Annals of Health Law - Vol. 26 Issue 1

A. United States

Many Americans are concerned about health privacy, particularly as more data becomes available electronically.114 In the United States, the security and privacy of health data is governed mainly by two federal laws. First, the Health Insurance Portability and Accountability Act (HIPAA)115 provides the foundation for health privacy in the United States.116 Under HIPAA, HHS promulgated two major rules on the privacy and security of health data: the Privacy Rule regulates when “covered entities”117 and “business associates”118 can disclose “personal health information” (PHI),119 and the Security Rule regulates how covered entities secure such data.120 Covered entities include health plans, healthcare clearinghouses, and healthcare providers that transmit health information in electronic form.121 HIPAA also applies to a covered entity’s business associates, individuals, or businesses that help the covered entity perform certain functions or activities that require the use or disclosure of PHI.122 PHI can include names, medical record numbers, social security numbers, and medical record information.123

Under the Privacy Rule, covered entities may use and disclose PHI without an authorization for uses such as “treatment, payment, or health care

114. See, e.g., Schick, supra note 111, at 178.

115. Health Insurance Portability and Accountability (HIPAA) Act, Pub. L. No. 104–191, 110 Stat. 1936 (1996).

116. For a greater discussion of state privacy laws, see Drabiak-Syed, supra note 40, at 47 and following (“States vary with regard to how they define terms such as medical record or medical information, to whom this information can be disclosed, for what purposes, what an individual’s consent to disclose this information must contain, and the nature of exceptions for disclosure without consent.”); Sane & Edelstein, supra note 99, at 4, 8 (“In the United States public health laws regarding data sharing vary from state to state, and in some instances, while the law provided opportunities for data sharing, these were restricted by health department policies that had not been updated to reflect new legislation.”); see also Janlori Goldman, THE STATE OF HEALTH PRIVACY (2d ed. 2002), https://www.cdt.org/files/ pdfs/The%20State%20of%20Health%20Privacy% 20(Volume%201).pdf.

117. 45 C.F.R. § 164.104 (2013).

118. 45 C.F.R. § 160.103 (2014).

119. Id.

120. 45 C.F.R. § 164.306 (2013).

121. 45 C.F.R. § 164.104; Are you a covered entity?, CTRS. FOR MEDICARE & MEDICAID SERVS. (Jun. 21, 2016, 6: 31 PM), https://www.cms.gov/Regulations-and-Guidance/Admin istrative-Simplification/HIPAA-ACA/ AreYouaCoveredEntity.html.

122. Summary of the HIPAA Privacy Rule, U.S. DEP’T HEALTH & HUMAN SERVS., http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html (last visited Nov. 20, 2016) [hereinafter HIPAA Privacy Rule]; see also Business Associates, U.S. DEP’T HEALTH & HUMAN SERVS., http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/bus iness-associates/ (last visited Oct. 16, 2016).