Protecting Privacy Outside of HIPAA

Dec 20, 2012 | Labs Blog

HIPAA privacy protections, whatever their adequacy, apply only to a set of “covered entities,” largely within the realm of health care treatment and payment for it.  The vast realms of public health data, health information entered into individually-maintained personal health records, health information shared in social networking sites or web searches, to take some of the more important examples, are outside of the protections of HIPAA, although in some cases they are at least protected by the Federal Trade Commission’s prohibition of unfair or deceptive trade practices. 

The National Committee on Vital and Health Statistics (on which I should disclose that I serve) is the federal advisory committee to the Secretary of HHS on health data.  NCVHS has directed considerable efforts to developing privacy protections for health information outside of the scope of HIPAA.  For example, NCVHS issued a letter on protecting the privacy and security of information in personal health records in 2009.

Over the last year, NCVHS has been studying the ways that health information may be used to promote community health.  While these initiatives are admirable and present important opportunities for improvement, they also pose risks to individuals and communities if data are misused.  NCVHS has just issued its initial recommendations with respect to data stewardship when health information is used to promote community health.  The recommendations are in the form of a letter to the Secretary of HHS, outlining a stewardship framework for community health data uses.  This letter is a critical first step in understanding the importance of shared data protection practices, including communication with communities, specification of the purposes of data use, and attention to risks posed by integration of data sets.  NCVHS is planning much further work in the area, and I would welcome readers’ thoughts about the letter.

Reprinted with permission from HealthLawProf Blog