Privacy laws and policy guidance
Federal and state data privacy laws require providers to protect patient health information.
Legal requirements to protect patient privacy
As with in-person visits, telehealth appointments, messages, and related health and billing information are protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA requires covered health care providers to use telehealth platforms that ensure secure communications and data storage. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing HIPAA.
Some states have enacted data privacy protection laws that apply to entities not subject to HIPAA, such as in the case of third-party vendors who are not covered entities (health plans, health care clearinghouses, and most health care providers) or business associates. Also, some states are increasingly enacting or expanding digital health privacy laws to support greater patient control over their health data.
State approaches vary, but they share common themes. State laws typically:
- Enhance transparency regarding how patient data is being collected, transmitted, and stored.
- Restrict patient health information use in the commercial marketplace where it may be sold without patients’ consent.
- Increase patients’ rights over their data.
Did you know?
42 CFR part 2 (“Part 2”) protects patient confidentiality relating to substance use disorder (SUD) treatment records. Part 2 providers may disclose Part 2 records only based on patients’ written consent, which may include a single consent for all future uses and disclosures for treatment, payment, and health care operations until revoked. See Substance Use Confidentiality Regulations and Telehealth for the Treatment of Serious Mental Illness and Substance Use Disorders.
Policy guidance for patient privacy regulations
OCR and the Federal Trade Commission (FTC) play important roles in issuing guidance, rules, and enforcement actions that aim to protect patient privacy and ensure the secure handling of health data.
Some key guidance from OCR on patient privacy includes:
- Requiring providers to implement reasonable safeguards to protect patient health data, including access controls and audit controls.
- Emphasizing the minimum necessary standard, which limits the use and disclosure of patient health data to only what is necessary for the intended purpose.
The FTC is responsible for enforcing consumer protection laws, including those related to health privacy and data security. Key guidance from the FTC on patient privacy includes:
- Requiring health care providers and organizations to follow reasonable data security practices to protect consumer health information.
- Enforcing the Health Breach Notification Rule, which requires that patients be notified if there is a breach of their personal health records.
More information
Guidance on HIPAA and audio-only telehealth — Office for Civil Rights
HIPAA and telehealth — Office for Civil Rights
HIPAA guidance materials — Office for Civil Rights
Health information privacy law and policy — Office of the National Coordinator for Health Information Technology
Privacy and liability issues — National Consortium of Telehealth Resource Centers