A. United States
Many Americans are concerned about health privacy, particularly as more
data becomes available electronically.114 In the United States, the security
and privacy of health data are governed mainly by two federal laws. First, the
Health Insurance Portability and Accountability Act (HIPAA)115 provides the
foundation for health privacy in the United States.116 Under HIPAA, the
Department of Health and Human Services (HHS) promulgated two major rules
on the privacy and security of health data: the Privacy Rule regulates when
“covered entities”117 and “business associates”118 may use and disclose
“protected health information” (PHI),119 and the Security Rule regulates how
covered entities must safeguard PHI that they create, receive, maintain, or
transmit in electronic form.120 Covered entities include health plans,
healthcare clearinghouses, and healthcare providers that transmit health
information in electronic form in connection with a standard transaction.121
HIPAA also applies to a covered entity’s business associates: individuals or
organizations that perform certain functions or activities on the covered
entity’s behalf that require the use or disclosure of PHI.122 PHI can include
names, medical record numbers, social security numbers, and medical record
information.123
Under the Privacy Rule, covered entities may use and disclose PHI without
an authorization for uses such as “treatment, payment, or health care
114. See, e.g., Schick, supra note 111, at 178.
115. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No.
104–191, 110 Stat. 1936 (1996).
116. For a greater discussion of state privacy laws, see Drabiak-Syed, supra note 40, at
47 and following (“States vary with regard to how they define terms such as medical record
or medical information, to whom this information can be disclosed, for what purposes, what
an individual’s consent to disclose this information must contain, and the nature of exceptions
for disclosure without consent.”); Sane & Edelstein, supra note 99, at 4, 8 (“In the United
States public health laws regarding data sharing vary from state to state, and in some instances,
while the law provided opportunities for data sharing, these were restricted by health
department policies that had not been updated to reflect new legislation.”); see also Janlori
Goldman, THE STATE OF HEALTH PRIVACY (2d ed. 2002), https://www.cdt.org/files/
117. 45 C.F.R. § 164.104 (2013).
118. 45 C.F.R. § 160.103 (2014).
120. 45 C.F.R. § 164.306 (2013).
121. 45 C.F.R. § 164.104; Are you a covered entity?, CTRS. FOR MEDICARE & MEDICAID
SERVS. (Jun. 21, 2016, 6:31 PM), https://www.cms.gov/Regulations-and-Guidance/Admin
122. Summary of the HIPAA Privacy Rule, U.S. DEP’T HEALTH & HUMAN SERVS.,
http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html (last visited
Nov. 20, 2016) [hereinafter HIPAA Privacy Rule]; see also Business Associates, U.S. DEP’T
HEALTH & HUMAN SERVS., http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/
(last visited Oct. 16, 2016).
123. HIPAA Privacy Rule, supra note 122.