AHIMA supports the use of policy to address existing privacy, confidentiality, and security gaps in the protection of health information held by Health Insurance Portability and Accountability Act (HIPAA) non-covered entities. Federal privacy and security baseline standards should be developed for the protection of health information held by data holders outside of the scope of HIPAA. Standards should take into account the data holder’s size, scope, activities, and sensitivity of the health information collected, used, and maintained as well as risk of inappropriate disclosure and misuse.
Health information (HI) professionals have extensive expertise in ensuring the privacy, confidentiality, and security of an individual’s health information. AHIMA has developed a set of privacy principles below to help inform its ongoing advocacy efforts in this area. The principles envision the privacy, confidentiality, and security of health information throughout its entire lifecycle. In this context, AHIMA intends “health information” to refer to “electronic health information” as defined at 45 CFR 171.102. The principles are intended to be technology agnostic and adaptable to differing technologies and platforms. The principles are also intended for data holders that are not covered by HIPAA and are not intended to supersede, alter, or affect entities currently covered by HIPAA. To ensure the confidentiality, privacy, and security of individuals’ health information, AHIMA believes that policy must:
Policy must guarantee that individuals have access to their health information regardless of where it travels.
Policy must ensure that data holders develop, document, communicate, assign, and are held accountable for their privacy policies and procedures.
Policy must ensure data holders communicate what information will be collected and maintained and generally how the data may be processed and disclosed, including whether data will be sold or commercialized.
Policy must ensure data holders limit the amount of health information collected, used, and disclosed to the minimum necessary.
Policy approaches must encourage the completeness, accuracy, and integrity of health information.
Risks include breaches and unauthorized disclosures.
Policy should ensure that health information is retained by data holders no longer than necessary.
Policy should facilitate the proper disposition and destruction of health information.
Policy must clearly designate and adequately fund oversight and enforcement responsibilities.
The state of health data privacy in the US is rapidly evolving as the digitization of the healthcare sector accelerates. Historically, the US has followed a patchwork approach, applying sector-specific data privacy rules rather than a single data privacy regime. As a result, absent sector-specific requirements, certain technologies, applications, products, and services are not bound by or required to abide by robust privacy protections.
HIPAA governs health privacy in traditional healthcare settings. However, an increasing number of consumer-facing technologies, applications, products, and services that access, produce and manage health information are not bound by or required to abide by the rules established under HIPAA because they are not considered “covered entities” or “business associates.” Rather, the privacy practices of such applications, products and services are generally regulated by state law and/or the Federal Trade Commission (FTC) Act. However, unlike sector-specific data protections, the FTC Act does not prescribe specific privacy requirements but rather prohibits unfair or deceptive acts or practices in or affecting commerce. This kind of oversight does not provide the same type or level of protections for consumers as HIPAA, which offers such safeguards as notice of privacy practices; security; restrictions on the sale, use, and reuse of PHI by third parties; and the individual right of access.
AHIMA offers the following policy recommendations to ensure that entities not covered by HIPAA are held accountable for the privacy and security of health information.
Individuals have the right to access their health information regardless of where that information travels. Individuals have the right to access, at a minimum, their health information as defined in 45 CFR 164.501.
Data holders should maintain health information no longer than necessary while taking into account legal, regulatory, fiscal, and operational requirements. Data holders should develop a health information retention schedule specifying what information must be retained and for what length of time.
Data holders should, in the normal course of business, regularly and securely dispose of health information that is no longer required to be maintained by applicable laws and the organization’s policies.
Oversight and enforcement of entities not covered by HIPAA should be assigned to a single federal agency, such as the FTC. Adequate resources, including funding and tools, and a clear congressional mandate must also be provided to ensure appropriate oversight and enforcement.
January 5, 2021
AHIMA calls for the incoming administration to consider the implications of health information as they begin to implement new health policies in 2021.
AHIMA Advocacy in Action - Health Information Held by HIPAA Non-Covered Entities
December 10, 2020
“We are pleased to see the long-awaited release of the Office of Civil Rights’ (OCR) proposed modification to the HIPAA Privacy Rule that aims to empower patients and enhance care coordination.”
August 20, 2020
AHIMA submitted comments on aspects of the Federal Trade Commission’s Health Breach Notification Rule.
June 25, 2020
In a letter to Senator Lamar Alexander, AHIMA urged Congress to take swift action to address the issue of patient misidentification and its implications for public health data and described the need for a national strategy to prioritize what social determinants of health data is relevant for public health purposes.