This article is written by Kaushik Bhattacharjee, pursuing Diploma in International Data Protection and Privacy Laws from Lawsikho.


Alex was in the running for a big promotion at his company, and he was undoubtedly the best candidate for the role. His anxiety started to affect his work performance. At first he pretended everything was fine; he was afraid of what might follow if he saw a professional. When the anxiety was at its worst, however, he had to consult a doctor. The doctor ordered a few tests, including acetylcholine (ACh) and acetylcholinesterase (AChE) levels, and on the basis of the results diagnosed him with a severe anxiety disorder. Things could have ended there, but the hospital's records were networked with his employer's systems: his employer was notified, and the promotion went to someone else.

This article reflects on the importance of protecting medical data, which forms a vital part of the right to privacy. It discusses the US legal framework on medical data and privacy, together with the role of health insurance in the US, in detail.


Medical data and medical privacy in the US

The above story is an imaginary one, but medical data, and the privacy attached to it, is vital to a person's standing in society. Medical privacy concerns the medical or health data of an individual or a population. Health data is any data related to a person's health conditions and quality of life, and it can be aggregated in various ways. Whenever an individual visits a health care professional, he may be asked various questions so that his condition can be properly assessed, and he may be asked to undergo tests. His answers to the professional's questions, together with the findings of his medical examinations, form a set of medical data about him.

Before the advancement of technology, health care systems collected most health-related data. Individuals move between points of the health care system; they interact with health care providers, and health information is produced by those interactions. These points include clinics and doctors' chambers, pharmacies, insurance companies (through claims and payments), hospitals, diagnostic laboratories, and senior homes. Information is also collected through participation in clinical trials, surveys conducted by health agencies, medical devices, and pathology testing. Once collected, sorted and recorded properly, this information becomes health data. It typically includes a record of services received and the clinical outcomes of those services. Moreover, in the age of information technology, visiting, joining, promoting or liking health-related websites or social media groups also contributes to an individual's health data.

In the US it is a long-standing practice to record an individual's health data. These records are revisited from time to time by various parties such as employers, insurance providers and law enforcement agencies, and it has often been seen that, depending on his health record, a person is granted or denied certain benefits. The problem is that not all health conditions deserve to be treated alike. Consider the example in the introduction. Even if a person suffers from a severe anxiety disorder, it is not guaranteed that his work performance will be affected; it may or may not be, and most of the time it will not be, since the condition is treatable. Denying a promotion on the basis of such a report is therefore hard to justify. More fundamentally, unauthorized disclosure of private medical information is not justifiable at all unless it is done under the rule of law.

Health Insurance Portability and Accountability Act (HIPAA)

This scenario was very real for many individuals. Companies had access to detailed information about employees' health insurance and their exact health status, while patients were kept in the dark and often could not obtain their own medical records. The only sure way to protect one's health information at the time was not to have any created in the first place, which discouraged patients from seeking the care they needed. Because this practice was widespread, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), which President Bill Clinton signed into law on August 21, 1996. It was enacted primarily to modernize the flow of health care information and to determine how personally identifiable information maintained by health care providers and the health insurance industry should be protected from theft, fraud and unnecessary or unauthorized access.

HIPAA is divided into the following five sections, known as titles:

  1. Title I deals with health care access, portability, and renewability of insurance coverage.
  2. Title II is related to preventing health care fraud and abuse, administrative simplification, and medical liability reform.
  3. Title III covers tax-related health provisions governing medical savings accounts.
  4. Title IV deals with the application and enforcement of group health plan requirements.
  5. Title V covers revenue offsets governing tax deductions.

Medical privacy and HIPAA

After its enactment in 1996, HIPAA addressed individuals' medical privacy through its Title II (Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform). Under it, the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule") were established, setting for the first time a well-structured national standard for the protection of certain health information of individuals.

The U.S. Department of Health and Human Services ("HHS") drafted the Privacy Rule and put it through public consultation before issuing it to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Privacy Rule's standards determine how an individual's health information, termed "protected health information" (PHI), may be used and disclosed by the organizations subject to the rule, which are termed "covered entities". At the same time, it set out standards for individuals' privacy rights, helping them understand and control how their health information is used. The main goal of the Privacy Rule is to ensure that individuals' health information is adequately protected while still allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and wellbeing. Some of the features of the HIPAA Privacy Rule are described below.

To whom it applies

The Privacy Rule, like all the administrative simplification rules, applies to health plans, health care clearinghouses, and any health care provider that transmits health information in electronic form in connection with certain transactions (for example, claims and eligibility checks). Since the HITECH Act of 2009, business associates, the contractors and vendors that handle PHI on a covered entity's behalf, are also directly liable for compliance with many of these requirements.

What is protected information?

All "individually identifiable health information" held or transmitted by a covered entity, in any form or medium (electronic, paper or oral), is protected. This is information that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual, and that relates to:

  • the past, present or future physical or mental health condition of an individual,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual.

