committee recommends that all institutions (both covered entities and non-covered entities) in the health research community that are involved in the collection, use, and disclosure of personally identifiable health information take strong measures to safeguard the security of health data. Given the differences among the missions and activities of institutions in the health research community, some flexibility in the implementation of specific security measures will be necessary.

Examples of measures that institutions should implement include appointment of a security officer on IRBs and Privacy Boards to be responsible for assessing data protection needs and implementing solutions and staff training; use of encryption and encoding techniques, especially for laptops and removable media containing personally identifiable health information; and implementation of a breach notification requirement, so that patients may take steps to protect their identity in the event of a breach ( IOM, 2000 ). More generally, institutions should implement layers of security protections, so that if security fails at one layer the breach will likely be stopped by another layer of security protection. The publication of best practices combined with a cooperative approach to compliance with security standards—such as self-evaluation, security audits, and certification programs—would also promote progress in this area. Research sponsors could play a role in the adoption of best practices in data security, by requiring researchers to implement appropriate security measures prior to providing funding. In addition, the federal government should support the development of technologies to enhance the security of health information.

Examples of security standards and guidelines already exist in some sectors, but they are not widely applied in health research. For instance, the National Institute of Standards and Technology has developed standards and guidance for the implementation of the Federal Information Security Management Act of 2002, which was meant to bolster computer and network security within the federal government and affiliated parties (e.g., government contractors). These include standards for minimum security requirements for information and information systems, as well as guidance for assessing and selecting appropriate security controls for information systems, for determining security control effectiveness, and for certifying and accrediting information systems (NIST, 2007). However, two recent GAO reports found that although the federal government is improving information security performance, a number of significant information security control deficiencies remain (GAO, 2008a). HHS, working through its Office of the National Coordinator for Health Information Technology, could play an important role in developing or adapting standards for health research applications, and then encourage and facilitate broader use of such standards in the health research community.

  • POTENTIAL TECHNICAL APPROACHES TO HEALTH DATA PRIVACY AND SECURITY

The security of data will continue to grow in importance as the health care industry moves toward greater implementation of electronic health records, and Congress has already proposed numerous bills to facilitate and regulate that transition (see also Chapter 6). Advances in information technology will likely make it easier to implement such measures as audit trails and access controls in the future. Although the committee does not recommend a specific technology solution, there are at least four technological approaches to enhancing data privacy and security that have been proposed by others as having the potential to be particularly influential in health research: (1) privacy-preserving data mining and statistical disclosure limitation, (2) personal electronic health record devices, (3) independent consent management tools, and (4) pseudonymization. Each seeks to minimize or eliminate the transfer of personally identifiable data (Burkert, 2001). The advantages, limitations, and current feasibility of each are described briefly below.

Privacy-preserving data mining and statistical disclosure limitation. In recent years, a number of techniques have been proposed for modifying or transforming data so as to preserve privacy while the data are statistically analyzed (reviewed in Aggarwal and Yu, 2008; NRC, 2000, 2005, 2007b). Typically, such methods reduce the granularity of representation in order to protect confidentiality. There is, however, a natural trade-off between information loss and confidentiality protection, because this reduction in granularity diminishes the accuracy and utility of the data and of the methods used to analyze them. Thus, a key issue is to maintain maximum utility of the data without compromising the underlying privacy constraints. In addition, the statistical disclosure limitation and privacy-preserving data mining literatures contain many different definitions of privacy and its protection, in part because of their varying goals.

Examples of statistical disclosure limitation and privacy-preserving data mining methods include: perturbation methods such as noise addition, which mask the identifiable attributes of individual records; aggregation methods such as k-anonymity, which reduce the granularity of representation of the data so that a given record cannot be distinguished from at least (k – 1) other records; the release of summary statistics that can support actual statistical analyses, such as marginal totals from contingency tables; and various approaches to generating synthetic data. Several of these are reviewed in Aggarwal and Yu (2008).

Other technologies include cryptographic methods for distributive privacy protection, which operate by allowing researchers to query various databases online using cryptographic algorithms (Brands, 2007; reviewed in Aggarwal and Yu, 2008 ), query auditing techniques, and output perturbation using methodology known as differential privacy (many of these techniques are reviewed in Aggarwal and Yu, 2008 , and Dwork, 2008 ). These technologies aim to protect privacy by minimizing the outflow of information to researchers, as the providers of the databases do not make any of the actual data available to the researchers. The principal drawback of many of these methods relates to the potentially limited utility of the released information, especially for secondary analyses not planned in advance.

Each of the methods referred to above has strengths and weaknesses for specific kinds of statistical analyses. Precisely how this developing body of methodologies may be effectively used in the types of health research envisioned in this report remains an open question and an area of active research. Thus, alternative mechanisms for data protection going beyond the removal of obvious identifiers and the application of limited modifications of data elements are required. These mechanisms need to be backed up by legal penalties and sanctions.
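As an added illustration (not code from the report or from the works it cites) of two of the methods described above, the following shows k-anonymity obtained by generalizing quasi-identifiers and a count query released under differential privacy with Laplace output perturbation. The records, the age/ZIP generalization rules and the epsilon value are constructed for this example.

```python
"""Added example: k-anonymity via generalization and an epsilon-differentially
private count (Laplace mechanism). Records and parameters are constructed."""
import math
import random
from collections import Counter

# Constructed sample records. Age and ZIP are quasi-identifiers (attributes
# that could be linked to an external source); diagnosis is the sensitive
# payload. None of these values describe a real person.
RECORDS = [
    {"age": 34, "zip": "02115", "dx": "asthma"},
    {"age": 37, "zip": "02118", "dx": "diabetes"},
    {"age": 41, "zip": "02139", "dx": "asthma"},
    {"age": 46, "zip": "02134", "dx": "hypertension"},
    {"age": 52, "zip": "02215", "dx": "diabetes"},
    {"age": 58, "zip": "02210", "dx": "asthma"},
]
QUASI_IDS = ("age", "zip")


def generalize(record, age_band=10, zip_digits=3):
    """Reduce granularity: age becomes a band, ZIP keeps only leading digits.
    The payload (diagnosis) is left untouched."""
    low = (record["age"] // age_band) * age_band
    kept = record["zip"][:zip_digits]
    return {
        "age": f"{low}-{low + age_band - 1}",
        "zip": kept + "*" * (len(record["zip"]) - len(kept)),
        "dx": record["dx"],
    }


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Return the k a table achieves: the size of its smallest equivalence
    class over the quasi-identifiers. The table is k-anonymous for any k at
    or below this value, i.e. every record is indistinguishable from at
    least k-1 others on those attributes."""
    classes = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(classes.values()) if classes else 0


def laplace_noise(scale, u):
    """Laplace(0, scale) sample drawn by inverse CDF from a uniform u in (0, 1).
    u is clamped away from 0 and 1 so the logarithm stays finite."""
    u = min(max(u, 1e-12), 1.0 - 1e-12) - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(records, predicate, epsilon, rng=None):
    """Epsilon-differentially private count of records matching predicate.
    Adding or removing one person changes a count by at most 1 (sensitivity
    1), so Laplace noise with scale 1/epsilon suffices. Smaller epsilon means
    stronger privacy and more noise; the true count is never released."""
    rng = rng or random.Random()
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng.random())


if __name__ == "__main__":
    print("raw table k =", k_anonymity(RECORDS))
    generalized = [generalize(r) for r in RECORDS]
    print("generalized table k =", k_anonymity(generalized))
    noisy = dp_count(RECORDS, lambda r: r["dx"] == "asthma", epsilon=1.0,
                     rng=random.Random(7))
    print("noisy asthma count =", round(noisy, 2))
```

Note that generalizing only the age band while keeping the full ZIP leaves every record unique, which is the information-loss trade-off the text describes: confidentiality comes from coarsening every linkable attribute, not just one.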

Personal electronic health record devices. The use of personal electronic health record devices requires that all individuals possess a personal electronic device, such as a personal digital assistant (PDA) or personal computer, to manage their health information. The electronic device is intended to be used by individuals to aggregate all of their health information into one location (i.e., the electronic device). The infrastructure for implementing this privacy-enhancing technology exists, but there are several serious problems with relying on this technology in health research. First, it is unclear who would provide individuals with the devices, how they would be maintained, and who would bear the cost of the maintenance. Second, it is impossible for researchers to query every single individual for permission to access his/her personal electronic health record device in order to determine if he/she meets the criteria for the relevant study. Only individuals who are on the Internet and are involved in health research could easily be queried. Third, the use of personal electronic devices would make it almost impossible to aggregate data because of the difficulty of accessing data from multiple sources. These problems are sufficiently serious that the use of this technology is unlikely to offer a satisfactory solution to the privacy and security concerns in health research (Brands, 2007).

Independent consent management tools. The independent consent management tool (or infomediary) relies on a health trust to store all of an individual’s health data. When researchers are interested in accessing an individual’s health information for a study, the researchers must contact the health trust. The health trust will then approach the individual and ask whether he/she is willing to give consent for the research. Examples of this technology include Microsoft’s HealthVault, Google Health, and Revolution Health.

Independent consent management tools allow individuals to make blanket consents for their health information to be released to certain types of researchers. For example, an individual can have a standing consent that his/her information can be released to all researchers at the Mayo Clinic, or for all research on cancer, etc. Thus, the use of a health trust allows an individual to have the power of consent for all uses of his/her health information, but does not require a specific consent in all instances (Brands, 2007). Some privacy advocates strongly favor this technology because they see it as a way to give patients complete control over who can see and use their health information (PPR, 2008).

However, the use of this technology in health research has several major problems. The first problem is that the health trust in this system becomes a “honey pot” (i.e., the health trust holds ALL of an individual’s data). This creates serious trust and security issues because a person’s entire health record is stored in a single entity (Brands, 2007). A 2006 survey of global financial services institutions found that respondents reported that nearly 50 percent of all security breaches were a result of an internal failure (e.g., a virus or worm originating inside the organization, insider fraud, or inadvertent leakage of consumer data) ( Melek and MacKinnon, 2006 ). Many security breaches in health care are likely also a result of internal failures. In addition, these organizations are currently not regulated by the HIPAA Privacy Rule, so there are no legal federal privacy restrictions preventing these entities from releasing individuals’ data to the government, marketing companies, or others, and no mandatory data security requirements. New legislation or regulation making health trusts liable for security breaches may be necessary before the public is willing to trust these organizations to store personal health data ( Metz, 2008 ).

The second major impediment to the widespread adoption of independent consent management tools is the difficulty of providing individuals with secure online access to view their health information. The companies marketing this technology need to develop a mechanism by which individuals can access their medical information held by the health trust without endangering its security and privacy. The current methods for individual authentication online do not work well (NRC, 2003), but the use of a strong authentication system in a single domain may solve this problem. The companies will also need to address the fact that a significant portion of the population does not have online access at all (Brands, 2007).

The final problem with using independent consent management systems in health research is the inability to ensure the authenticity and integrity of responses. There is no existing method for the health trusts to provide the researchers with a guarantee that the information contained in their database is accurate. If data are authenticated using existing methods, such as through the use of digital signing, then it is impossible to truly protect the privacy of the individuals’ information being disclosed ( NRC, 2003 ). Cryptographic selective disclosure techniques may be able to solve this problem, but the technology does not exist yet (Brands, 2007).

Pseudonymization. Pseudonymization is a method “used to replace the true identities (nominative) of individuals or organizations in databases by pseudo-identities (pseudo-IDs) that cannot be linked directly to their corresponding nominative identities” ( Claerhout and De Moor, 2005 ). The benefit of using pseudonymization in health research is that it protects individuals’ identities while allowing researchers to link personal data across time and place by relying on the pseudo-IDs.

Most pseudonymization methods use a trusted third party to perform the pseudonymization process. This results in at least three entities being involved in the creation of each database. There is the data source that has access to nominative personal data (e.g., PHI), the trusted third party, and the data register that uses the pseudonymized data for research.

Two methods of pseudonymization are batch data collection and interactive data collection. In batch data collection, the data supplier splits the data into two parts: (1) the identifiers that relate to a specific person (e.g., Social Security number, name), and (2) the payload data, which includes all the nonidentifiable data associated with each individual. The data are prepseudonymized at the data source and transferred to the trusted third party, which converts each prepseudonym into a final pseudo-ID. Both the final pseudo-ID and payload data are transferred to the data register, where they are stored and used for research; no data are stored with the trusted third party. Privacy concerns are minimized because the only version of the data that is available to researchers is pseudonymized data.

Interactive data collection is used in situations where neither the data supplier nor the data register has a need for local storage of the data. All the data are stored by a trusted third party in pseudonymous form. Both the data supplier and the data register must query the trusted third party to access the data (Claerhout and De Moor, 2005; De Moor et al., 2003).

It is unclear how technologies relying on pseudonymization would be implemented under the requirements of the HIPAA Privacy Rule. In order for information to be considered deidentified, the HIPAA Privacy Rule specifically states that covered entities can assign a code or other means of record identification (such as a pseudo-ID), but the code cannot be derived from, or related to, information about the subject of the information. This means that any pseudo-IDs created using this technology must be based entirely on nonpersonal information. Alternatively, any researchers using the pseudonymized data must go through the normal IRB/Privacy Board review process.
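The batch data collection flow described above, modelled as three parties, as an added example that is not code from the report or from Claerhout and De Moor: the data source splits identifiers from payload and prepseudonymizes the identifiers with its own key, the trusted third party re-keys each prepseudonym into the final pseudo-ID and stores nothing, and the data register holds only pseudo-ID plus payload, which is what lets it link one person's records over time. Using a keyed hash (HMAC-SHA256) as the pseudonymization primitive, and the record layout and keys, are assumptions of this example; note that such a pseudo-ID is derived from the subject's identifiers, which is exactly the point the HIPAA deidentification standard quoted above turns on.

```python
"""Added example: batch data collection with a trusted third party (TTP).
Keyed hashing as the pseudonym primitive, the record layout and the keys
are assumptions of this example, not methods the report specifies."""
import hashlib
import hmac

# Constructed sample records. Name and SSN are the nominative identifiers;
# the remaining fields are payload. All values are fabricated.
SOURCE_RECORDS = [
    {"name": "Jane Roe", "ssn": "000-00-0001", "year": 2007, "dx": "asthma"},
    {"name": "John Doe", "ssn": "000-00-0002", "year": 2007, "dx": "diabetes"},
    {"name": "Jane Roe", "ssn": "000-00-0001", "year": 2008, "dx": "asthma"},
]
IDENTIFIERS = ("name", "ssn")


def keyed_pseudonym(key, *parts):
    """Deterministic keyed hash: the same person yields the same pseudonym
    under the same key, but the mapping cannot be recomputed (e.g. by
    hashing guessed SSNs) without the key. Parts are joined with a
    separator so that field boundaries are unambiguous."""
    msg = "\x1f".join(parts).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class DataSource:
    """Holds nominative data. Exports (prepseudonym, payload) pairs; the
    identifiers themselves never leave this party."""
    def __init__(self, key):
        self.key = key

    def export_batch(self, records):
        batch = []
        for rec in records:
            identity = tuple(rec[f] for f in IDENTIFIERS)
            payload = {k: v for k, v in rec.items() if k not in IDENTIFIERS}
            batch.append((keyed_pseudonym(self.key, *identity), payload))
        return batch


class TrustedThirdParty:
    """Converts prepseudonyms into final pseudo-IDs with its own key and
    passes the payload through unchanged. It keeps no copy of anything,
    and it never sees a nominative identifier."""
    def __init__(self, key):
        self.key = key

    def convert(self, batch):
        return [(keyed_pseudonym(self.key, prepseudo), payload)
                for prepseudo, payload in batch]


class DataRegister:
    """Stores pseudo-ID plus payload for research and links a person's
    records across time by pseudo-ID alone."""
    def __init__(self):
        self.rows = []

    def ingest(self, batch):
        self.rows.extend(batch)

    def pseudo_ids(self):
        return [pid for pid, _ in self.rows]

    def records_for(self, pseudo_id):
        return [payload for pid, payload in self.rows if pid == pseudo_id]

    def holds_identifiers(self):
        """Sanity check a register should be able to pass: no row carries
        any of the nominative identifier fields."""
        return any(f in payload for _, payload in self.rows for f in IDENTIFIERS)


def run_batch_collection(records, source_key, ttp_key):
    """Run the full source -> TTP -> register flow and return the register."""
    register = DataRegister()
    batch = DataSource(source_key).export_batch(records)
    register.ingest(TrustedThirdParty(ttp_key).convert(batch))
    return register


if __name__ == "__main__":
    reg = run_batch_collection(SOURCE_RECORDS, b"source-key", b"ttp-key")
    for pid, payload in reg.rows:
        print(pid[:16], payload)
```

Because the final pseudo-ID depends on both keys, neither the data source nor the register can reproduce it alone, and a compromise of the register exposes no nominative identifiers.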

  • CONCLUSIONS AND RECOMMENDATIONS

Based on its review of the information described in this chapter, the committee agreed on an overarching principle to guide the formation of recommendations. The committee affirms the importance of maintaining and improving the privacy of health information. In the context of health research, privacy includes the commitment to handle personal information of patients and research participants with meaningful privacy protections, including strong security measures, transparency, and accountability. These commitments extend to everyone who collects, uses, or has access to personally identifiable health information of patients and research participants. Practices of security, transparency, and accountability take on extraordinary importance in the health research setting: Researchers and other data users should disclose clearly how and why personal information is being collected, used, and secured, and should be subject to legally enforceable obligations to ensure that personally identifiable information is used appropriately and securely. In this manner, privacy protection will help to ensure research participation and public trust and confidence in medical research.

As part of the process of implementing this principle into the federal oversight regime of health research, the committee recommends that all institutions in the health research community that are involved in the collection, use, and disclosure of personally identifiable health information take strong measures to safeguard the security of health data. For example, institutions could:

  • Appoint a security officer responsible for assessing data protection needs and implementing solutions and staff training.
  • Make greater use of encryption and other techniques for data security.
  • Include data security experts on IRBs.
  • Implement a breach notification requirement, so that patients may take steps to protect their identity in the event of a breach.
  • Implement layers of security protection to eliminate single points of vulnerability to security breaches.

In addition, the federal government should support the development and use of:

  • Genuine privacy-enhancing techniques that minimize or eliminate the collection of personally identifiable data.
  • Standardized self-evaluations and security audits and certification programs to help institutions achieve the goal of safeguarding the security of personal health data.

Effective health privacy protections require effective data security measures. The HIPAA Security Rule (which entails a set of regulatory provisions separate from the Privacy Rule) already sets a floor for data security standards within covered entities, but not all institutions that conduct health research are subject to HIPAA regulations. Also, the survey data presented in this chapter show that neither the HIPAA Privacy Rule nor the HIPAA Security Rule has directly improved public confidence that personal health information will be kept confidential. Therefore, all institutions conducting health research should undertake measures to strengthen data protections. For example, given the recent spate of lost or stolen laptops containing patient health information, encryption should be required for all laptops and removable media containing such data. However, in general, given the differences among the missions and activities of institutions in the health research community, some flexibility in the implementation of specific security measures will be necessary.

Enhanced security would reduce the risk of data theft and reinforce the public’s trust in the research community by diminishing anxiety about the potential for unintentional disclosure of information. The publication of best practices and outreach to all stakeholders by HHS, combined with a cooperative approach to compliance with security standards, such as self-evaluation and audit programs, would promote progress in this area. Research sponsors could also play a role in fostering the adoption of best practices in data security.

  • Aggarwal CC, Yu PS, editors. Privacy-preserving data mining: Models and algorithms. Boston, MA: Kluwer Academic Publishers; 2008.
  • AHIMA (American Health Information Management Association). The state of HIPAA privacy and security compliance. 2006. [accessed April 20, 2008]. http://www.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf.
  • Allen A. Genetic privacy: Emerging concepts and values. In: Rothstein M, editor. Genetic secrets: Protecting privacy and confidentiality in the genetic era. New Haven, CT: Yale University Press; 1997. pp. 31–59.
  • Balch GI, Doner L, Hoffman MK, Macario E. An exploration of how patients and family caregivers think about counterfeit drugs and the safety of prescription drug retail outlets for the National Health Council. Oak Park, IL: Balch Associates; 2005.
  • Balch GI, Doner LMA, Hoffman MK, Merriman MP, Monroe-Cook E, Rathjen G. Concept and message development research on engaging communities to promote electronic personal health records for the National Health Council. Oak Park, IL: Balch Associates; 2006.
  • Barrett G, Cassell JA, Peacock JL, Coleman MP. National survey of British public’s view on use of identifiable medical data by the National Cancer Registry. British Medical Journal. 2007; 332 (7549):1068–1072. [ PMC free article : PMC1458550 ] [ PubMed : 16648132 ]
  • Bloustein E. Privacy as an aspect of human dignity: An answer to Dean Prosser. New York Law Review. 1967; 39 :34.
  • Bodger JA. Note, taking the sting out of reporting requirements: Reproductive health clinics and the constitutional right to informational privacy. Duke Law Journal. 2006; 56 :583–609. [ PubMed : 17302004 ]
  • Burkert H. Privacy-enhancing technologies: Typology, critique, vision. In: Agre PE, Rotenberg M, editors. Technology and privacy: The new landscape. Cambridge, MA: The MIT Press; 2001. pp. 125–142.
  • Claerhout B, De Moor GJE. Privacy protection for clinical and genomic data: The use of privacy-enhancing techniques in medicine. Journal of Medical Informatics. 2005; 74 :257–265. [ PubMed : 15694632 ]
  • Conn J. CMS’ HIPAA watchdog presents potential conflict. Modern Healthcare. 2008. [accessed July 28, 2008]. http://www.modernhealthcare.com. [ PubMed : 18273966 ]
  • Damschroder LJ, Pritts JL, Neblo MA, Kalarickal RJ, Creswell JW, Hayward RA. Patients, privacy and trust: Patients’ willingness to allow researchers to access their medical records. Social Science & Medicine. 2007; 64 (1):223–235. [ PubMed : 17045717 ]
  • De Moor GJE, Claerhout B, De Meyer F. Privacy enhancing techniques: The key to secure communication and management of clinical and genomic data. Methods of Information in Medicine. 2003; 42 :148–153. [ PubMed : 12743651 ]
  • Dwork CS. An ad omnia approach to defining and achieving private data analysis, proceedings of the first sigkdd international workshop on privacy, security, and trust in kdd (invited). Lecture Notes in Computer Science. 2008:4890.
  • Feld AD, Feld AD. The Health Insurance Portability and Accountability Act (HIPAA): Its broad effect on practice. American Journal of Gastroenterology. 2005; 100 (7):1440–1443. [ PubMed : 15984962 ]
  • Flannery J, Tokley J. AMA poll shows patients are concerned about the privacy and security of their medical records. Australian Medical Association; 2005. [accessed December 10, 2007]. http://www.ama.com.au/web.nsf/doc/WEEN-6EG7LY.
  • Forrester Research. National survey: Confidentiality of medical records. 1999. [accessed February 12, 2007]. http://www.chcf.org.
  • Forrester Research. National consumer health privacy survey 2005. 2005. [accessed February 12, 2007]. http://www.chcf.org/topics/view.cfm?itemID=115694.
  • Fried C. Privacy. Yale Law Journal. 1968; 77 :475–493.
  • GAO (Government Accountability Office). Personal information: Data breaches are frequent, but evidence of resulting identity theft is limited. Washington, DC: GAO; 2007.
  • GAO. Although progress reported, federal agencies need to resolve significant deficiencies: Statement of Gregory C. Wilshusen, Director, Information Security Issues. Washington, DC: GAO; 2008a.
  • GAO. Information security: Progress reported, but weaknesses at federal agencies persist: Statement of Gregory C. Wilshusen, Director, Information Security Issues. Washington, DC: GAO; 2008b.
  • Gavison R. Privacy and the limits of the law. Yale Law Journal. 1980; 89 :421–471.
  • Gelman R. Fair information practices: A basic history. 2008. [accessed April 15, 2008]. http://bobgellman.com/rg-docs/rg-FIPshistory.pdf.
  • Goldman J. Protecting privacy to improve health care. Health Affairs. 1998; 17 (6):47–60. [ PubMed : 9916354 ]
  • Gostin LO. Health information privacy. Cornell Law Review. 1995; 80 :101–184. [ PubMed : 11660159 ]
  • Gostin L. Health information: Reconciling personal privacy with the public good of human health. Health Care Analysis. 2001; 9 :321. [ PubMed : 11794835 ]
  • Gostin L. Public health law: Power, duty, restraint. Berkeley, CA: University of California Press; 2008. Surveillance and public health research: Personal privacy and the “right to know.”
  • Gostin LO, Hodge JG. Personal privacy and common goods: A framework for balancing under the national health information Privacy Rule. Minnesota Law Review. 2002; 86 :1439. [ PubMed : 15174439 ]
  • Greenhouse S, Barbaro M. Walmart memo suggests ways to cut employee benefit costs. The New York Times. 2005. [accessed April 14, 2008]. http://www.nytimes.com/2005/10/26/business/26walmart.ready.html?pagewanted=1&_r=1.
  • Harris Interactive. Health Information Privacy (HIPAA) notices have improved public’s confidence that their medical information is being handled properly. 2005. [accessed April 3, 2007]. http://www.harrisinteractive.com/news/printerfriend/index.asp?NewsID=849.
  • Harris Interactive. Many U.S. adults are satisfied with use of their personal health information. 2007. [accessed May 15, 2007]. http://www.harrisinteractive.com/harris_poll/index.asp?PID=743.
  • HEW (Department of Health, Education and Welfare). Records, computers and the rights of citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems. 1973. [accessed July 12, 2008]. http://aspe.hhs.gov/datacncl/1973privacy/tocprefacemembers.htm.
  • Hodge JG Jr, Gostin LO, Jacobson PD. Legal issues concerning electronic health information: Privacy, quality, and liability. JAMA. 1999; 282 (15):1466–1471. [ PubMed : 10535438 ]
  • Hudson KL. Prohibiting genetic discrimination. New England Journal of Medicine. 2007; 356 :2021. [ PubMed : 17507700 ]
  • IOM (Institute of Medicine). Protecting data privacy in health services research. Washington, DC: National Academy Press; 2000. [ PubMed : 25057723 ]
  • ITRC (Identity Theft Resource Center). 2006 disclosures of U.S. data incidents. 2006. [accessed July 7, 2008]. http://idtheftmostwanted.org/ITRC%20Breach%20Report%202006.pdf.
  • ITRC. 2007 breach list. 2007. [accessed July 7, 2008]. http://idtheftmostwanted.org/ITRC%20Breach%20Report%202007.pdf.
  • ITRC. Security breaches. 2008. [accessed July 22, 2008]. http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List_printer.shtml.
  • Kass NE, Natowicz MR, Hull SC, Faden RR, Plantinga L, Gostin LO, Slutsman J. The use of medical records in research: What do patients want? Journal of Law, Medicine & Ethics. 2003; 31 :429–433. [ PMC free article : PMC4816216 ] [ PubMed : 14626550 ]
  • Low L, King S, Wilkie T. Genetic discrimination in life insurance: Empirical evidence from a cross sectional survey of genetic support groups in the United Kingdom. British Medical Journal. 1998; 317 :1632–1635. [ PMC free article : PMC28743 ] [ PubMed : 9848905 ]
  • Lowrance WW. Privacy and health research: A report to the U.S. Secretary of Health and Human Services. 1997. [accessed May 10, 2008]. http://aspe.hhs.gov/DATACNCL/PHR.htm.
  • Lowrance WW. Learning from experience, privacy and the secondary use of data in health research. London: The Nuffield Trust; 2002.
  • Magnussen R. The changing legal and conceptual shape of health care privacy. The Journal of Law, Medicine & Ethics. 2004; 32 :681. [ PubMed : 15807356 ]
  • Melek A, MacKinnon M. Deloitte global security survey. 2006. [accessed July 23, 2008]. http://www.deloitte.com/dtt/cda/doc/content/us_fsi_150606globalsecuritysurvey(1).pdf.
  • Metz R. Google makes health service publicly available. Associated Press; 2008. [accessed August 13, 2008]. http://biz.yahoo.com/ap/080519/google_health.html.
  • Moore A. Intangible property: Privacy, power and information control. In: Moore A, editor. Information ethics: Privacy, property, and power. Seattle, WA: University of Washington Press; 2005.
  • NBAC (National Bioethics Advisory Commission). Research involving human biological materials: Ethical issues and policy guidance, report and recommendations. Vol. 1. Rockville, MD: NBAC; 1999.
  • NBAC. Ethical and policy issues in research involving human participants. Rockville, MD: NBAC; 2001.
  • NCSL (National Conference of State Legislatures). Privacy protections in state constitutions. 2008. [accessed June 10, 2008]. http://www.ncsl.org/programs/lis/privacy/stateconstpriv03.htm.
  • Nissenbaum H. Privacy as Contextual Integrity. Washington Law Review. 2004; 79 :101–139.
  • NRC (National Research Council). Improving access to and confidentiality of research data: Report of a workshop. Washington, DC: National Academy Press; 2000.
  • NRC. Who goes there?: Authentication through the lens of privacy. Washington, DC: The National Academies Press; 2003.
  • NRC. Expanding access to research data: Reconciling risks and opportunities. Washington, DC: The National Academies Press; 2005.
  • NRC. Engaging privacy and information technology in a digital age. Washington, DC: The National Academies Press; 2007a.
  • NRC. Privacy and information technology in a digital age. Washington, DC: The National Academies Press; 2007b.
  • NRC. Putting people on the map: Protecting confidentiality with linked social-spatial data. Washington, DC: The National Academies Press; 2007c.
  • OCR (Office for Civil Rights). HIPAA compliance and enforcement. 2008. [accessed August 13, 2008]. http://www.hhs.gov/ocr/privacy/enforcement/
  • OECD. Guidelines on the protection of privacy and transborder flows of personal data. 1980. [accessed August 13, 2008]. http://www.oecd.org/document/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.
  • OIG (Office of Inspector General). Nationwide review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 oversight. Washington, DC: Department of Health and Human Services; 2008.
  • OTA (Office of Technology Assessment). Protecting privacy in computerized medical information. Washington, DC: OTA; 1993.
  • Petrila J. Medical records confidentiality: Issues affecting the mental health and substance abuse systems. Drug Benefit Trends. 1999; 11 :6–10.
  • Post R. Three concepts of privacy. Georgetown Law Journal. 2001; 89 :2087–2089.
  • PPR (Patient Privacy Rights). Press release: Microsoft raises the bar for privacy in electronic health record solutions. October 4, 2008. [accessed August 13, 2008]. http://www.patientprivacyrights.org/site/PageServer?pagename=HealthVault_PressRelease/
  • PRC (Privacy Rights Clearinghouse). A chronology of data breaches. 2008. [accessed July 8, 2008]. http://www.privacyrights.org/ar/ChronDataBreaches.htm.
  • Pritts JL. Altered states: State health privacy laws and the impact of the federal health Privacy Rule. Yale Journal of Health Policy, Law & Ethics. 2002; 2 (2):327–364. [ PubMed : 12669317 ]
  • Pritts J. The importance and value of protecting the privacy of health information: Roles of HIPAA Privacy Rule and the Common Rule in health research. 2008. [accessed March 15, 2008]. http://www.iom.edu/CMS/3740/43729/53160.aspx.
  • Privacy Protection Study Commission. Personal privacy in an information society. 1977. [accessed April 21, 2008]. http://epic.org/privacy/ppsc1977report/
  • PSRA (Princeton Survey Research Associates). Medical privacy and confidentiality survey. 1999. [accessed August 11, 2008]. http://www.chcf.org/topics/view.cfm?itemID=12500.
  • Rachels J. Why privacy is important. Philosophy and Public Affairs. 1975; 4 :323–333.
  • Regan P. Legislating privacy: Technology, social values, and public policy. Chapel Hill, NC: University of North Carolina Press; 1995.
  • Research!America. America speaks: Poll summary. Vol. 7. Alexandria, VA: United Health Foundation; 2007.
  • Richards NM, Solove DJ. Privacy’s other path: Recovering the law of confidentiality. Georgetown Law Journal. 2007; 96 :124.
  • Roback H, Shelton M. Effects of confidentiality limitations on the psychotherapeutic process. Journal of Psychotherapy Practice and Research. 1995; 4 :185–193. [ PMC free article : PMC3330397 ] [ PubMed : 22700249 ]
  • Robling MR, Hood K, Houston H, Pill R, Fay J, Evans HM. Public attitudes towards the use of primary care patient record data in medical research without consent: A qualitative study. Journal of Medical Ethics. 2004; 30 :104–109. [ PMC free article : PMC1757117 ] [ PubMed : 14872086 ]
  • Saver R. Medical research and intangible harm. University of Cincinnati Law Review. 2006; 74 :941–1012.
  • Solove DJ. A taxonomy of privacy. University of Pennsylvania Law Review. 2006; 154 :516–518.
  • Taube DO, Elwork A. Researching the effects of confidentiality law on patients’ self-disclosures. Professional Psychology: Research and Practice. 1990; 21 :72–75. [ PubMed : 12186093 ]
  • Taylor C. Sources of the self: The making of modern identity. Cambridge, MA: Harvard University Press; 1989.
  • Terry NP, Francis LP. Ensuring the privacy and confidentiality of electronic health records. University of Illinois Law Review. 2007; 2007 (2):681–736.
  • Tourangeau R, Rips LJ, Rasinski K. The psychology of survey response. Cambridge, UK: Cambridge University Press; 2000.
  • Turn R, Ware WH. The RAND Paper Series. Santa Monica, CA: The RAND Corporation; 1976. Privacy and security issues in information systems.
  • Weddle M, Kokotailo P. Confidentiality and consent in adolescent substance abuse: An update. Virtual Mentor, American Medical Association Journal of Ethics. 2005. [accessed August 1, 2008]. http://virtualmentor.ama-assn.org/2005/03/pdf/pfor1-0503.pdf. [ PubMed : 23249493 ]
  • Wentland EJ. San Diego, CA: Academic Press; 1993. Survey responses: An evaluation of their validity.
  • Westin A. Science, privacy and freedom. Columbia Law Review. 1966; 66 (7):1205–1253.
  • Westin A. Privacy and freedom. New York: Atheneum; 1967.
  • Westin A. Computers, health records, and citizen rights. 1976. [accessed July 30, 2008]. http://eric ​.ed.gov/ERICWebPortal ​/custom/portlets ​/recordDetails/detailmini ​.jsp?_nfpb ​=true&_&ERICExtSearch_SearchValue_0 ​=ED143358&ERICExtSearch_SearchType_0 ​=no&accno ​=ED143358 .
  • Westin A. How the public views privacy and health research. Institute of Medicine; 2007. [accessed November 11, 2007]. http://www ​.iom.edu/Object ​.File/Master/48 ​/528/%20Westin%20IOM ​%20Srvy%20Rept%2011-1107.pdf .
  • Whiddett R, Hunter I, Engelbrecht J, Handy J. Patients’ attitudes towards sharing their health information. International Journal of Medical Informatics. 2006; 75 (7):530–541. [ PubMed : 16198142 ]
  • Willison DJ, Schwartz L, Abelson J, Charles C, Swinton M, Northrup D, Thabane L. Alternatives to project-specific consent for access to personal information for health research. What do Canadians think?. Paper presented at 29th International Conference of Data Protection and Privacy Commissioners; Montreal, Canada. September 25–28. 2007.
  • Woolley M, Propst SM. Public attitudes and perceptions about health related research. JAMA. 2005; 294 :1380–1384. [ PubMed : 16174697 ]

Sections of this chapter were adapted from a background paper by Pritts (2008).

The National Committee on Vital and Health Statistics has noted that the term “secondary uses” of health data is ill defined and therefore urged abandoning it in favor of precise description of each use. Consequently, the IOM committee has chosen to minimize use of the term in this report.

The ethical principle of doing no harm, based on the Hippocratic maxim primum non nocere ("first, do no harm").

The Genetic Information Nondiscrimination Act of 2008 establishes some protections to prevent discrimination based on a patient’s genetic background.

The “Common Rule” is the term used for the identical regulations governing the protection of human subjects of research that 18 federal agencies have adopted. See Chapter 3 for a detailed description of the rule.

These surveys were undertaken by a wide range of sponsors (Markle Foundation, Equifax, Institute for Health Freedom, Geneforum, Privacy Consulting Group) and a wide range of surveyors (Harris Interactive, Public Opinion Strategies, Genetics and Public Policy Center).

The survey was conducted online by Harris Interactive between September 11 and 18, 2007, with 2,392 respondents. The methodology for the survey is described in Appendix B .

Health Insurance Portability and Accountability Act, Public Law 104–191 (1996) (most relevant sections codified at 42 U.S.C. §§ 1320d–1320d-8).

The original 1973 HEW Advisory Committee contemplated and rejected the creation of a centralized, federal approach to regulating the use of all automated personal data systems (see HEW, 1973 ).

Europe, in contrast, has adopted fair information practices in a broader, more uniform fashion by incorporating them into the European Union (EU) Data Protection Directive, which governs the protection of individuals with regard to the processing of personal data and the free movement of such data. The EU Directive covers personal data of many types, including medical and financial data, and applies to virtually anyone who processes such data, so the same protections follow the data across sectors (Gelman, 2008).

Security Standards, 45 C.F.R. parts 160, 162, and 164 (2003). The final standards were adopted on February 20, 2003. Covered entities were required to be in compliance with the regulation on April 21, 2005 (and April 21, 2006, for small health plans).

Protected health information (PHI) refers to all personally identifiable health information maintained by a HIPAA covered entity. 45 C.F.R. § 160.103 (2002).

Since 2004, the American Health Information Management Association has annually surveyed health care privacy officers and others whose jobs relate to the HIPAA privacy function to gain an understanding of where health care organizations stand with regard to implementing the Privacy and Security Rules required by HIPAA (AHIMA, 2006).

See http://www.hhs.gov/healthit/onc/mission/.

Standards for Privacy of Individually Identifiable Health Information: Final Rule, 67 Fed. Reg. 53182, 53232 (2002).

This is derived from the principles of fair information practices (see Chapter 2 for more detail).

Source: Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009. Chapter 2, The Value and Importance of Health Information Privacy.

Institutional Review Board Guidance from OCR

Clinical Research and the HIPAA Privacy Rule

Posted February 5, 2004 (Last edited 06/22/04)

Researchers who conduct interventional clinical research have questioned how the Privacy Rule will affect their research activities. Even before the Privacy Rule, of course, physician-investigators have been concerned about the privacy of the medical and research-related information of their patients and subjects. In fact, many have been required under the Department of Health and Human Services (HHS) or the Food and Drug Administration (FDA) Protection of Human Subjects Regulations (45 CFR part 46 or 21 CFR parts 50 and 56, respectively) to take measures to protect such personal health information from inappropriate use or disclosure. Moreover, in clinical research, physician-investigators often stand in dual roles to the subject: as a treating physician and as a researcher. For the treating physician, duties of confidentiality have long been established under well-known legal and ethical standards. The Privacy Rule adds to these existing obligations. Where a covered entity conducts clinical research involving protected health information (PHI), physician-investigators need to understand the Privacy Rule's restrictions on the use and disclosure of PHI for research purposes. As the Federal privacy standards are implemented throughout the country, one benefit is that many clinical researchers and hospitals may adhere to a common set of national standards for protecting the privacy of patients and clinical research subjects.

This fact sheet discusses the Privacy Rule and its impact on covered entities that conduct clinical research. It places specific emphasis on the Authorization that is generally required for research uses and disclosures of PHI by covered entities. Additional information about the Privacy Rule's potential impact on other research activities, such as repositories, databases, health services research, Institutional Review Boards (IRBs), and Privacy Boards, can be found in related publications, including:

  • Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule
  • Health Services Research and the HIPAA Privacy Rule
  • Research Repositories, Databases, and the HIPAA Privacy Rule
  • Institutional Review Boards and the HIPAA Privacy Rule
  • Privacy Boards and the HIPAA Privacy Rule

Introduction to the Privacy Rule

In response to a congressional mandate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), HHS issued regulations entitled Standards for Privacy of Individually Identifiable Health Information. For most covered entities, compliance with these regulations, known as the Privacy Rule, was required as of April 14, 2003. The Privacy Rule is a response to public concern over potential abuses of the privacy of health information. The Privacy Rule establishes a category of health information, referred to as PHI, which may be used or disclosed to others only in certain circumstances or under certain conditions. PHI is a subset of what is termed individually identifiable health information. With certain exceptions, the Privacy Rule applies to individually identifiable health information created or maintained by a covered entity. Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain defined HIPAA transactions, such as claims or eligibility inquiries. Researchers are not themselves covered entities, unless they are also health care providers and engage in any of the covered electronic transactions. If, however, researchers are employees or other workforce members of a covered entity (e.g., a hospital or health insurer), they may have to comply with that entity's HIPAA privacy policies and procedures. Researchers who are not themselves covered entities, or who are not workforce members of covered entities, may be indirectly affected by the Privacy Rule if covered entities supply their data. In addition, it should be noted that the HHS and FDA Protection of Human Subjects Regulations (45 CFR part 46 and 21 CFR parts 50 and 56, respectively) may also apply to clinical research.

Overview of the Privacy Rule's Impact on Clinical Research

PHI includes what physicians and other health care professionals typically regard as a patient's personal health information, such as information in a patient's medical chart or a patient's test results, as well as an individual's billing information for medical services rendered, when that information is held or transmitted by a covered entity. PHI also includes identifiable health information about subjects of clinical research gathered by a researcher who is a covered health care provider.

The Privacy Rule permits a covered entity to use or disclose PHI for research under the following circumstances and conditions:

  • If the subject of the PHI has granted specific written permission through an Authorization that satisfies section 164.508
  • For reviews preparatory to research, with representations obtained from the researcher that satisfy section 164.512(i)(1)(ii) of the Privacy Rule
  • For research solely on decedents' information, with certain representations and, if requested, documentation obtained from the researcher that satisfies section 164.512(i)(1)(iii) of the Privacy Rule
  • If the covered entity receives appropriate documentation that an IRB or a Privacy Board has granted a waiver of the Authorization requirement that satisfies section 164.512(i)
  • If the covered entity obtains documentation of an IRB or Privacy Board's alteration of the Authorization requirement as well as the altered Authorization from the individual
  • If the PHI has been de-identified in accordance with the standards set by the Privacy Rule at section 164.514(a)–(c) (in which case, the health information is no longer PHI)
  • If the information is released in the form of a limited data set, with certain identifiers removed and with a data use agreement between the researcher and the covered entity, as specified under section 164.514(e)
  • Under a "grandfathered" informed consent of the individual to participate in the research, an IRB waiver of such informed consent, or Authorization or other express legal permission to use or disclose the information for research, as specified under the transition provisions of the Privacy Rule at section 164.532(c)

Note that the Privacy Rule also permits covered entities to use and disclose PHI for purposes of treatment, payment, and health care operations without Authorization. The Privacy Rule also permits disclosures to business associates. Business associates are persons or entities that perform certain functions or services on behalf of the covered entity that require the use or disclosure of PHI, provided certain arrangements to safeguard the PHI are in place between the covered entity and the business associates. The Privacy Rule also permits, without Authorization, covered entities to make a number of other disclosures of PHI, including disclosures that are required by law, disclosures to public health authorities authorized by law to collect or receive such information for public health activities, and disclosures for adverse event reporting to certain persons subject to the jurisdiction of the FDA (e.g., clinical trial drug sponsors). (See section 164.512 for a description of other disclosures for which Authorization is not required.) For a more detailed discussion of permitted uses or disclosures of PHI for research under the Privacy Rule, refer to Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule; Research Repositories, Databases, and the HIPAA Privacy Rule; Institutional Review Boards and the HIPAA Privacy Rule; and Privacy Boards and the HIPAA Privacy Rule.

Authorization for PHI Uses and Disclosures

A valid Privacy Rule Authorization is an individual's signed permission that allows a covered entity to use or disclose the individual's PHI for the purpose(s) and to the recipient(s) stated in the Authorization. When an Authorization is obtained for research purposes, the Privacy Rule requires that it pertain only to a specific research study, not to future, unspecified projects. If an Authorization for research is obtained, a covered entity's uses and disclosures must be consistent with what is stated in the Authorization. An Authorization differs from an informed consent in that an Authorization is an individual's permission for a covered entity to use or disclose PHI for a certain purpose, such as a research study. An informed consent, on the other hand, is the individual's permission to participate in the research. An informed consent provides research subjects with a description of the study and of its anticipated risks and/or benefits, and a description of how the confidentiality of records will be protected, among other things. An Authorization can be combined with an informed consent document or other permission to participate in research. Whether combined with an informed consent or separate, an Authorization must contain the specific core elements and required statements stipulated in the Privacy Rule. A related publication, Sample Authorization Language, demonstrates the inclusion of core elements and required statements for Authorizations.

Authorization Core Elements
  • A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner
  • The names or other specific identification of the person or persons (or class of persons) authorized to make the requested use or disclosure
  • The names or other specific identification of the person or persons (or class of persons) to whom the covered entity may make the requested use or disclosure
  • A description of each purpose of the requested use or disclosure
  • Authorization expiration date or expiration event that relates to the individual or to the purpose of the use or disclosure ("end of the research study" or "none" are permissible for research, including for the creation and maintenance of a research database or repository)
  • Signature of the individual and date. If the individual's legally authorized representative signs the Authorization, a description of the representative's authority to act for the individual must also be provided
Authorization Required Statements
  • A statement of the individual's right to revoke Authorization and how to do so, and, if applicable, the exceptions to the right to revoke Authorization or reference to the corresponding section of the covered entity's notice of privacy practices.
  • Whether treatment, payment, enrollment, or eligibility of benefits can be conditioned on Authorization, including research-related treatment and consequences of refusing to sign the Authorization, if applicable.
  • A statement of the potential risk that PHI will be re-disclosed by the recipient and no longer protected by the Privacy Rule. This may be a general statement that the Privacy Rule may no longer protect health information disclosed to the recipient.
Limits on Using and Disclosing PHI if Authorization is Revoked

Although an Authorization for research uses and disclosures need not expire, a research subject has the right to revoke, in writing, Authorization at any time. The individual's revocation is effective when the covered entity receives the written revocation, except to the extent that the covered entity has taken action in reliance upon the Authorization. For example, a covered entity is not required to retrieve information that it disclosed under a valid Authorization before receiving the revocation. For research uses and disclosures, the reliance exception would permit the continued use and disclosure of PHI already obtained pursuant to the Authorization to the extent necessary to protect the integrity of the research, for example, to account for a subject's withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.

Activities Preparatory to Research

Covered entities may permit researchers to review PHI in medical records or elsewhere during reviews preparatory to research. These reviews allow the researcher to determine, for example, whether there is a sufficient number or type of records to conduct the research. Importantly, the covered entity may not permit the researcher to remove any PHI from the covered entity. To permit the researcher to conduct a review preparatory to research, the covered entity must receive from the researcher representations that:

  • The use or disclosure is sought solely to review PHI as necessary to prepare the research protocol or other similar preparatory purposes.
  • No PHI will be removed from the covered entity during the review.
  • The PHI that the researcher seeks to use or access is necessary for the research purposes.

Additional information on activities preparatory to research can be found in the booklet, Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule.

Identifying Research Participants

Under the "preparatory to research" provision, covered entities may use or disclose PHI to researchers to aid in study recruitment. The covered entity may allow a researcher, either within or outside the covered entity, to identify, but not contact, potential study participants under the "preparatory to research" provision. However, before permitting this activity, a covered entity must receive proper representation, as described above, from the researcher. Under the "preparatory to research" provision, no PHI may leave the covered entity.

Contacting Research Participants

Under the "preparatory to research" provision, covered entities may use and disclose PHI to researchers to aid in study recruitment. They may allow a researcher to identify, but not contact, potential study participants. To contact potential study participants, a researcher may do so, without Authorization from the individual, under the following circumstances:

  • If the researcher is a workforce member of a covered entity, the researcher may contact the potential study participant, as part of the covered entity's health care operations, for the purposes of seeking Authorization. In addition, a covered health care provider may discuss treatment alternatives, which may include participating in a clinical trial, with the patient as part of the patient's treatment or the covered entity's health care operations. Alternatively, the covered entity may contract with a business associate (who may be a researcher) to assist in contacting individuals on behalf of the covered entity to obtain their Authorizations.
  • If the covered entity obtains documentation that an IRB has partially waived the Authorization requirement to disclose PHI to a researcher for recruitment purposes, the covered entity could disclose to the researcher that PHI necessary for the researcher to contact the individual.

Research Uses and Disclosures Under Permissions Obtained Prior to the Privacy Rule's Compliance Date

Sections 164.532(a) and (c) of the Privacy Rule provide that, after the compliance date (for most covered entities, April 14, 2003), a covered entity may use or disclose an individual's PHI without an Authorization, or waiver or alteration of the Authorization requirement, in connection with research, if specific conditions are met. For many such uses and disclosures of PHI in connection with research, a covered entity may rely on any one of the following that was obtained prior to the compliance date:

  • An Authorization or other express legal permission from an individual to use or disclose PHI for research
  • The informed consent of the individual to participate in the research
  • A waiver by an IRB of informed consent in accordance with applicable laws and regulations governing informed consent, unless a new informed consent document is sought after the compliance date

The transition provisions do not apply if any change is made after the compliance date to an informed consent, express legal permission, or IRB waiver for the research obtained before the compliance date that would invalidate these prior permissions. In such cases, an Authorization that complies with section 164.508 of the Privacy Rule is required unless the activity is otherwise permitted by the Privacy Rule without Authorization (e.g., through a waiver of Authorization).

In some instances, express legal permissions, informed consents, or IRB-approved waivers of informed consents are not study specific. These permissions for research and waivers, if obtained before the compliance date, are grandfathered by the transition provisions even if provided for future unspecified research, subject to the conditions described above.

Frequently Asked Questions and Answers

Q: What is the relationship between the Privacy Rule and the HHS and FDA Protection of Human Subjects Regulations?

A: There are two main differences. First, the HHS and FDA Protection of Human Subjects Regulations are concerned with the risks associated with participation in research. These may include, but are not limited to, the risks associated with investigational products and the risks of experimental procedures or procedures performed for research purposes, and the confidentiality risks associated with the research. The Privacy Rule is concerned with the risk to the subject's privacy associated with the use and disclosure of the subject's PHI.

Second, the scope of the HHS and FDA Protection of Human Subjects Regulations differs from that of the Privacy Rule. The FDA regulations apply only to research over which the FDA has jurisdiction, primarily research involving investigational products. The HHS Protection of Human Subjects Regulations apply only to research that is conducted or supported by HHS, or conducted under an applicable Office for Human Research Protections (OHRP)-approved assurance where a research institution, through its Multiple Project Assurance (MPA) or Federal-Wide Assurance (FWA), has agreed voluntarily to follow the HHS Protection of Human Subjects Regulations for all human subjects research conducted by that institution regardless of the source of support. By contrast, the Privacy Rule applies to a covered entity's use or disclosure of PHI, including for any research purposes, regardless of funding or whether the research is regulated by the FDA.

Q: Under certain circumstances, the "preparatory to research" provision at section 164.512(i)(1)(ii) of the Privacy Rule permits covered entities to use or disclose PHI for purposes preparatory to research. What kinds of activities are considered "preparatory to research"?

A: Covered entities that obtain certain required representations from a researcher may use and disclose PHI for activities "preparatory to research" that include, but are not limited to, the following:

  • Preparing a research protocol
  • Assisting in the development of a research hypothesis
  • Aiding in research recruitment, such as identifying prospective research participants who would meet the eligibility criteria for enrollment into a research study

Under this provision, no PHI may be removed from the covered entity during the course of the review.

Q: When do the requirements under HHS regulations at 45 CFR part 46 related to IRB review and informed consent apply to "preparatory to research" activities as permitted by the Privacy Rule at section 164.512(i)(1)(ii)?

A: HHS Protection of Human Subjects Regulations at 45 CFR part 46 do not reference "preparatory to research" activities.

HHS regulations at 45 CFR 46.102(d) define "research" as "a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge."

HHS regulations at 45 CFR 46.102(f) define "human subject" as

a living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual or (2) identifiable private information... Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record). Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects.

When a "preparatory to research" activity (i) involves human subjects research, as defined above; (ii) is conducted or supported by HHS or conducted under an applicable OHRP-approved assurance; and (iii) does not meet the criteria for exemption under HHS regulations at 45 CFR 46.101(b), the research must be reviewed and approved by an IRB in accordance with HHS regulations at 45 CFR 46.109(a). In addition, informed consent of the subjects must be sought and documented in accordance with, and to the extent required by, HHS regulations at 45 CFR 46.116 and 46.117, respectively. However, under HHS Protection of Human Subjects Regulations at 45 CFR 46.116(c) and (d), an IRB may approve a consent procedure for such a "preparatory to research" activity that does not include, or that alters, some or all of the elements of informed consent, or may waive the requirements to obtain informed consent for such a "preparatory to research" activity if certain criteria are satisfied.

The Privacy Rule permits, under section 164.512(i)(1)(ii), a covered entity to provide investigators with access to PHI for purposes preparatory to research, such as for purposes of identifying potential human subjects to aid in study recruitment, among other things. Such access is permitted provided that the covered entity receives certain required representations from the researcher and the researcher does not remove any PHI from the covered entity during the course of the review.

Activities in which an investigator obtains and records individually identifiable health information for purposes of identifying potential human subjects to aid in study recruitment, among other things, would involve human subjects research under the HHS regulations at 45 CFR part 46 and would not satisfy the criteria for any exemption under HHS regulations at 45 CFR 46.101(b). As a result, if such activities are conducted or supported by HHS or conducted under an applicable OHRP-approved assurance, the research activities must be reviewed and approved by an IRB in accordance with HHS regulations at 45 CFR 46.109(a). In addition, informed consent of the subjects, about whom identifiable private information (e.g., health information) is being obtained, must be sought and documented in accordance with, and to the extent required by, HHS regulations at 45 CFR 46.116 and 46.117, respectively.

For example, if an investigator who is covered by an applicable OHRP-approved assurance obtains and records identifiable private information from medical records for the purpose of contacting these individuals to determine if they would be interested in participating in a research study, this activity constitutes human subjects research and thus would require either (1) that subjects' informed consent be sought as required by the HHS regulations at 45 CFR 46.116 or (2) that the IRB approve an informed consent procedure that does not include or that alters some or all of the elements of informed consent, or waive the requirement to obtain informed consent in accordance with the provisions of the HHS regulations at 45 CFR 46.116(c) or (d). Informed consent also must be documented in accordance with, and to the extent required by, the HHS regulations at 45 CFR 46.117.

Similarly, if such an investigator obtains and records identifiable private information to develop a database of potential research subjects for future research studies, this activity is also human subjects research as defined in 45 CFR part 46 and thus must meet the requirements of the HHS regulations as discussed above.

The above interpretation does not conflict in any way with OCR's interpretation of the Privacy Rule. It should be noted that Authorization for use or disclosure of PHI provided for under the Privacy Rule and legally effective informed consent for research provided for under HHS regulations at 45 CFR 46.116 and 46.117 are not the same.

Furthermore, the Privacy Rule does not override any requirements of 45 CFR part 46, and vice versa. In situations where both 45 CFR part 46 and the Privacy Rule apply, institutions must adhere to both sets of regulations.

Q: If, under the "preparatory to research" provisions, a researcher identifies subjects that meet the study's eligibility criteria, how can the researcher contact the potential participant to obtain Authorization after identifying these individuals?

A: Under the "preparatory to research" provision, covered entities may use and disclose to researchers PHI to aid in study recruitment. They may allow a researcher to identify, but not contact, potential study participants. In order to contact potential study participants, a researcher may do so, without Authorization from the individual, under the following circumstances:

  • If the researcher is a workforce member of a covered entity, the researcher may contact the potential study participant, as part of the covered entity's health care operations, for the purposes of seeking Authorization. Alternatively, the covered entity may contract with a researcher as a business associate to assist in contacting individuals on behalf of the covered entity to obtain their Authorizations.

Q: Is a covered entity required to account for disclosures made pursuant to an IRB or Privacy Board's alteration of the Authorization requirement?

A: Yes. Covered entities are required to account for disclosures made pursuant to an altered Authorization. Where an Authorization has been altered, pursuant to the process provided for by section 164.512(i) of the Privacy Rule, it is no longer an "authorization as provided in section 164.508" and thus, no longer exempt from the accounting requirements pursuant to section 164.528(a)(1)(iv). However, where a covered entity discloses the records of 50 or more individuals for a particular research purpose during the period covered by the accounting, the Privacy Rule permits the covered entity to provide a more general accounting to the requestor. See section 164.528(b)(4) of the Privacy Rule. The period covered by the accounting is no more than 6 years prior to the date on which the accounting is requested (or less than 6 years if requested by the individual) but does not include disclosures made prior to the compliance date (usually April 14, 2003).

Q: When must an IRB review and approve the language of an Authorization for use or disclosure of PHI related to human subjects research activities regulated by HHS Protection of Human Subjects Regulations at 45 CFR part 46 and FDA Protection of Human Subjects Regulations at 21 CFR parts 50 and 56?

A: The HHS and FDA Protection of Human Subjects Regulations do not expressly require that Privacy Rule Authorizations be reviewed or approved by an IRB. However, under HHS regulations at 45 CFR 46.117(a) and FDA regulations at 21 CFR 50.27(a), IRB review and approval is required for the written informed consent document used in human subjects research. Therefore, if the Authorization language is part of the informed consent document, such as when the Authorization form is combined with an informed consent form, the IRB is required to review such language.

Generally, neither HHS regulations at 45 CFR part 46 nor FDA regulations at 21 CFR parts 50 and 56 require that stand-alone Authorizations (i.e., Authorizations that are not incorporated into the informed consent document) for use or disclosure of PHI be reviewed and approved by the IRB. However, FDA regulations at 21 CFR 56.108(a) would require such review if required by the IRB's written procedures. In the exercise of ongoing enforcement discretion, however, with respect to the requirements of 21 CFR 56.108(a), to the extent that an IRB's written procedures require the review and/or approval of stand-alone Authorizations, FDA will not take enforcement action against an IRB for failing to review them even when the IRB's written procedures otherwise would require such review and/or approval.

Q: Does the Privacy Rule require IRBs to review and/or approve Authorizations, either as stand-alone documents (i.e., Authorizations that are not combined with informed consent documents) or when combined with informed consent?

A: No. The Privacy Rule does not require IRBs to review or approve Authorizations used for research or other disclosures; it only requires that the Authorization comply with the requirements of the Rule at section 164.508. For Office for Civil Rights (OCR) guidance on this topic, see http://www.hhs.gov/ocr/hipaa/privguideresearch.pdf .

Q: Do FDA regulations require IRBs to review and/or approve stand-alone Authorizations, i.e., Authorizations that are not combined with informed consent documents?

A: No. FDA regulations do not specifically require IRBs to review and/or approve stand-alone Authorizations. However, FDA regulations governing IRBs require, in pertinent part, that IRBs adopt and follow written procedures for reviewing clinical research. See 21 CFR 56.108(a). Pursuant to this provision, IRBs that have written procedures requiring them to review all written materials provided to potential research subjects would have to review and approve stand-alone Authorizations, even though such review is not otherwise required under the Privacy Rule, HHS Protection of Human Subjects Regulations, or FDA regulations governing IRBs. However, in the exercise of ongoing enforcement discretion with respect to the requirements of 21 CFR 56.108(a), to the extent that an IRB's written procedures require the review and/or approval of stand-alone Authorizations, FDA will not take enforcement action against an IRB for failing to review them even when the IRB's written procedures otherwise would require such review and/or approval. For OCR guidance on this topic, see http://www.hhs.gov/ocr/hipaa/privguideresearch.pdf .

Q: Do international guidelines (the ICH Good Clinical Practice Guidelines) require IRBs to review and/or approve stand-alone Authorizations, i.e., Authorizations that are not combined with informed consent documents?

A: No. The International Conference on Harmonisation (ICH) Good Clinical Practice: Consolidated Guideline (E6) states, for example, "Before initiating a trial, the investigator/institution should have written and dated approval/favourable opinion from the IRB/IEC [Independent Ethics Committee] for the trial protocol, written informed consent form, consent form updates, subject recruitment procedures (e.g., advertisements), and any other written information to be provided to subjects." (Emphasis added.) (See ICH E6 4.4.1.) This language recommends, but does not require, such review. In general, the ICH Good Clinical Practice guidelines are recommendations, not legal requirements. As such, they are not subject to enforcement by U.S. authorities.

Q: May a covered health care provider discuss with a patient his or her enrollment in clinical research without the patient's Authorization? What if the individual is not a patient of the covered provider?

A: Yes. These types of conversations may arise under a variety of circumstances. For example, a physician may for treatment purposes discuss treatment alternatives with the individual, which may include the option of enrolling in a clinical trial. In addition, a physician may speak to the individual about a clinical trial as part of asking the individual to sign an Authorization to permit the covered provider to use or disclose the individual's PHI for the research study. Also, the Privacy Rule generally permits a covered entity to communicate with individuals and to disclose their PHI to them. Therefore, covered health care providers and patients may continue to discuss the option of enrolling in a clinical trial without patient Authorization, regardless of whether the individual is a patient of the covered provider, and without an IRB or Privacy Board waiver of the Authorization. However, the covered health care provider must obtain the individual's Authorization or an IRB or Privacy Board waiver of Authorization, or meet certain other conditions, before using or disclosing the individual's PHI as part of the research study.

Similarly, if a physician knows of a study in which his or her patient might enroll that is being conducted by others, the physician may discuss such a trial with the patient and give the patient the researcher's contact information so the patient may contact the researcher directly. However, the physician may only contact the researchers about the patient so long as de-identified information is disclosed, the individual's Authorization or IRB or Privacy Board waiver of Authorization is obtained, or other conditions that satisfy the Privacy Rule are met. For example, it is acceptable to give a clinical summary of a patient to a researcher to determine if the patient might meet enrollment criteria, if such discussions omit the patient's name, address, medical record number, and any other identifying information set forth in section 164.514(a)-(c) of the Privacy Rule.

Q: May a covered entity obtain an individual's Authorization to include his or her PHI in a clinical research recruitment database of possible research participants, such as a pre-screening log?

A: Yes. The Privacy Rule permits a covered entity to include an individual's PHI in a clinical research recruitment database and permit researchers access to the recruitment database, provided the individual has given permission through a written Authorization. The Authorization must inform the individual of the purpose for which (e.g., for the pre-screening log for one or more clinical trials) and what PHI will be used and meet the other requirements at section 164.508 of the Privacy Rule. Alternatively, a covered entity may provide a researcher access to the PHI for reviews preparatory to research, provided the required representations are obtained. See section 164.512(i) of the Privacy Rule. Unless otherwise permitted by the Privacy Rule, a subsequent Authorization must be obtained from the individual before a covered entity may use or disclose the individual's PHI for the clinical trial itself.

Q: One common method for recruiting research participants involves organizing a call center for potential research participants to contact in response to advertisements about the research. Would a call center be required to obtain the individual's Authorization before speaking to the individual about the trial?

A: Call centers in many cases will not be part of a covered entity (health plan, health care clearinghouse, certain health care providers), and thus, are not required to comply with the Privacy Rule. A call center for research is an entity established to receive and answer calls from interested individuals about a research project. Commonly, a call center will collect identifiable information about a caller who may be interested in the research study and then transmit such information to researchers involved in the study or send information about a study directly to callers.

If a call center is part of a covered entity, e.g., part of a covered health care provider that is also a researcher, it may speak with an individual without Authorization for purposes of communicating about the research study or obtaining the individual's Authorization to use or disclose his or her PHI for the study. However, any use or disclosure of the individual's PHI for the research study itself or other purposes is subject to the conditions set forth in the Privacy Rule.

Q: Is a covered health care provider that conducts clinical research required to provide the Notice of Privacy Practices to participants of that trial?

A: Maybe. The Privacy Rule requires covered health care providers that have a direct treatment relationship with the individuals to provide to individuals the Notice of Privacy Practices in accordance with section 164.520(c)(2). A direct treatment relationship means a treatment relationship between an individual and a health care provider that is not an indirect treatment relationship. An indirect treatment relationship between an individual and a health care provider is one in which:

  • The health care provider delivers health care to the individual based on the orders of another health care provider.
  • The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products to the individual.

Where a covered health care provider does not have a direct treatment relationship with the individual, the Privacy Rule does not require that provider to give to the individual the Notice of Privacy Practices. However, the covered provider is still responsible for making its Notice of Privacy Practices available to any person that requests it, and prominently posting and making available its Notice of Privacy Practices on any Web site it maintains that provides information about its customer services or benefits.

Q: How does the written Authorization required under the Privacy Rule differ from the written informed consent required under the HHS and FDA Protection of Human Subjects Regulations?

A: Under the Privacy Rule, a patient's Authorization is for the use and disclosure of PHI, which can include use or disclosure for research purposes. In contrast, an individual's informed consent, as required by the HHS or FDA Protection of Human Subjects Regulations, is a consent to participate in the research study as a whole, not simply a consent for the research use or disclosure of PHI. While there are important differences between the Privacy Rule's requirements for individual Authorization, and HHS' or FDA's Protection of Human Subjects Regulations requirements for informed consent, the Privacy Rule's Authorization elements are compatible with the informed consent elements of the HHS Protection of Human Subjects Regulations. Thus, both sets of requirements can be met by use of a single, combined form, which is permitted by the Privacy Rule. For example, the Privacy Rule allows the Authorization for research to state that the Authorization will be valid until the conclusion of the research study, or to state that the Authorization will not have an expiration date or event. This is compatible with HHS' Protection of Human Subjects Regulations requirement for an explanation of the expected duration of the research subject's participation in the study. It should be noted that where the Privacy Rule, the HHS Protection of Human Subjects Regulations, and/or FDA's Protection of Human Subjects Regulations apply, each applicable regulation must be followed.

Q: May the Authorization required under the Privacy Rule be part of the informed consent document required under the HHS and FDA Protection of Human Subjects Regulations?

A: Yes. The two documents may be combined, or they may be separate.

Q: If an Authorization to use or disclose PHI for research is combined with an informed consent form, does a covered entity need to obtain a signature authorizing the use or disclosure of PHI separately from a signature that may be required for informed consent under 45 CFR part 46 or 21 CFR parts 50 and 56?

A: No. Where an individual's signature is sought for a single form that combines Authorization with informed consent [also known as a compound Authorization at 164.508(b)(3)(i)], one signature satisfies the Authorization requirement at 164.508(c)(1)(vi).

Q: Do HHS regulations at 45 CFR part 46 and FDA regulations at 21 CFR parts 50 and 56 permit the IRB to review and approve the insertion of Authorization language as a single modification that applies to the informed consent documents of multiple protocols previously approved by the IRB?

A: Yes, when Authorizations for use or disclosure of PHI will be incorporated into previously approved informed consent documents for a series of protocols, and the Authorizations are composed entirely of identical template language, the IRB may approve the insertion of the Authorization language as a single modification that applies to the entire series of protocols.

However, when Authorizations for use or disclosure of PHI will be incorporated into previously approved informed consent documents for a series of protocols and the Authorization statements include protocol-specific information unique to each of the protocols, the IRB should review and approve the insertion of the Authorization language separately for each protocol.

In both cases, an expedited review procedure may be used.

Q: Do the core elements of an Authorization differ from a medical records release form?

A: Probably. A Privacy Rule Authorization may be a more detailed document than what physicians and hospitals are accustomed to using as a release of medical records. Medical records release forms usually are phrased very generally, but Authorizations are much more specific with regard to what information is being released, to whom, for what purpose, and for how long. An Authorization must also inform patients of certain rights they have in relation to their PHI. An Authorization may contain more information than required by the Privacy Rule, as long as the additional information is not inconsistent with the information required for the Authorization. See section 164.508 for the specific requirements for a Privacy Rule Authorization.

Q: Does the Authorization form need to have a termination date for research?

A: No. An Authorization for research uses and disclosures need not have a fixed expiration date or state a specific expiration event; the form can list "none" or "the end of the research project."

Q: Must a separate Authorization be obtained for each research use or disclosure of PHI?

A: No. As long as each use or disclosure is part of a specific research activity and the Authorization describes the types of uses or disclosures that will occur as part of that research activity, only one Authorization is required from each subject. That Authorization will generally be obtained at the time of enrollment in the trial itself, as part of the informed consent process. It is important, therefore, that researchers, research nurses, or others involved in informed consent discussions with subjects also understand the Authorization and its meaning so that subjects' questions and concerns can be answered accurately.

Q: Does the Privacy Rule specify who must develop the Authorization form?

A: No. The Privacy Rule does not specify who may draft the Authorization, so a researcher could draft it. However, in order to comply with the Privacy Rule, an Authorization must be written in plain language and contain the core elements and required statements specified at section 164.508 of the Privacy Rule. A covered entity may disclose PHI as specified in a valid Authorization that has been created by another covered entity or a third party, such as a researcher.

Q: When a covered entity chooses to combine the Authorization with the informed consent document for a research study, can the compound document cross-reference required elements for both permissions (i.e., to minimize redundant language)?

A: Yes. The Privacy Rule permits the compound Authorization to cross-reference relevant sections of an informed consent document, provided the compound document includes the core elements and statements required by section 164.508(c). In addition, under the HHS and FDA Protection of Human Subjects Regulations, all of the required elements for informed consent must be included in the informed consent document, unless an IRB alters or waives the requirements.

Q: How may a covered entity use or disclose PHI for the creation of a research repository or database when it is unknown at the time of collection what specific protocols will make use of the repository or database in the future?

A: There are two separate activities to consider: (1) The use or disclosure of PHI for creating a research database or repository and (2) the subsequent use or disclosure of PHI in the database for a particular research protocol.

A covered entity's use or disclosure of PHI to create a research database or repository, and use or disclosure of PHI from the database or repository for a future research purpose, are each considered a separate research activity under the Privacy Rule. In general, the Privacy Rule requires Authorization for each activity, unless, for example, an IRB or Privacy Board waives or alters the Authorization requirement. Documentation of a waiver or an alteration of Authorization to use or disclose PHI to create a research database requires, among other things, a statement that an IRB or Privacy Board has determined that the researcher has provided adequate written assurances that PHI in the database will not be further used or disclosed except as permitted by the Privacy Rule (e.g., for research uses and disclosures with an Authorization or waiver). A covered entity also could use or disclose a limited data set to create a research repository or database under conditions set forth in a data use agreement.

For subsequent use or disclosure of PHI for research purposes from a repository or database maintained by the covered entity, the covered entity may:

  • Obtain the individual's Authorization for the research use or disclosure of PHI as specified under section 164.508
  • Obtain documentation of an IRB or Privacy Board's waiver of the Authorization requirement that satisfies section 164.512(i)
  • Obtain satisfactory documentation of an IRB or Privacy Board's alteration of the Authorization requirement as well as the altered Authorization from the individual
  • Use or disclose PHI for reviews preparatory to research with representations that satisfy section 164.512(i)(1)(ii) of the Privacy Rule
  • Use or disclose PHI for research on decedents' PHI with representations that satisfy section 164.512(i)(1)(iii) of the Privacy Rule
  • Provide a limited data set and enter into a data use agreement with the recipient as specified under section 164.514(e)
  • Use or disclose PHI based on permission obtained prior to the compliance date of the Privacy Rule: informed consent of the individual to participate in the research, an IRB waiver of such informed consent, or Authorization or other express legal permission to use or disclose the information for the research as specified under section 164.532(c) of the Privacy Rule

A covered entity may also use or disclose PHI from databases and repositories for other purposes without Authorization as permitted by the Privacy Rule, such as if required by law or to a public health authority for a public health activity (e.g., disclosures to public, including state, cancer registries). Covered entities may also de-identify PHI according to standards set forth in the Privacy Rule; once de-identified, the information is no longer PHI and its use and disclosure is not regulated by the Privacy Rule.

Q: What documentation of an IRB or Privacy Board waiver or alteration of the requirement for an Authorization must a covered entity receive in order to permit a use or disclosure of PHI for research without Authorization?

A: Under the Privacy Rule at section 164.512(i), a covered entity may use or disclose PHI for a research study without Authorization (or with an altered Authorization) from the research participant if the covered entity obtains proper documentation that an IRB or Privacy Board has granted a waiver (or alteration) of the Authorization requirements. Among other requirements under section 164.512(i), a covered entity must obtain a statement that an IRB or a Privacy Board has determined that the alteration or waiver, in whole or in part, of Authorization satisfies the following three criteria in the Privacy Rule:

  • The use or disclosure of PHI involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
      • An adequate plan to protect the identifiers from improper use and disclosure.
      • An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law.
      • Adequate written assurances that the PHI will not be reused or disclosed except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of PHI would be permitted by the Privacy Rule.
  • The research could not practicably be conducted without the waiver or alteration.
  • The research could not practicably be conducted without access to and use of the PHI.

Clinical research will not generally qualify for a waiver of the Authorization if a clinical research participant will be asked to sign an informed consent before entering the study. We anticipate that waiver of Authorization will be more common in research that involves, for example, retrospective medical chart reviews. Additionally, when Authorization is waived for research access to medical records or other PHI, the covered entity must take reasonable steps to limit the information disclosed to that which is the minimum necessary for the research purpose. If appropriate documentation of an IRB or Privacy Board waiver or alteration of Authorization is presented to the covered entity, the covered entity may rely, if reliance is reasonable under the circumstances, upon documentation of such waiver that the request represents the minimum necessary amount of PHI for the research.

Q: Once an individual's information has been de-identified according to Privacy Rule standards, does the subject's Authorization have to be obtained for use or disclosure of that de-identified information for research?

A: No. De-identified information is not considered PHI and as such is not governed by the Privacy Rule, and no Authorization or waiver is necessary for its use or disclosure.

Q: Does a covered entity need an individual's Authorization before de-identifying the PHI or creating a limited data set?

A: No. The Privacy Rule does not require a covered entity to obtain an individual's Authorization before using or disclosing the PHI for creating de-identified health information or a limited data set. The Privacy Rule considers such activity to be a health care operation, as defined at section 164.501, of the covered entity. As such, a covered entity could contract with a business associate, including a researcher, to create de-identified data or a limited data set.

Q: What kind of information must be removed from health information in order for it to be de-identified?

A: The Privacy Rule provides two ways to de-identify PHI. The first (the "safe harbor" method) is to remove the following identifiers of the individual and of the individual's relatives, employers, or household members:

  • (1) Names
  • (2) All geographic subdivisions smaller than a state, including street address, city, county, precinct, and zip code, except for the initial three digits of the zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; where that unit contains 20,000 or fewer people, the three-digit prefix is changed to 000
  • (3) All elements of dates (except year) directly related to the individual, and all ages over 89 and all elements of dates (including year) indicative of such an age, except that such ages may be aggregated into a single category of "age 90 or older"
  • (4) Telephone numbers
  • (5) Fax numbers
  • (6) Email addresses
  • (7) Social security numbers
  • (8) Medical record numbers
  • (9) Health plan beneficiary numbers
  • (10) Account numbers
  • (11) Certificate or license numbers
  • (12) Vehicle identifiers and serial numbers, including license plate numbers
  • (13) Device identifiers and serial numbers
  • (14) URLs
  • (15) IP addresses
  • (16) Biometric identifiers, including finger and voice prints
  • (17) Full-face photographs and any comparable images
  • (18) Any other unique, identifying number, characteristic, or code, except as permitted for re-identification in the Privacy Rule

In addition to removing these identifiers, the covered entity must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual.

Covered entities may also use statistical methods to establish de-identification (the "expert determination" method) instead of removing all 18 identifiers. The covered entity may obtain certification by "a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable" that there is a "very small" risk that the information could be used by the recipient to identify the individual who is the subject of the information, alone or in combination with other reasonably available information. The person certifying statistical de-identification must document the methods used as well as the result of the analysis that justifies the determination. A covered entity is required to keep such certification, in written or electronic format, for at least 6 years from the date of its creation or the date when it was last in effect, whichever is later.
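The safe harbor rules above are mechanical enough to encode, and the two places where implementations usually go wrong are the zip code population threshold and the treatment of ages over 89 (where even a birth year would reveal the age). The following is an added example written for this page, not code from the NIH/OCR guidance: it applies the identifier removals to a hypothetical patient record. The field names, the sample records and the three-digit zip population table are constructed assumptions; a real deployment must use current Census Bureau population figures and still needs the human "no actual knowledge" review that the rule requires, which no script can supply.

```python
"""Safe Harbor de-identification of a patient record (constructed example).

Added illustration of the identifier-removal rules above; not part of the
NIH/OCR guidance. Record layout, field names and the ZIP-prefix population
table are assumptions. A production version needs current Census data for
three-digit ZIP prefixes plus the manual "no actual knowledge" review.
"""
from __future__ import annotations

import re
from datetime import date

# Assumed population of the unit formed by all ZIP codes sharing a 3-digit
# prefix. Prefixes missing from the table are treated as unknown and suppressed.
ZIP3_POPULATION = {
    "021": 500_000,  # assumed: densely populated prefix (> 20,000 people)
    "036": 17_000,   # assumed: sparsely populated prefix (<= 20,000 people)
}

# Fields in this hypothetical schema that hold identifiers (1) and (4)-(18);
# they are dropped outright rather than transformed.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip", "biometric", "photo",
}

# Identifier shapes that commonly leak through free-text fields.
RESIDUAL_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # SSN-shaped
    re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),    # US phone-shaped
    re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),   # e-mail address
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),    # IPv4 address
]


def zip_safe_harbor(zip_code: str, zip3_population: dict[str, int] = ZIP3_POPULATION) -> str | None:
    """Identifier (2): keep the 3-digit prefix only if its unit has more than
    20,000 people; otherwise return "000". Non-ZIP-shaped input yields None."""
    prefix = zip_code[:3]
    if not re.fullmatch(r"\d{3}", prefix):
        return None
    population = zip3_population.get(prefix)
    if population is None or population <= 20_000:
        return "000"
    return prefix


def age_safe_harbor(age: int) -> str:
    """Identifier (3): ages over 89 collapse into the single "90+" category."""
    return "90+" if age > 89 else str(age)


def scrub_text(text: str) -> tuple[str, int]:
    """Redact identifier-shaped substrings; returns (clean_text, hit_count).
    A non-zero count is a signal for manual review, not proof of cleanliness."""
    hits = 0
    for pattern in RESIDUAL_PATTERNS:
        text, n = pattern.subn("[REDACTED]", text)
        hits += n
    return text, hits


def age_on(birth: date, today: date) -> int:
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))


def deidentify(record: dict, today: date) -> dict:
    """Apply the Safe Harbor rules to one record and return the reduced record."""
    out: dict = {}
    birth = record.get("birth_date")
    age = age_on(birth, today) if isinstance(birth, date) else None
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                 # removed entirely
        if key == "zip":
            out["zip3"] = zip_safe_harbor(str(value))
        elif key == "birth_date":
            if age is not None and age <= 89:        # year would reveal age > 89
                out["birth_year"] = str(value.year)
        elif isinstance(value, date):
            out[key] = str(value.year)               # other dates: year only
        elif isinstance(value, str):
            out[key], _ = scrub_text(value)          # free text: strip residue
        else:
            out[key] = value                         # e.g. state, codes, numbers
    if age is not None:
        out["age"] = age_safe_harbor(age)
    return out


# Constructed sample records describing fictitious people.
TODAY = date(2024, 9, 1)
SAMPLE_RECORDS = [
    {"name": "Jane Q. Example", "mrn": "MRN-0012345", "ssn": "123-45-6789",
     "email": "jane@example.org", "street": "1 Main St", "city": "Boston",
     "state": "MA", "zip": "02115", "birth_date": date(1930, 6, 15),
     "admission_date": date(2023, 3, 2), "diagnosis_code": "E11.9",
     "notes": "Pt called from 617-555-0100 about results."},
    {"name": "John Example", "mrn": "MRN-0099", "state": "NH", "zip": "03601",
     "birth_date": date(1979, 3, 10), "admission_date": date(2024, 1, 20),
     "diagnosis_code": "I10", "notes": "Follow-up via j.example@mail.test"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(deidentify(rec, TODAY))
```

The first sample record keeps only state, the "021" zip prefix, the admission year, the diagnosis code, the scrubbed note and an age of "90+"; its birth year is dropped because it would disclose an age over 89. The second keeps a birth year but its zip prefix becomes "000" because the assumed population of the "036" unit is under the threshold. The free-text scrub is a safety net for obvious residue (SSN, phone, e-mail, IP shapes); it does not satisfy the "no actual knowledge" condition on its own, and dates written inside free text still need a separate pass.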

Q: If a subject signed an informed consent to participate in clinical research prior to the Privacy Rule compliance date (April 14, 2003), does the researcher have to get the subject to sign an Authorization in order to use or disclose that subject's PHI after April 14, 2003?

A: No. Under the transition provisions of the Privacy Rule, as long as the informed consent was signed prior to April 14, 2003, the covered entity may use or disclose that subject's data, even if the data were not generated or received until after the compliance date, consistent with any agreed upon restriction on the use or disclosure of the information. However, the transition provision does not apply to the PHI of subjects enrolled after the compliance date (usually April 14, 2003). These subjects may have to complete an Authorization form, unless, for instance, an IRB or Privacy Board has approved a waiver of the Authorization requirement.

Q: If a use or disclosure could be made under the Privacy Rule as a research activity or another permitted activity, such as a permitted public health activity, does the use or disclosure have to satisfy both sets of requirements?

A: No. There may be cases where an activity may be permitted under more than one provision of the Privacy Rule, e.g., a disclosure for public health and research, such as for adverse event reporting. In this case, disclosures may be made under either the research provisions or the public health provisions, as appropriate; the covered entity need not comply with both sets of requirements.

However, activities that are considered both public health and research under the Privacy Rule, and that also meet the definition of "research" as defined under the HHS Protection of Human Subjects Regulations, must be conducted in compliance with the HHS Protection of Human Subjects Regulations if the research is conducted or supported by HHS, or conducted under an applicable Assurance approved by the Office for Human Research Protections. Similarly, if an activity is both a public health and research activity that is subject to FDA's Protection of Human Subjects Regulations, then compliance with FDA's regulations would also be required.

Q: Would a covered entity be required to account for disclosures of PHI made pursuant to an informed consent or authorization for the research that was "grandfathered" under the transition provisions?

A: Yes, a covered entity would be required to account for such disclosures unless the consent or Authorization to participate in the research would constitute a valid Authorization under section 164.508 of the Privacy Rule.

Q: Does the Privacy Rule give subjects a right to access their research records during the course of a clinical trial?

A: The Privacy Rule does afford subjects and patients a right to inspect and obtain a copy of their PHI held by covered entities in what is termed a "designated record set." A designated record set includes any record that is maintained by the covered entity or its business associate that is a medical, billing, enrollment, or payment record or other record that is used to make decisions about the subject of the information. It may be, in some cases, that research data would not be considered part of the designated record set if, for example, the research data is not used to make decisions about the individual and is not part of the medical record. In that case, the individual would not have a right to access the data, but this should be examined on a case-by-case basis with institutional officials. In the case of research that includes treatment, including clinical trials, the Privacy Rule permits a covered entity to suspend the individual's access rights until the end of the research study, provided the individual agreed to the suspension when consenting to participate in the research and was informed that the right of access would be reinstated upon completion of the research. The Privacy Rule permits the covered entity to insert in the Authorization form a statement by which the subject agrees to the suspension of the right to access during the clinical trial and that informs the individual that the right to access will be reinstated upon completion of the research.

Covered entities are required to have policies and procedures for responding to access requests, and researchers that are workforce members of a covered entity may wish to coordinate any response to a subject's request with the medical records department, privacy officer, or legal counsel to ensure compliance with both the Privacy Rule and institutional policies.

Q: Does the Privacy Rule permit a researcher in a covered entity to make adverse event reports to the IRB during a research study, which includes visit dates, a subject's initials, and other identifying information?

A: The Privacy Rule permits PHI to be used or disclosed for adverse event reporting if the use or disclosure is, for example, (1) permitted by the individual's Authorization, (2) pursuant to a waiver or alteration of Authorization, (3) required by law, or (4) for permitted public health activities, which may include reports to persons who are subject to the jurisdiction of the FDA when the report concerns an FDA-regulated product for which the person has responsibility, e.g., sponsors or FDA-regulated IRBs. Where the Privacy Rule requires a covered entity to meet a minimum necessary requirement, researchers should work with their IRB, institutional officials, and research sponsors to develop an adverse event reporting process that uses as few identifiers as possible. For example, consider coding adverse event reports to de-identify data by using study numbers unrelated to the participant's name and indicating relevant dates as "day X of the study." Also note that while an Authorization need not explicitly list each of the multitude of uses and disclosures of PHI that will comprise the research study (so long as the Authorization describes the purpose of the research study and the persons or classes of persons to whom the information may be disclosed in a meaningful and specific manner), covered entities may nonetheless wish to include specific language about adverse event reporting, if relevant, in the Authorization to more fully inform the individual.
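The coding step described above, as an added example rather than anything from the NIH booklet: the report that leaves the site carries a study number with no relationship to the MRN or name, expresses the event date as "day X of the study," and drops every other field. The field names, the study-number format, and the sample record are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date
import secrets

# Fields an adverse event report may carry; everything else in the site
# record (name, initials, MRN, date of birth, visit dates) is dropped.
REPORT_FIELDS = ("event", "severity", "outcome")

@dataclass
class StudyCoder:
    """Codes site records with study numbers and study days."""
    # Re-identification key: stays with the study team inside the covered
    # entity and never travels with a report.
    mrn_to_study: dict = field(default_factory=dict)

    def study_number(self, mrn: str) -> str:
        """Stable study number for an MRN, minted from a CSPRNG on first
        use so it bears no relationship to the MRN or participant name."""
        if mrn not in self.mrn_to_study:
            used = set(self.mrn_to_study.values())
            candidate = f"S-{secrets.randbelow(10**6):06d}"
            while candidate in used:  # never reuse a number
                candidate = f"S-{secrets.randbelow(10**6):06d}"
            self.mrn_to_study[mrn] = candidate
        return self.mrn_to_study[mrn]

    @staticmethod
    def study_day(enrollment: date, event: date) -> int:
        """Calendar date as 'day X of the study'; enrollment day is day 1."""
        day = (event - enrollment).days + 1
        if day < 1:
            raise ValueError("event predates enrollment; record needs review")
        return day

    def code_report(self, record: dict) -> dict:
        """Build the report that leaves the site for the IRB."""
        coded = {"study_number": self.study_number(record["mrn"]),
                 "study_day": self.study_day(record["enrollment_date"],
                                             record["event_date"])}
        coded.update({k: record[k] for k in REPORT_FIELDS if k in record})
        return coded

# Constructed sample site record; every value here is invented.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "initials": "JQS", "mrn": "MRN-000123",
    "dob": date(1970, 5, 2), "visit_date": date(2004, 2, 20),
    "enrollment_date": date(2004, 2, 9), "event_date": date(2004, 2, 20),
    "event": "rash at injection site", "severity": "mild", "outcome": "resolved",
}
```

The same StudyCoder instance must be reused across a study so a participant keeps one study number; an event recorded before enrollment is rejected rather than reported with a nonsensical day.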

Q: Does the Privacy Rule limit, to specific types of research studies, disclosures permitted as preparatory to research or for research on decedents' information?

A: No. The Privacy Rule does not limit the types of research studies that may rely upon the provisions for reviews preparatory to research or for research on decedents' information set forth at section 164.512(i). However, representations made to satisfy these provisions must include, among other requirements at sections 164.512(i)(1)(ii) and 164.512(i)(1)(iii), a statement that the use or disclosure of protected health information is "necessary for the research purposes."

Q: May a covered entity use or disclose PHI to locate or identify the whereabouts of a research participant (e.g., subjects who are "lost to follow-up")?

A: A covered entity is permitted to use or disclose PHI to identify or locate the whereabouts of a research participant during the study as long as the use or disclosure is not limited in the individual's Authorization (or "grandfathered" prior permission, if relevant) or waiver or alteration of Authorization. In addition, such use or disclosure is permissible if, for example, it is necessary for treatment of the individual or for a permissible public health purpose.

Q: Does the Privacy Rule apply to individually identifiable health information of non-U.S. citizens held or maintained by a covered entity?

A: Yes. All individually identifiable health information, including individually identifiable health information of non-U.S. citizens, is PHI when it is held by a covered entity, unless it is otherwise excepted from the definition of PHI at Section 164.501 of the Privacy Rule.

Q: I am a researcher, and my research data source is asking me to sign a business associate agreement. Is this necessary?

A: Business associates are persons who perform certain services for, or functions or activities on behalf of, the covered entity that require access to PHI, but who are not part of the workforce of the covered entity. If the data source is not a covered entity, no business associate contract is required because the Privacy Rule only applies to covered entities.

NIH Publication Number 04-5495     February 2004
