The Law and Medical Privacy

Many laws regulate the privacy of medical information. Although they offer some protection, on the whole they operate more for the benefit of ensuring the flow of information throughout the health care industry than ensuring the privacy of individuals.

Also, these laws usually only apply to personal medical information in the hands of specific types of entities, like your doctor or other health care entity. Thus, for instance, information you give to a social network or search engine, a chat room or website discussion about a disease, is often not protected by existing medical privacy laws.

The Health Insurance Portability and Accountability Act (HIPAA) is the baseline set of federal regulations governing medical information. It does three things:

  • Creates a structure for how personal health information may be disclosed and establishes the rights individuals have concerning their health information.
  • Sets out security standards for maintaining and transmitting electronic patient information.
  • Requires a common format and data structure for the electronic exchange of health information.

HIPAA only regulates the health industry, and thus only applies to what the law considers "covered entities" and their "business associates." The categories of covered entity are: health care provider, health plan (health insurer or HMO), and health care clearinghouse. A business associate (BA) handles protected health information (PHI) on behalf of a covered entity. If you disclose your medical information to anyone else, HIPAA will not apply.

In addition, there are numerous exceptions for disclosure of medical information without your consent, which can also mean without your knowledge.

  • The requirement for written consent to disclose mental health and substance abuse treatment information applies only at federally funded facilities, not at private ones.
  • Personal medical information is disclosed without consent for many permitted and mandatory public health reporting purposes, like disease monitoring and in cases of child and elder abuse and domestic violence.
  • Health information may be disclosed in judicial and administrative proceedings by subpoena or as part of a discovery process in litigation.
  • There are exceptions for law enforcement, for health information requested by subpoena or court order, or as part of an investigation or reporting of a crime.
  • Disclosures are permitted for specialized government functions, including national security and intelligence operations.
  • Health information may be disclosed to an employer who pays for employees’ health coverage, but it must be strictly segregated from all other employee records.
  • Personal health information can’t be sold without your consent, subject to exceptions involving public health, research, or as part of the sale, transfer, merger or consolidation of the covered entity that has the data.
  • Inmates’ non-prison health information may be disclosed to a prison where they are incarcerated.
  • Personal health information may be disclosed if you apply for a public benefit.
  • Health information may be disclosed in the process of applying for worker’s compensation.

The portion of HIPAA that deals with information privacy is called the Privacy Rule. It authorizes broad, unconsented disclosures of personal health data for treatment, payment, and routine health care operations, while requiring written consent for information considered sensitive, like outpatient psychotherapy notes. Your consent is also necessary for your health information to be used for any kind of marketing other than prescription drug reminders.

You do have some rights under HIPAA. You have the right to be notified what your rights are concerning your own medical information. You also have the right to access and receive copies of your records, request corrections, and be notified of data breaches. Information about treatments that you pay for out of pocket may not be disclosed to insurers. Currently you can only learn to whom your health information has been disclosed for purposes other than treatment, payment, and health care operations.

Federal regulations that are stricter than HIPAA—known as "Part 2" [pdf]—apply to the disclosure and use of alcohol and drug abuse patient records maintained in connection with the performance of any federally assisted alcohol and drug abuse program.

GINA (the Genetic Information Non-discrimination Act) prohibits genetic discrimination in health and life insurance and employment. However, GINA has some major loop-holes: it does not cover long-term care or auto insurance with health benefits, for example. HIPAA recently designated genetic information as PHI, so it now has the additional protections—and exceptions—that HIPAA offers. Learn more about genetic information privacy.

The Common Rule applies to federally funded research on human subjects; private research institutions may voluntarily agree to comply with federal standards. Among other things, the Common Rule sets out explicit standards for informed consent by research subjects, although an ethics board may waive these requirements. How far written consent by a research subject extends is muddled; the consent can be either for a specific project or broad enough to include a range of future research projects, as long as the subject is “adequately” informed about such future research.

California-Specific Laws

California’s medical privacy laws, primarily the Confidentiality of Medical Information Act (CMIA), the data breach sections of the Civil Code, and sections of the Health and Safety Code, provide HIPAA-like protections although the terminology is different. HIPAA creates a federal "floor" and applies where there is a gap in California law. HIPAA also expressly provides that more stringent state laws will override or trump HIPAA.

California law is stronger in requiring authorization for disclosure of data about STDs (although positive AIDS tests must be reported), substance abuse treatment, and outpatient psychotherapy notes.

California’s medical privacy laws apply to vendors of an individual's personal health record (PHR), while HIPAA applies only if the vendor is a business associate of a covered entity.

Federal law grants no individual right to sue in the event of a data breach (only an attorney general may bring an action), but California law does.

This means that California law sets a higher standard for medical privacy, and individuals in California enjoy stronger legal protections and more ways to hold entities that violate their medical privacy accountable.

Other California laws that give some additional protection to medical information:

  • The Insurance Information and Privacy Protection Act (IPPA) prohibits unauthorized disclosure of personal information, including medical records, collected in connection with insurance applications and claims resolution. Insurers must give you a notice of privacy practices that tells you with whom your information may be shared and your rights to restrict sharing.
  • The Information Practices Act (IPA) applies to state agencies. It limits their collection, maintenance, and distribution of personal information, which includes medical information. It also gives individuals the right to review personal information held in state agency records, to find out who has accessed it, and to request changes to inaccurate or irrelevant information. 
  • The Online Privacy Protection Act applies to websites that collect personally identifiable information of any kind, including medical information. "Protection" is a misnomer here, since the act's primary requirement is that the websites "conspicuously" post a privacy policy that notifies users what data the site collects and with whom it shares data. Read more.

For more on federal and California laws concerning the privacy of medical information see the CalOHII (California Office of Health Information Integrity) overview regarding State and Federal Health Laws Relating to Records, Privacy, Security and Patient Right to Access.

Because the regulations that cover health information are directed more at who handles the data (covered entities) than at the data itself, medical data that lands outside the walls of HIPAA and other related laws generally has no specific medical privacy protections.

A great deal of exposure comes from individuals’ online activities. This can include information you make public yourself through chat or participation in affinity groups based on diseases or medical conditions, or through social media. This is an increasingly serious issue as technology makes it easier for individuals to share and store medical information.

Many health and fitness applications (mobile and online) also collect medical or medical-like data and facilitate and encourage sharing it.

There is also constant, infinitesimally calibrated behavioral targeting that may, without your knowledge, connect de-identified click data with identifiable medical information.

The end result? A patchwork of laws that too often leave sensitive medical information unprotected.

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

Privacy is a human right: Data retention violates that right | @AmerQuarterly https://eff.org/r.irnm

Aug 29 @ 11:12am

Court buys government's shell game blocking Klayman case plaintiffs from challenging NSA spying: https://eff.org/r.8hi0

Aug 29 @ 9:25am

How China is strong-arming coders to abandon their open source projects: https://eff.org/r.wso1

Aug 28 @ 4:20pm
JavaScript license information