
When HIPAA is not Enough

By Brian Annulis, Gregory Kerr, Ryan Whitney

July 6, 2018

Domestic health care providers may be tempted to believe that compliance with HIPAA standards is enough to evidence a comprehensive health information privacy and security program. They may be mistaken. Health information privacy and security is not just about compliance with HIPAA. There are other federal, state and international rules and regulations that may apply, such that HIPAA compliance may not be enough.

The recent compliance date (May 25, 2018) for the European Union’s (EU’s) General Data Protection Regulation[i] (GDPR) has prompted renewed (and, in some cases, new) attention to personal information privacy and security by data processors and controllers, including domestic health care providers and suppliers. Whether or not the GDPR applies to US-based health care providers (see below), the GDPR compliance date is a worthwhile reminder to domestic health care providers that a comprehensive health care data privacy and security program requires more than consideration of and adherence to the data privacy and security standards set forth in the Health Insurance Portability and Accountability Act of 1996[ii] (HIPAA) and its implementing regulations.[iii] Other federal, state, and international laws may apply to a domestic health care provider’s operations and its use and disclosure of patient and personal information, and those laws should be considered.

Part 2 Programs

Federal rules govern the confidentiality of substance use disorder records. Often referred to as the “Part 2” rules because of their codification at 42 C.F.R. Part 2, those rules protect the confidentiality of records relating to the identity, diagnosis, prognosis, or treatment of any patient that are maintained in connection with the performance of any federally assisted program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research.[iv] In many respects more stringent than HIPAA, the Part 2 rules seek to ensure the privacy and confidentiality of individuals and records associated with substance use diagnosis and treatment. For example, under Part 2, a federally assisted substance use disorder program may only release patient identifying information with the individual’s written consent, pursuant to a court order, or under a few other limited exceptions.[v] Thus, if a HIPAA covered health care provider holds itself out as providing substance use disorder diagnosis, treatment, or referral for treatment and is federally funded, the provider must abide by the Part 2 rules (and HIPAA) for the use and disclosure of program records.

Telephone Consumer Protection Act

Passed in 1991, the Telephone Consumer Protection Act (TCPA) sought to regulate, among other things, the use of automated telephone dialing systems (generating so-called “robocalls”) and artificial and prerecorded voice messaging to residential landlines and mobile phones.[vi] The rules are complex and set forth different standards for landlines and mobile phones and for calls made for informational versus advertising/marketing purposes.

In regard to health care providers, the TCPA regulations allow a person or entity to call or text a mobile phone using an automated telephone dialing system or an artificial or prerecorded voice with the prior express consent of the caller (i.e., prior express written consent is not required) if the call delivers a “health care” message and the call is made by a HIPAA covered entity or its business associate.[vii] Prior consent (written or otherwise) is not required for a caller to use an artificial or prerecorded voice to call a residential landline if (among other things) the call delivers a “health care” message by a HIPAA covered entity or its business associate.[viii]

No TCPA definition of “health care related” exists but, generally, if the call involves a HIPAA-defined treatment purpose, it should be considered health care related under TCPA. That said, it is important for US health care providers to ensure compliance with the TCPA as it allows for the imposition of substantial fines and penalties.[ix] Also, keep in mind that HIPAA requirements deal with the use and disclosure of protected health information (PHI) whereas TCPA involves health care related information. If a call contains both PHI and health care related information, both laws may apply.

Breach Notifications

Data breach notification laws exist at both the state and federal levels. All HIPAA covered entities and business associates must at least follow the federal breach notification guidelines[x] if the data breach involves PHI, but states can also pass more stringent breach notification standards and standards that apply to a broader category of data than just PHI.[xi] Thus, after a security incident or data breach involving personal information, HIPAA covered entities (and business associates) must also consider state consumer protection and breach notification requirements for affected individuals/state residents. A HIPAA covered entity should first determine which state laws may be implicated by collecting the state residencies of affected individuals. After this, a HIPAA covered entity should check the following in each identified state’s consumer protection statutes and regulations:

  • Definition of “breach”
  • Definition of “Personal Information” or similar substitute
  • Safe harbor/de-identified qualifications
  • Timing requirements for notification
  • Risk analysis factors

Often, state breach notification laws are only implicated if the personal information involved is of a financial nature and the unauthorized access was to computerized information. There may also be exceptions/carve-outs for HIPAA-regulated entities; however, this is not always true. Further, HIPAA covered entities and business associates may also collect and maintain more than just PHI. Once you determine whether state law applies, an attendant breach risk assessment should ensue. Note that this must be done for both the federal breach notification requirements and each state where personal information of a resident has potentially been compromised.

