LGPD in Healthcare - 2021 Ed.

2. PHI Protection Under HIPAA: An Overall Analysis - Part I - Contextualizing Health Data Protection: International and Legislative Perspective


Bonnie Kaplan

with appendix by Artur Pericles Lima Monteiro


As Brazil, with its new General Data Protection Law (LGPD), joins the nations with overarching data privacy protection, it is helpful to consider what may be learned from other countries’ experiences and approaches. The new law is based on the Fair Information Practice Principles (FIPs) that form the foundation for privacy laws and related policies in many countries, including the European Union’s General Data Protection Regulation (GDPR) and legislation in the United States (United States Government Department of Health and Human Services Office of the National Coordinator for Health Information Technology, 2008, p. 3; Koontz, 2013). The FIPs are meant to maintain the same level of privacy when using information technology as when not (Caine and Hanania, 2013). US data privacy law embodies many of the same principles as the GDPR and LGPD, but there are differences. Unlike Brazil or the EU, the US takes a sectoral approach to privacy and data protection. An individual’s health, financial, and educational records are all governed separately, as are specific other kinds of data, such as data pertaining to video rentals or genetics.

This chapter discusses the predominant national regulatory privacy protections for health data in the US. It focuses primarily on the Health Insurance Portability and Accountability Act (HIPAA), the best-known federal health data privacy legislation, and on those aspects related to privacy rather than to security. It includes a summary of HIPAA and other federal regulations, what they cover, and what they do not. In addition to how the Department of Health and Human Services administers HIPAA, the chapter also provides a brief overview of the responsibilities of other federal regulatory agencies with regard to health data. It then discusses gaps and limitations in health data privacy policy.

It is harder to detect and document HIPAA’s benefits than its shortcomings and the harms they can generate. HIPAA undoubtedly has affected health data privacy for the better, even if it is difficult to describe just how. HIPAA’s limitations, on the other hand, have been widely discussed. This, in itself, has been a benefit; identifying shortcomings can lead to improvement. As new data and privacy protections are considered, what has been learned from HIPAA can inform regulatory initiatives, as well as other approaches that may fill the gaps that characterize any regulation. Therefore, the chapter includes an Appendix that compares some of the most important provisions of the HIPAA framework and the LGPD as a starting point for considering what can be learned from HIPAA.

This chapter joins other scholarship and commentary in pointing out inadequacies in US health data privacy and in hoping for better approaches that maintain privacy and security for all data while making data available for the public good and for improving life.

1.1. US Health Data Regulation

The US federal government has no omnibus data regulation. Instead, there is a patchwork of law and regulation, so that data protection depends on the kind of data and on how and where it is collected. Sector-specific laws cover areas such as financial, school, and healthcare records. In addition, different governmental units and jurisdictions regulate different aspects of health data collection, use, and privacy. Each state has its own laws and regulations, as do the federal governmental agencies responsible for healthcare for the military, the Indian Health Service, and the Department of Veterans Affairs. Different categories of health-related data are protected differently. Some kinds of data are especially protected, including data pertaining to children, genetics, and mental illness. Other data are subject to disclosure requirements for public health purposes, such as data pertaining to sexually transmitted diseases, gunshot wounds, and dog bites. Data obtained through medical research and data from clinical care are governed differently, even though there may be no clear division between the research and clinical aspects of treating a patient.

These distinctions can overlap in the environment enabled by health information technology (Goldstein, 2010). Moreover, personal health records, mobile health devices and smartphone applications (apps), social media postings and Internet health-related services, implantables, ingestibles, and wearables such as watches that monitor vital signs, all include health-related data and may feed data into health records. All these technologies further contribute to blurring distinctions between what is regulated as health data and what is not. Because data from these many sources can be used as health data, so that all data can be health data, data may become available outside of a patient’s or clinician’s expectations, yet not be protected by HIPAA (Kaplan, 2020). Big Data, the Internet of Things (IoT), social media, and on-line searches have further changed what counts as health data (Zarsky, 2018; Tschider, 2019) though data generated through these technologies fall outside HIPAA’s protection.

These complications make it so that “health information privacy is incredibly complex and challenging [emphasis in original]” (Koontz, 2013, p. xi). It is therefore no wonder that privacy has been an issue for some time. Surveys show a high level of public concern about health data privacy and little trust that doctors, hospitals, health plans, or insurers will keep data safe, whether or not they use electronic health records (Ancker et al., 2013; Donovan, 2018). People trust on-line search and social media platforms even less (Minemyer, 2019). This skepticism persists despite the multiple laws that govern health data privacy in the United States.

1.2. Historical Background

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. According to the Department of Health and Human Services (HHS), whose Office for Civil Rights (OCR) enforces the HIPAA privacy regulations, the law was meant to protect individuals’ health information while providing for the sharing of that information to ensure quality care (United States Government Department of Health and Human Services Office for Civil Rights, 2013b). HIPAA set standards that, for the first time, were intended to protect health information. It specified who is covered, what information is protected, and how protected health information can be used and disclosed (United States Government Department of Health and Human Services Office for Civil Rights, 2015d).

Although …

20 May 2022
Available at: https://thomsonreuters.jusbrasil.com.br/doutrina/secao/1250396545/2-phi-protection-under-hipaa-an-overall-analysis-parte-i-contextualizacao-da-protecao-de-dados-de-saude-perspectiva-internacional-e-legislativa-lgpd-na-saude-ed-2021