AHIMA’s Position
AHIMA supports the use of policy to address existing privacy, confidentiality, and security gaps in the protection of health information held by Health Insurance Portability and Accountability Act (HIPAA) non-covered entities. Federal privacy and security baseline standards should be developed for the protection of health information held by data holders outside of the scope of HIPAA. Standards should take into account the data holder’s size, scope, activities, and the sensitivity of the health information collected, used, and maintained, as well as the risk of inappropriate disclosure and misuse.
Health information (HI) professionals have extensive expertise in ensuring the privacy, confidentiality, and security of an individual’s health information. AHIMA has developed the set of privacy principles below to help inform its ongoing advocacy efforts in this area. The principles envision the privacy, confidentiality, and security of health information throughout its entire lifecycle. In this context, AHIMA intends “health information” to refer to “electronic health information” as defined at 45 CFR 171.102. The principles are intended to be technology agnostic and adaptable to differing technologies and platforms. The principles are also intended for data holders that are not covered by HIPAA and are not intended to supersede, alter, or affect entities currently covered by HIPAA. To ensure the confidentiality, privacy, and security of individuals’ health information, AHIMA believes that policy must:
Guarantee individuals’ access to their health information.
Policy must guarantee that individuals have access to their health information regardless of where it travels.
Policy must ensure that data holders develop, document, communicate, assign, and are held accountable for their privacy policies and procedures.
Enhance communication and transparency.
Policy must ensure data holders communicate what information will be collected and maintained and generally how the data may be processed and disclosed, including whether data will be sold or commercialized.
Limit the collection, use, and disclosure of health information.
Policy must ensure data holders limit the amount of health information collected, used, and disclosed to the minimum necessary.
Ensure the accuracy and integrity of health information.
Policy approaches must encourage the completeness, accuracy, and integrity of health information.
Prioritize the protection of health information against various privacy and security risks.
Risks include breaches and unauthorized disclosures.
Address health information retention concerns.
Policy should safeguard that health information is retained no longer than necessary by data holders.
Facilitate disposition and destruction of health information.
Policy should facilitate the proper disposition and destruction of health information.
Assign appropriate oversight and enforcement responsibilities.
Policy must clearly designate and adequately fund oversight and enforcement responsibilities.
The state of health data privacy in the US is rapidly evolving as the digitization of the healthcare sector accelerates. Historically, the US has followed a patchwork approach, applying sector-specific data privacy rules rather than a single data privacy regime. As a result, absent sector-specific requirements, certain technologies, applications, products, and services are not bound by or required to abide by robust privacy protections.
HIPAA governs health privacy in traditional healthcare settings. However, an increasing number of consumer-facing technologies, applications, products, and services that access, produce and manage health information are not bound by or required to abide by the rules established under HIPAA because they are not considered “covered entities” or “business associates.” Rather, the privacy practices of such applications, products and services are generally regulated by state law and/or the Federal Trade Commission (FTC) Act. However, unlike sector-specific data protections, the FTC Act does not prescribe specific privacy requirements but rather prohibits unfair or deceptive acts or practices in or affecting commerce. This kind of oversight does not provide the same type or level of protections for consumers as HIPAA, which offers such safeguards as notice of privacy practices; security; restrictions on the sale, use, and reuse of PHI by third parties; and the individual right of access.
AHIMA offers the following policy recommendations to ensure that entities not covered by HIPAA are held accountable for the privacy and security of health information.
Individuals have the right to access their health information regardless of where that information travels. Individuals have the right to access, at a minimum, their health information as defined in 45 CFR 164.501.
Collection, Use and Disclosure
Data holders should maintain health information no longer than necessary while taking into account legal, regulatory, fiscal, and operational requirements. Data holders should develop a health information retention schedule specifying what information must be retained and for what length of time.
Data holders should in the normal course of business regularly provide secure and appropriate disposition of health information no longer required to be maintained by applicable laws and the organization’s policies.
Oversight and enforcement of entities not covered by HIPAA should be assigned to a single federal agency, such as the FTC. Adequate resources, including funding and tools, and a clear congressional mandate must also be provided to ensure appropriate oversight and enforcement.
AHIMA Advocacy in Action - Health Information Held by HIPAA Non-Covered Entities
January 5, 2021
AHIMA calls for the incoming administration to consider the implications of health information as they begin to implement new health policies in 2021.
August 20, 2020
AHIMA submitted comments on aspects of the Federal Trade Commission’s Health Breach Notification Rule.
June 25, 2020
In a letter to Senator Lamar Alexander, AHIMA urged Congress to take swift action to address the issue of patient misidentification and its implications for public health data, and described the need for a national strategy to prioritize which social determinants of health data are relevant for public health purposes.