In the United States, healthcare and medical privacy laws seek to protect the patient’s privacy while providing flexibility for any uses of the data that could be beneficial, such as for medical research purposes. Central to the regulation of healthcare-related privacy is the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), as updated by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).1 Under HIPAA, the US Department of Health and Human Services has promulgated both a Privacy Rule2 and a Security Rule.3
The HIPAA Privacy Rule governs the handling of protected health information (PHI) by covered entities, typically healthcare providers and insurers, and their service providers, referred to as business associates. These definitions are crucial, as health information in the hands of a covered entity or business associate is regulated as PHI under HIPAA, and is therefore subject to various limitations on its use and disclosure, but that same information may not be subject to HIPAA when used by another entity that does not fall within HIPAA’s scope.4
The HIPAA Security Rule applies to both covered entities and business associates, but protects only ePHI, which is defined as PHI that is created, received, maintained, or transmitted in electronic form. Therefore, the Security Rule does not apply to PHI transmitted orally or in writing.5
HIPAA is not the only law governing health-related information in the US. For example, if the entity handling the healthcare information is not a covered entity subject to HIPAA, it would still be subject to the FTC’s interpretations of Section 5 of the FTC Act in the context of healthcare and medical information.6 Likewise, states have their own versions of HIPAA that typically consist of HIPAA-like requirements, and three states—Illinois, Texas, and Washington—have biometric data laws that regulate the collection, storage, and use of biometric identifiers, such as retina scans, facial scans, and fingerprints.7
1 42 USC § 13400 et seq.
2 45 CFR §§ 160, 164(A), 164(E).
3 Id. §§ 160, 164(A), 164(C).
4 Dep’t of Health & Human Servs., Summary of the HIPAA Privacy Rule, available here (last visited Feb. 22, 2019).
6 FTC, Sharing Consumer Health Information? Look to HIPAA and the FTC Act (Oct. 2016), available here.
7 740 Ill. Comp. Stat. 14/1 et seq.; Tex. Bus. & Com. § 503.001; Wash. Rev. Code § 19.375.