WASHINGTON, February 21. America's Health Insurance Plans (AHIP) published the following:

* * *

AHIP Chief Medical Officers: “Roadmap for Protecting the Privacy, Confidentiality, and Cybersecurity of Americans’ Health Information and Data”

Everyone should feel safe knowing that their personal health information is confidential and protected.

AHIP’s Chief Medical Officers Leadership Team joins the AHIP Board of Directors in its shared commitment to key guiding priorities to protect patient and consumer privacy, confidentiality and cybersecurity.
We are fully committed to championing standards and policies that improve health data governance, protect patient privacy and promote trust, and that improve consumer access to their data and promote interoperability, health equity and fair practices for the people we serve.

Health insurance providers have been leaders in developing privacy, confidentiality, and cybersecurity practices to protect health information. And we are committed to not only keeping pace with new trends, developments and solutions, but also leading them.

These supporting priorities outline our current policy positions and how new legislation should evolve in an age of technology and healthcare innovation.

The Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act and related regulations should remain the primary legal framework for protecting health information.

Building on these requirements, we support government policies that advance the following positions:

* HIPAA or similar requirements should be extended to entities that collect, use, disclose, or store individuals’ health information but are not currently subject to the stringent privacy or security parameters required of our industry.

– Confidentiality requirements should be designed and applied to all entities that retain health and health-related information so as to allow appropriate communication and sharing of information without diminishing privacy protections.

– Consumer notices must be transparent, easily accessible and easy to understand.

– Regulators should consider new strategies to ensure that consumers review and accept the terms and conditions governing the use of their health information.

– Small businesses should be considered for some relief from interoperability requirements to ease entry into the industry without exorbitant start-up costs.

– Additional specifications should be publicly approved prior to regulatory adoption to ensure they meet basic consumer privacy and security requirements and expectations.

* Individuals must have access to their health data and be able to easily know how their health information may be shared.

– Consumers should be informed in a clear, concise and easy to understand manner of how to access their personal health information and how it might be used and disclosed.

– Health insurance providers should seek new solutions to give consumers more options on how their information is shared.

– Policies should support the ultimate goal of requesting specific permission from individuals for the use of particularly sensitive data (e.g. DNA) and giving them the ability to delete information where possible and safe. For example, legislators and regulators should evaluate and modify existing record retention requirements to make it easier to delete data at a consumer’s request.

However, clinicians and other healthcare entities should be protected if they must rely on incomplete or unavailable data in these situations.

* Privacy requirements governing private entities should support digital platforms and telehealth in a way that promotes the privacy and security of the information exchanged.

– Privacy requirements must be responsive and evolve to better support digital solutions, address data collection, security and storage requirements, and mitigate the cybersecurity risks associated with transmitting information in real time.

– Consumer protection requirements that limit communication channels for health-related communications should be updated.

– Government policies should support efforts by entities to develop consistent and secure mechanisms to share information with other entities and consumers in order to scale digital solutions, while avoiding delays or cybersecurity risks.

* Confidentiality requirements should evolve to better meet public health requirements.

– Privacy requirements, coupled with increased communication and coordination between entities, should enable data sharing and automated solutions to support public health authorities.

* The commercial sale of identifiable health information should be prohibited without the consent of the individual.

– Identifiable data cannot be sold under HIPAA. Digital tools not subject to HIPAA must be subject to similar privacy laws ensuring that a consumer’s identifiable data cannot be sold without the consumer’s knowledge beyond the initial terms and conditions of the “click zone”.

* The United States should adopt a national approach to the privacy and security of health information.

– A federal standard can help overcome and pre-empt a varied patchwork of state laws in favor of a more cohesive approach. In the meantime, coordination between the states and the federal government should continue to be a goal.

– States should be consulted on how to work with their federal and private sector partners.

– Coordination between states will promote consistent definitions of health information and consistent enforcement of confidentiality requirements.

– We support federal initiatives to promote a national patient identifier where the use of a patient identifier is necessary and possible.

* The costs of laws and regulations should be analyzed along with any resulting benefits before new or changed policies or administrative, technical and physical controls are implemented.

– Such analysis will help ensure that new policies and controls are proportionate to consumer needs and balance risks and benefits.

* Government policies must recognize that as an industry, health insurance providers have continued to invest in and adhere to strong cybersecurity practices and policies.

– Information sharing between public and private entities about threats, attacks and mitigation strategies should be allowed and encouraged.

– Dialogue between industry partners should be encouraged to develop and promote industry best practices for protecting information.

– Government policies must recognize that the increased use and evolution of digital solutions, virtual healthcare, cloud storage and information systems require investments in cybersecurity to promote secure environments capable of responding to consumer needs and supporting communication between entities.

* Consumer data such as race, ethnicity, religion, sexual orientation, gender identity and disability status should be used to reduce disparities and improve outcomes.

– The data should not be used to discriminate or have negative effects on any person or community. Data should be used where necessary to create equity.

– Standards bodies should work with public and private entities to determine the best way to collect data. Organizations should strive to collect as little data as necessary to achieve the intended goal. Any mandate for data collection should only come after the standards are comprehensive and clearly defined, including the means by which each entity with access to the data should take steps to protect the privacy of that data.

– Government entities must permit the use of demographic information to support an individual’s health, public health initiatives, and other HIPAA-compliant purposes – but only in accordance with these principles. Non-health-related data (e.g., location, shopping preferences) should be protected in the same way as identifiable health information when it is used in conjunction with or linked to identifiable data.