Health Privacy


Sensitive health data is now collected and used ubiquitously and protections must be put in place to address these new risks.


Since the creation of the Hippocratic Oath around 400 B.C., protecting the privacy of patients has been a key component of the physicians’ code of conduct. However, over time, health information use has expanded into many organizations and individuals who are not subject to medical ethics codes, including employers, insurers, government program administrators, attorneys, and others. Additionally, advancements in technology have given rise to fitness trackers, wearable devices, extended reality technology, and other new gadgets that collect, process, and make inferences relating to health information. There are few settled rules regarding the sharing and use of health data collected and used for these purposes. 

As the use of health data has spread across more industries and technologies, regulatory protections for this highly sensitive and deeply personal information have grown fragmented and complex. For example, there are some protections that apply only to information held by government agencies, and others that apply to specific groups, such as school children. Some protections also apply to specific medical conditions or types of information, such as information related to HIV/AIDS or substance abuse treatment. 

The Health Insurance Portability and Accountability Act (HIPAA)

The first comprehensive set of federal regulations regarding health information, the Health Insurance Portability and Accountability Act (HIPAA), came into effect in April 2003. HIPAA includes portions dedicated specifically to the privacy and security of health data. The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the “federal floor” of privacy protection for health information in the United States, while also allowing more protective state laws to continue in force. Under the Privacy Rule, protected health information (PHI) is defined very broadly. It includes individually identifiable health information relating to an individual’s past, present, or future physical or mental health or condition, the provision of health care to an individual, and the past, present, or future payment for the provision of health care to an individual. The rights of an individual related to their PHI include:

  • Right to access, inspect, and copy PHI held by hospitals, clinics, health plans, and other “covered entities,” with some exceptions
  • Right to request amendments to PHI held by “covered entities”
  • Right to request confidential communications of PHI, e.g., having PHI transmitted to a different address or a different telephone number
  • Right to request restrictions on uses or disclosures, although the “covered entity” receiving the request is not obligated to agree to the request

In addition to the Privacy Rule, the complementary Security Rule includes standards for the protection of health information from misuse. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 also introduced modifications to the HIPAA standards. For one, the HITECH Act created a breach notification program for unsecured electronic PHI. 

While these standards provide some protection for individuals, they are also limited in scope. HIPAA applies only to entities providing medical services, so many entities that use health information for other purposes are not covered. 

Privacy and the COVID-19 Pandemic

In response to the COVID-19 pandemic, governments and businesses have used a wide range of digital tools and techniques in an attempt to limit the spread of the virus, presenting an array of new privacy and safety challenges. From expanded systems of data collection to digital contact tracing and location tracking, there are many pandemic tracking techniques that could potentially undermine democratic values and erode privacy. Many of the online web portals and telehealth systems that have been used during the pandemic are also not covered under HIPAA, and transferring data to third parties that may not be HIPAA-compliant creates serious risks to privacy. 

Thus, it is essential for government agencies and private companies to implement standards to safeguard privacy. The World Health Organization has also recognized this and spoken out for data protection. In March 2020, Dr. Michael Ryan of the WHO stated that the organization was working to ensure that “all of the initiatives we’re involved with, while aiming to develop good public health information, in no way interfere with the individual rights to privacy and protections under the law.” Privacy and public health are complementary goals and privacy enhancing technologies can be deployed to both serve the public interest and also protect individual rights. 

In May 2020, Representatives Anna G. Eshoo (CA-18), Jan Schakowsky (IL-09), and Suzan DelBene (WA-01), and U.S. Senators Richard Blumenthal (D-CT) and Mark Warner (D-VA) introduced the Public Health Emergency Privacy Act. The bill would protect personal data collected in connection with COVID-19 from being used for non-public health purposes and would provide for both public and private enforcement.

It is crucial that governments, companies, and other entities collecting personal data ensure that the systems they use are necessary, effective, lawful, and protective of privacy. 

EPIC’S Work on Health Privacy

Through advocacy, oversight, and litigation, EPIC has been working to ensure that the public and private sector responses to COVID-19 safeguard the civil liberties of all people. In April 2020, EPIC filed a FOIA request for a memo outlining a nationwide COVID-19 surveillance system sought by then-White House senior advisor Jared Kushner. As Senator Ed Markey (D-MA) stated at the time, the administration is not “capable of creating or maintaining a massive health data network in a manner that doesn’t undermine our fundamental right to privacy.” EPIC also pursued other FOIA requests with the Department of Justice and the Office of Science and Technology Policy about efforts to track and monitor Americans during the pandemic. In addition to filing these records requests, EPIC submitted a statement to the U.S. House Committee on Energy and Commerce, emphasizing that “[i]t is essential that use of tracking technologies in response to the pandemic are carried out strictly in line with civil liberties and human rights.”

Outside of its work around the COVID-19 pandemic, EPIC has long advocated for strong privacy protections for health data. This includes working to restrict the collection of genetic material; EPIC has filed several amicus briefs challenging DNA collection practices. In Maryland v. King, EPIC filed a brief arguing that law enforcement’s warrantless collection of DNA was unconstitutional. In 2004, EPIC filed a brief in Maryland v. Raines, a precursor to Maryland v. King involving an incarcerated felon who was forced to submit to a DNA test. EPIC argued that the DNA Collection Act violated both the Fourth Amendment and Article 26 of the Maryland Declaration of Rights, Maryland’s state constitutional equivalent. 

In May 2021, EPIC submitted comments to the Health and Human Services Department, opposing proposed changes to the HIPAA Privacy Rule that would reduce restrictions on disclosing patients’ PHI. The proposed rule would expand the entities that can receive PHI without patient consent and weaken other protections, which EPIC argued would expose patients to greater risk of data breaches.
