Health Data Privacy: Understanding the Rules and Regulations


Health data privacy refers to the laws, regulations, and protocols that help patients control who sees their sensitive medical information. Health data privacy also involves the processes and procedures to keep this information out of the hands of hackers and cybercriminals.

Health care data breaches are all too common. More than 90% of health care organizations lose data due to breaches, according to Becker’s Hospital Review.

Patient data breaches expose millions of individual records. Hospital systems and health insurance providers are frequent targets.

What can be done? Federal rules and regulations set guidelines for health organizations to keep confidential records secure. Consumers, health information technology (IT) professionals, and health informatics specialists alike benefit from understanding the rules and regulations surrounding health data privacy.

Rules and Regulations of Health Data Privacy

Health IT and health informatics practices are governed by core principles, including a major patient privacy law, the Health Insurance Portability and Accountability Act (HIPAA); laws that specifically govern electronic health records (EHRs); and regulations pertaining to telehealth and other technology.


HIPAA, passed in 1996, created a set of nationwide standards to ensure that patients’ sensitive health information remains confidential and is never disclosed without their clear authorization.

The HIPAA Privacy Rule gives patients control over how their personal health records are used. The Privacy Rule’s goal is to ensure that patients have a say in who gets to view their personal health records, while also allowing for those records to be used efficiently during the diagnostic or treatment processes. For example, patients can give express permission for their primary care doctor and any necessary specialists to view their records, but no one else.

The HIPAA Security Rule requires health organizations to anticipate any potential cyberthreats or data breaches and to do their due diligence in keeping patient records safe and secure. The Security Rule governs patient information that’s transmitted electronically, but not orally or in writing.

Regulations for Electronic Health Records

HIPAA rules directly affect EHRs. For example, HIPAA allows patients to set limits on the use and release of their EHRs. It penalizes medical organizations that fail to uphold basic privacy guidelines.

Related legislation is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The act offers financial incentives to health organizations that adopt EHR systems and maintain rigorous privacy and security measures, including those that align with HIPAA.

Telehealth and Other Technology

The HIPAA Privacy Rule has significant telehealth implications. Essentially, providers must obtain express patient consent for any treatment received, as well as for any records transmitted. A provider may not “cut and paste” authorization from one form or application onto another.

During the COVID-19 pandemic, the U.S. Department of Health and Human Services relaxed some telehealth stipulations, including communication between doctors and patients via phone or videoconference, but only in “good faith” instances of telehealth diagnosis and treatment.

Health Informatics and Health Care Data Privacy

Health informatics professionals play a significant role in mitigating the risk of data breaches.


Health informatics and health IT departments can consider the strategies described in the following sections for securing health data privacy.

Strategic Spending

An important step in allocating budgetary resources is to ensure sufficient support for advanced, up-to-date cybersecurity protocols.

Auditing Risk

Health informatics specialists can play a vital role in conducting organizationwide audits, analyzing the health IT ecosystem for potential vulnerabilities.

Separating Patient Information

Another approach is to create dual networks in the same organization, one that’s strictly for patient files and another that’s for public/common use.

Securely Destroying Information

Health organizations can also partner with secure document shredding services to dispose of records that are no longer needed.

Protecting Key Systems

To ensure health data privacy, the right technology is key. Specifically, health informatics departments must have up-to-date cybersecurity programs that guard any patient-facing portals where information is input. This includes websites as well as mobile apps. Additionally, cybersecurity precautions are paramount for any internal systems or databases where patient medical records or financial data is stored.

The Role of Training

Another critical aspect of maintaining health data privacy is training employees on how to steer clear of potential cybercriminal activity. In any organization, 90% of data breaches are due to employee error, according to a TechRadar report.

Specifically, health IT teams can offer ongoing employee training on how to:

  • Create strong, secure passwords
  • Identify and avoid phishing scams
  • Keep personal devices secured

Staying Current with New Regulations

A key focus for health IT and health informatics professionals is staying current on new regulations that pertain to health data privacy. Not only is this important for ensuring legal compliance, but it also clarifies the consensus strategies for protecting sensitive information. Staying current is ultimately in the best interests of patients as well as the organization itself.

Why Health Data Privacy Matters

Safeguarding health data privacy, while a potentially significant undertaking, is also highly consequential, with important implications for organizations and patients.

Types of Data

A key reason to secure health data is that many personal medical records contain highly sensitive information that patients don’t want to be exposed. Some types of data stored include the following:

  • Full patient medical histories
  • Information about any ongoing or chronic conditions
  • Payment data, including credit card or bank draft numbers
  • Personally identifiable information, such as Social Security numbers

Uses of Data

Health data privacy is important not only because of patient confidentiality but also because this data may be used in wide-ranging applications. For example, health informatics professionals may analyze patient data for use in clinical testing, community health projections, and other ongoing research programs. Such important work requires that data not be compromised.

Consequences of Data Loss

Health organizations care about safeguarding patient data with good reason. In addition to legal and compliance issues, as well as a general interest in the well-being of patients, organizations can experience significant financial losses due to breached data. Data losses not only often result in lawsuits but also erode consumer trust.

Simply put, patients are less likely to trust a health organization with a known history of data loss. According to a HIT Consultant report, nearly half of all patients said they’d consider switching health providers in the event of a data breach.

Health Data Privacy: A Top Priority in Health Informatics

For health informatics professionals, patient data provides an invaluable resource for improving operational and clinical efficiencies. Along with this sensitive information, however, comes a significant responsibility to take the necessary steps toward data security.