Health data is among the most intimate data a natural person has. Classified as sensitive data under the EU's GDPR, it is also the subject of a dedicated piece of US federal legislation: HIPAA.

The Health Insurance Portability and Accountability Act, or HIPAA for short, is a federal statute meant to safeguard the Protected Health Information of private individuals. Signed into law on August 21, 1996, it has since been supplemented by further legislation, notably the HITECH Act of 2009.


I. What does HIPAA apply to?

HIPAA creates the notion of Protected Health Information, which it protects by imposing obligations on Covered Entities and their Business Associates.

– Protected Health Information, or PHI, is health-related information that is, or can be, linked to a specific individual. The identifier can be direct, such as a name, but also as indirect as a full-face photograph, an IP address, or the date of a medical visit.

– A Covered Entity is, broadly, any health care provider, health plan, or health care clearinghouse that handles PHI. A Business Associate is “a person or entity that performs certain functions that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity” (1). Business associates are roughly comparable to data processors under the GDPR.


II. What are the obligations created by HIPAA?

HIPAA consists of three main sets of rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

The Privacy Rule is arguably HIPAA's main component. It creates a privacy framework for PHI, regulating how, why, and by whom it may be used and disclosed. It additionally lays down a “minimum necessary” principle for uses and disclosures, grants a number of rights to the individuals concerned, and imposes administrative requirements on covered entities to make these rules enforceable.

The Security Rule is meant to make the protections of the Privacy Rule effective for electronic PHI (e-PHI). To comply with it, a covered entity must first conduct a risk analysis and then “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” (2). Covered entities must therefore put in place administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of e-PHI. In doing so, each covered entity weighs its size and capabilities, its technical infrastructure, the likelihood and potential impact of a breach of e-PHI, and the cost of the security measures; the Rule sets an outcome (a reasonable and appropriate level of risk) rather than prescribing specific controls.

The Breach Notification Rule has two parts. First, it defines when an impermissible use or disclosure of PHI becomes a Breach that must be notified: such an incident is presumed to be a breach unless the entity can demonstrate a low probability that the PHI has been compromised. Second, it sets the timing, thresholds, and channels of notification: to the affected individuals, to the Secretary of Health and Human Services, and, for breaches affecting more than 500 residents of a state, to the media.


Conclusion: A strong and protective corpus for health data

Taken together, these requirements form a fairly solid data protection corpus, albeit one limited to health data. This sectoral approach has long been the one pursued in the US, in stark contrast with the GDPR's general scope. While this divergence makes any global comparison difficult, a sector-by-sector comparison of EU and US data protection would likely prove most interesting.

(1) 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)

(2) 45 CFR 164.308(a)(1)(ii)(B)

About Martin Deloy