Genetic Information Nondiscrimination Act

The Genetic Information Nondiscrimination Act of 2008[xii] (GINA) prohibits discrimination in health coverage and employment based on genetic information.[xiii] Many states also have laws that protect against genetic discrimination in health insurance and employment situations.[xiv] As with HIPAA and the federal breach notification law, all entities that are subject to GINA must comply with all applicable GINA requirements and, as applicable, with more protective state laws. For health care providers with access to genetic information, GINA does not prevent health care providers from recommending or administering genetic tests to their patients; however, providers and practitioners must safeguard such information, like any other protected health information, and implement policies and procedures to ensure that such information is not improperly used or disclosed to unintended recipients (e.g., employers and unauthorized insurance underwriters).[xv]

General Data Protection Regulation

The GDPR requires organizations doing business with citizens in the EU to protect the “personal data” and privacy of those citizens. The GDPR also requires such organizations to respect certain rights afforded to EU citizens and data subjects residing in the EU that extend beyond the rights afforded to individuals under HIPAA (e.g., the right to erasure, or so-called “right to be forgotten”).[xvi] Notably, the GDPR applies to organizations located anywhere in the world, so long as they process the personal data of EU citizens and the processing activities relate to the offering of goods or services to EU data subjects or the monitoring of the data subjects’ behavior in the EU (e.g., using web or browser cookies).[xvii]

Even though the GDPR has the potential to apply to organizations worldwide, it may not apply to many US health care providers. US health care providers that operate clinics in the EU will be impacted. Likewise, US health care providers that have clinical trials sponsored by businesses located in the EU will most certainly be impacted. US health care providers without a physical presence in the EU, but who actively solicit EU citizens for the provision of health care items and services in the US (i.e., medical tourism), will also likely be impacted and directly regulated by the GDPR. Finally, US health care providers that continue to monitor the health of an EU citizen who returns to the EU, but was treated by the domestic health care provider for an emergent condition while the EU citizen was in the US, will be governed by the GDPR. On the other hand, a US hospital that does not market or promote itself in the EU, treats EU citizens domestically and only in emergent scenarios, and does not otherwise track or monitor the health of EU citizens will likely not be impacted by the GDPR.

From a risk assessment perspective, the first thing a US health care provider should do regarding the GDPR is perform an organizational assessment and data mapping exercise: determine whether the GDPR applies to your business and, if so, what personal data your organization maintains and where. Once you have determined that, you can develop and implement a GDPR compliance plan and strategy. The good news is that there are many similarities and much overlap between the GDPR and HIPAA, such that a US health care provider may be well-suited to address applicable GDPR obligations and requirements.

The California Consumer Privacy Act of 2018

As noted above, many states have consumer protection statutes applicable to personal data and attendant breach notification obligations. California is one such state, and it recently significantly expanded the scope of its law. Even if you are not directly impacted by the GDPR, you may be impacted by the California Consumer Privacy Act of 2018 (the Act).[xviii] The Act, which is scheduled to go into effect on January 1, 2020, protects California consumers and would apply to all businesses doing business with California consumers that satisfy certain criteria, including having annual gross revenues in excess of $25 million.[xix] Much like the GDPR, the Act expands the definition of “personal information”[xx] to include broad categories of information such as internet and electronic network activity, commercial information and professional information, imposes additional obligations on regulated businesses,[xxi] and affords consumers more rights regarding a regulated business’ use and disclosure of the consumer’s personal information.[xxii] The Act does not apply to PHI regulated by HIPAA,[xxiii] but it still has the potential to impact the operations of US health care providers and businesses doing business with California consumers (e.g., operators of wellness apps).

In Conclusion

Health care organizations regulated by HIPAA are accustomed to rules affecting their use and disclosure of individually identifiable health information. But ensuring HIPAA compliance may not be enough. In addition to HIPAA, state, federal and international laws may affect how US health care providers and businesses use, disclose and safeguard an individual’s personal and protected health information and data. HIPAA compliance may have sufficed in a previous world. Now, HIPAA compliance may no longer be enough.

[i] Regulation (EU) 2016/679 (April 27, 2016).
[ii] 42 U.S.C. 1320d et seq.
[iii] 45 C.F.R. Parts 160 and 164.
[iv] See 42 C.F.R. 2.1.
[v] See 42 C.F.R. Part 2, subparts C, D and E.
[vi] 47 U.S.C. § 227; 47 C.F.R. 64.1200.
[vii] 47 C.F.R. 64.1200(a)(2).
[viii] 47 C.F.R. 64.1200(a)(3).
[ix] See 47 U.S.C. 227(b)(3), (c)(5), (f)(1).
[x] 42 C.F.R. Part 164, subpart D.
[xi] See, e.g., Cal. Civ. Code 1798.82.
[xii] Pub. L. No. 110-233, 42 U.S.C. 2000ff.
[xiii] See 29 C.F.R. 1635.4.
[xiv] See 410 ILCS 513/1.
[xv] See 42 C.F.R. 164.530(c), 164.502(a).
[xvi] GDPR Directive, art. 17.
[xvii] GDPR Directive, art. 3.
[xviii] California AB 375 (approved June 28, 2018).
[xix] Cal. Civ. Code 1798.140(c)(1)(A).
[xx] Id. at 1798.140(o).
[xxi] See id. at 1798.100(b).
[xxii] See id. at 1798.105.
[xxiii] Id. at 1798.145(c).