Health information that has been de-identified in accordance with the rule is not PHI and is not restricted by it.

Uses and disclosure that is permitted

A covered entity is permitted to use and disclose protected health information, without an individual's authorization, in the following situations:

(1) to the individual who is the subject of the information;

(2) for treatment, payment, and health care operations;

(3) where the individual has been given the opportunity to agree or object (for example, listing in a facility directory or disclosure to family members involved in care);

(4) incident to an otherwise permitted use or disclosure;

(5) for public interest and benefit activities (such as those required by law, public health activities, and law enforcement purposes); and

(6) as a limited data set, from which direct identifiers have been removed, for the purposes of research, public health or health care operations.

Covered entities may rely on professional ethics and best judgment in deciding which of these permissive uses and disclosures to make. Where a use or disclosure is permitted, the entity must in most cases still limit it to the minimum necessary to accomplish the purpose.

Authorised uses and disclosure

A covered entity must obtain the individual's written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations, and that is not otherwise permitted or required by the Privacy Rule.

What is health insurance?

America has seen multiple health insurance laws since President Harry Truman first proposed national health insurance in 1945 (Medicare itself was enacted in 1965). As of 2019, about 92% of the US population was covered by some kind of health insurance, leaving only about 8% uninsured. Multiple laws contributed to bringing such a high percentage of individuals under the cover of medical insurance; HIPAA and the Affordable Care Act (popularly "Obamacare") both played a part.

Role of HIPAA

Insurance portability and renewability are covered under Title I of HIPAA. Title I deals with what is quite familiar today as insurance reform, but it should be kept in mind that its protections are built primarily around employer-provided group plans. Individually purchased plans are now governed mainly by the Affordable Care Act.

HIPAA Title I makes it easier for an individual to change jobs without losing health coverage, and it limits a new health plan's ability to deny coverage on the basis of a medical condition the person had before obtaining the coverage, termed a pre-existing condition. It also gives the person additional opportunities to enrol in a new group plan or individual policy and prohibits the new plan or insurer from discriminating against him. Under HIPAA, an employer health plan may not refuse coverage to a new employee with pre-existing conditions as long as certain conditions are met (the Affordable Care Act later removed pre-existing condition exclusions altogether).

HIPAA also gives those who previously declined coverage under their employer's plan an opportunity to enrol at a date outside the plan's open enrolment period. Such special enrolment situations arise, for example, when:

  • a spouse's insurance coverage ends because of divorce, separation or death;
  • someone loses dependent coverage under a parent's plan, for example by aging out of it;
  • a spouse's employment, and the insurance tied to it, is terminated; or
  • a change in employment conditions, such as moving from full time to part time, makes the employee ineligible for coverage.

Under HIPAA, individuals and their family members cannot be denied eligibility or benefits, or charged more for coverage, on the basis of certain health factors. Insurers cannot use the following factors as grounds for denying coverage:

  • health status;
  • medical conditions (physical or mental);
  • claims history;
  • past receipt of health care;
  • medical history;
  • genetic information; or
  • disability.

Role of Affordable Care Act

The Affordable Care Act (ACA) is a health care reform law signed by President Barack Obama in March 2010. Formally the Patient Protection and Affordable Care Act, and nicknamed "Obamacare", it comprises a set of health care policies intended to extend health insurance coverage to millions of uninsured Americans.

The ACA brought sweeping changes to the US health care system. The most prominent were:

  • allowing children to remain covered under their parents' insurance plans until they turn 26;
  • allowing businesses and individuals to compare plans and buy coverage through state health insurance exchanges;
  • expanding Medicaid eligibility to bring more people under its umbrella;
  • making subsidies available on the exchanges to a larger group of individuals;
  • enforcing stricter standards for health insurance policies;
  • barring employers from making employees wait more than 90 days for health insurance eligibility;
  • requiring public justification for premium rate increases of 10% or more, and requiring insurers to spend at least 80% of premiums (85% for large group plans) on actual health care services;
  • prohibiting insurers from arbitrarily cancelling coverage in response to an illness;
  • including certain preventive care at no additional cost to the insured person;
  • leaving individuals free to choose any physician within the plan's network, and to use an out-of-network emergency room without penalty in a genuine emergency; and
  • granting the policyholder the right to appeal when an insurer denies payment for health care services.

The most controversial part of the original ACA was the individual mandate, a provision requiring everyone to have health coverage, whether from an employer, through the ACA exchanges or from another source, or else pay a tax penalty. The penalty was reduced to zero by the Tax Cuts and Jobs Act of 2017, with effect from 2019, which in practice ended the mandate's enforcement.


Americans have seen multiple laws in the health care sector. Recent laws, though not foolproof and complex to implement and comply with, have achieved their objectives to a great extent. Not only do these laws protect the privacy and confidentiality of patients, they have also succeeded in increasing health insurance coverage among ordinary Americans. Individuals can now feel comfortable going to a doctor for treatment without fear that it will be the talk of the office break room the next day.
