What guidance does HIPAA offer to providers considering familial risk notification and cascade genetic testing?

Background It is unclear how the Health Insurance Portability and Accountability Act (HIPAA) should be interpreted in the context of sharing of genomic information between family members. Methods The authors analyzed the HIPAA Privacy Rule, reviewed the literature and constructed a clinical scenario to inform how HIPAA can be interpreted for multiple forms of patient- and provider-mediated genetic risk notification. Results Under HIPAA, healthcare providers can lawfully notify relatives to recommend genetic risk assessment using multiple approaches, including supporting the patient telling their own relatives, contacting relatives directly with the patient’s authorization, or contacting a relative’s provider directly. Conclusions Multiple forms of patient- or provider-mediated contact of relatives are already legally permissible under HIPAA, are consistent with ethical obligations of care to patients and their families, and could result in improved population health through identification of clinically actionable disease risk. Unanswered questions remain about implementation and impacts of provider-mediated programs.

Changes in the office for civil rights enforcement policy on telehealth remote communications in response to COVID-19

The novel coronavirus, the cause of COVID-19, has sent shockwaves throughout the world, shuttered many businesses essentially overnight, and has left billions living worldwide in quarantine. Not surprisingly, the health care industry has been significantly affected by the COVID-19 pandemic. This article focuses on how COVID-19 has influenced the Office for Civil Rights’ (OCR’s) enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as they relate to telehealth remote communications, and opines about whether the COVID-19-related changes to HIPAA Privacy Rule and Security Rule enforcement might last beyond the current crisis.

The Perils of Parity: Should Citizen Science and Traditional Research Follow the Same Ethical and Privacy Principles?

The individual right of access to one’s own data is a crucial privacy protection long recognized in U.S. federal privacy laws. Mobile health devices and research software used in citizen science often fall outside the HIPAA Privacy Rule, leaving participants without HIPAA’s right of access to one’s own data. Absent state laws requiring access, the law of contract, as reflected in end-user agreements and terms of service, governs individuals’ ability to find out how much data is being stored and how it might be shared with third parties. Efforts to address this problem by establishing norms of individual access to data from mobile health research unfortunately can run afoul of the FDA’s investigational device exemption requirements.

HIPAA Breach Report for October 2017

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule uses Protected Health Information (PHI) to define the type of patient information that’s protected by law.1 PHI is an important factor for HIPAA compliance. PHI isn’t confined to medical records and test results. Any information distributed by a business associate that can identify a patient and is used or disclosed to a covered entity during the course of care is considered PHI. Even if that information doesn’t reveal a patient’s medical history, it is still considered PHI.

Biobanking Research and Privacy Laws in the United States

Privacy is protected in biobank-based research in the US primarily by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the Federal Policy for Protection of Human Subjects (Common Rule). Neither rule, however, was created to function in the unique context of biobank research, and therefore neither applies to all biobank-based research. Not only is it challenging to determine when the HIPAA Privacy Rule or the Common Rule apply, but these laws apply different standards to protect privacy. In addition, many other federal and state laws may be applicable to a particular biobank, researcher, or project. US law also does not directly address international sharing of data or specimens outside of the EU–US Safe Harbor Agreement, which only applies to receipt of data by certain US entities from EU countries, and is in the process of revision. Although new rules would help clarify privacy protections in biobanking, any implemented changes should be studied to determine the sufficiency of the protections as well as its ability to facilitate or hinder international collaborations.

The End of the HIPAA Privacy Rule?

The HIPAA Privacy Rule is notoriously weak because of its incomplete coverage, numerous exclusions and exemptions, and limited rights for individuals. The three areas in which it provides the most protection are fundraising, marketing, and research. Provisions of the 21st Century Cures Act, pending in Congress, and the Notice of Proposed Rulemaking to amend the federal research regulations (Common Rule), awaiting final regulatory action, would weaken the privacy protections for research. If these measures are adopted, the HIPAA Privacy Rule would have so little value that it might not be worth the aggravation and burden.