Law and Regulations Overview
HIPAA (1996) and the HITECH Act (2009) prescribe when and where health entities and their business associates may disclose individually identifiable health information. The FTC Act (1914), on the other hand, creates privacy protection mandates for other kinds of businesses. For example, a period tracker mobile application that promises data privacy to their users would be in violation of the FTC Act if it then sold the data to a third party.
Further information on these laws and their associated federal regulations is below.
Laws
Public Law 104-191
Health Insurance Portability and Accountability Act (HIPAA)
Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The Act was part of an effort by the federal government to facilitate the health care industry’s transition to electronic payment (42 USC 1320d note). The Administrative Simplification provisions of HIPAA introduced electronic health record standards and attempted to address information security concerns. In particular, the law restricts when and how certain health care professionals may disclose individually identifiable health information (IIHI).
Initially, HIPAA privacy regulations applied solely to entities that acted as direct custodians of health records, such as hospital, pharmacies, and health insurance agencies. The HITECH Act expanded some of these protections in 2009.
Public Law 111-5
Health Information Technology for Economic and Clinical Health (HITECH) Act
The HITECH Act, which is a portion of the American Recovery and Reinvestment Act of 2009, expands HIPAA privacy rules to include "business associates" of health entities. Additionally, the Act requires that health entities or their business associates must notify affected individuals when they discover a data breach. Breaches that affect more than 500 people are posted to an online portal hosted by the U.S. Department of Health and Human Services.
Public Law 93-153
The Federal Trade Commission (FTC) Act
The FTC Act of 1914 established the Federal Trade Commission to protect consumers from "unfair or deceptive acts or practices in or affecting commerce." The FTC provides this protection by imposing penalties for such actions and recovering damages for injured parties.
In this context, "deceptive acts" are not just cases where business are found to be explicitly lying to customers; implying untrue things without stating them explicitly, as well as lying by omission, also qualifies. Furthermore, in cases where a business is not deceiving customers, they can still violate the FTC Act by engaging in "unfair practices," i.e., practices that bring substantial harm to consumers without bringing enough benefit to justify the harm. The FTC website suggests that one example of an unfair practice would be a business that does not take reasonable precautions to keep health information safe (Collecting, Using, or Sharing Consumer Health Information?, 2023).
Regulations
89 FR 32976
HIPAA Privacy Rule to Support Reproductive Health Care Privacy
On April 26, 2024, the Department of Health and Human Services published a new regulation that will go into effect on June 25 of this year. Several significant provisions of the rule are as follows:
- Part V Section B Part 2: The rule prohibits the disclosure of protected health information based on the purpose of disclosure (rather than, for instance, the category of health data). Prohibited purposes would include investigating reproductive health care that is legally obtained. This is true even if there is a state law that requires an entity to disclose protected health information for such investigations, because HIPAA would preempt state law. Moreover, in the absence of actual, factual evidence that reproductive health care was obtained unlawfully, covered entities are required to presume that the act was lawful.
- Part V Section E: The rule requires that notices of privacy practices now include not just information about when health information is allowed to be disclosed, but also information about prohibited disclosures. Under previous HIPAA rules, covered entities were required to provide notices of privacy practices when becoming a custodian of someone's protected health information, but this rule clarifies additional details that must be in these notices.
- Part V Section A Part 1 and Part 2: The rules clarifies a couple relevant definitions: The term "person" in HIPAA refers to a "natural person," i.e. "a human being who is born alive." So, for instance, when HIPAA rules allow covered entities to disclose protected health information in order to "avert a serious threat to health or safety," this refers to the health or safety of a natural person. Additionally, the term "public health activities" does not include investigations to impose penalties on people for seeking health care. Thus, where HIPAA allows covered entities to disclose protected health information for "public health" activities, such investigations are not included in this permission.
65 FR 82462
Standards for Privacy of Individually Identifiable Health Information aka "2000 Privacy Rule"
The Department of Health and Human Services published this federal regulation in 2000 to implement HIPAA privacy requirements. In addition to the rule language itself, the document provides context highlighting the importance of trust in healthcare:
While privacy is one of the key values on which our society is built, it is more than an end in itself. It is also necessary for the effective delivery of health care, both to individuals and to populations... In short, the entire health care system is built upon the willingness of individuals to share the most intimate details of their lives with their health care providers.
78 FR 5566
Omnibus HIPAA Rulemaking
In accordance with the provisions of the HITECH Act, 78 FR 5566 expands HIPAA privacy regulations:
- HIPAA now covers "business associates" of the health organizations already covered previously.
- The rule introduces new language to limit marketing-related disclosures.
- The rule increases individual's rights to their own health information in the form of electronic copies.
CFR Title 16 - Chapter I
Commercial Practices - Federal Trade Commission
Title 16, Chapter I of the CFR establishes the Federal Trade Commission. Per 41 FR 54483, the Federal Trade Commission
is responsible for the administration of a variety of statutes -which, in general, are designed to promote competition and to protect the public from unfair and deceptive acts and practices in the advertising and marketing of goods and services.
Among other areas of commerce, the Federal Trade Commission regulates health information privacy in the context of entities that are not covered by HIPAA. 16 CFR 318, for instance, establishes the "Health Breach Notification Rule." Under this rule, vendors which handle personal health records are required to notify individuals when the vendor experiences a breach in the security of that data.