
Health Care & Hospital Law

Jul. 5, 2023

FOUR THINGS EVERYONE SHOULD KNOW ABOUT HEALTH INFORMATION PRIVACY

Lara Compton

Member in the Health Care Practice, Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

In the past few years, COVID-19-related privacy concerns and the implications of the Dobbs v. Jackson Women's Health Organization decision have heightened concerns about health information privacy and highlighted both the gaps in Health Insurance Portability and Accountability Act (HIPAA) privacy protections and the confusion surrounding health information privacy in the United States. Below are four things everyone should know about the patchwork of state and federal privacy laws that apply to identifiable health information (IHI).

1. HIPAA doesn't provide absolute privacy protection

As a preliminary matter, HIPAA does not apply to all individuals and entities that have access to IHI. HIPAA applies exclusively to two types of entities: "covered entities" and "business associates" (collectively, "Regulated Entities"). Covered entities include health care providers that bill third-party payers, health plans, health insurers, and health care clearinghouses (essentially information switches that translate and format data flowing between providers and plans) and are generally responsible for complying with all HIPAA regulations. Business associates are typically contractors and vendors who have access to or handle "protected health information" (further discussed in the next paragraph) when acting on behalf of other Regulated Entities and are directly subject to HIPAA security regulations and certain privacy regulations.

Further, HIPAA only protects protected health information (PHI), which is IHI held or maintained by a covered entity (directly or by its business associates), excluding certain education records and employment records. If HIPAA does apply, there are a multitude of exceptions that allow Regulated Entities to share PHI with third parties without an individual's permission. Commonly used exceptions include: treatment, obtaining payment for services, health care operations, disclosures required by law, and certain judicial and administrative proceedings. For example, subject to certain requirements and limitations, covered entities may share PHI with third parties in conducting quality improvement activities, responding to court orders and subpoenas, and as necessary to comply with state law. As a result, even when HIPAA applies it does not act as a complete barrier to third-party access to PHI, nor does it afford individuals complete control over such access.

2. Many other laws can protect health information

Other federal laws can apply to IHI. For example, 42 C.F.R. Part 2 provides more stringent protections than HIPAA for substance abuse treatment records, the Family Educational Rights and Privacy Act protects student records, the Children's Online Privacy Protection Rule protects the data of minors, and the Gramm-Leach-Bliley Act protects consumer financial data. More broadly, the Federal Trade Commission Act (FTCA) prohibits unfair and deceptive practices affecting consumers, including misrepresenting privacy and security practices relevant to the privacy of identifiable consumer information. Recently, the Federal Trade Commission has been taking health information privacy-related enforcement actions against companies that collect IHI but are not subject to HIPAA.

Additionally, many states have their own laws protecting IHI. In some states, comprehensive consumer privacy protection laws exist that apply to IHI when HIPAA does not. Many states also have health information-specific statutes which in some cases impose more stringent protections (e.g., IHI may only be shared with third parties with patient permission or pursuant to a court order) for sensitive information such as substance abuse treatment, mental health information, HIV test results, genetic information, and reproductive health. Even if HIPAA applies, the more stringent provisions of these laws generally apply as well.

3. Why you should read website privacy policies

It is common for companies to have website privacy policies, and some state laws require that consumers receive notice regarding the types of consumer information collected, what information is shared with third parties, and how consumers can request changes to certain information. While the FTCA does not impose specific privacy policy requirements, it does require that such policies be accurate and not misleading.

Covered entities, however, are required by HIPAA to provide individuals with a "Notice of Privacy Practices" that explains, among other things, how PHI is used and disclosed, and which must be posted on the covered entity's website.

As a result, in many cases consumers should be able to tell whether their IHI is protected by HIPAA, as well as determine how their personally identifiable information will be used and disclosed, by reviewing website privacy documents.

4. "De-identified" data is generally not protected

PHI can be "de-identified" using two different methods so that it is no longer subject to HIPAA's protections. One method provides a "safe harbor" for data when the personal identifiers specified in HIPAA regulations are removed. The other involves removing identifiers to create a data set that an expert determines poses a "very small risk" of identifying an individual. Notably, HIPAA does not directly prohibit re-identification by recipients of de-identified data, but it does require that those relying on the safe harbor for sharing data have no reason to believe the data will be re-identified.

Many state privacy laws, but not all, will not apply to IHI that has been de-identified in accordance with HIPAA. Other states have specific de-identification standards that must be met to avoid privacy law applicability.

Once de-identified in accordance with applicable law, information derived from IHI may generally be shared with third parties without an individual's permission.

In short, some level of privacy protection for IHI usually exists even if HIPAA doesn't apply, but the level of protection varies depending on who holds the data, what kind of information is involved, and the state where the individual is located. While some laws do afford significant protections, no privacy law in the United States acts as a complete barrier to sharing IHI (or data that could be used in combination to create IHI) with third parties without an individual's consent.

Lara Compton is a member in the Health Care Practice at Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
