BACKGROUND
Created, operated, and managed by the Healthcare Leadership Council, the Confidentiality Coalition was originally formed in response to the enactment of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which established national standards for protecting individuals’ health information. These federal privacy standards require healthcare entities, including health plans, healthcare clearinghouses, and providers such as doctors, hospitals, and pharmacists, as well as the business associates that support these entities, to safeguard the use and disclosure of protected health information (PHI) across paper and electronic formats.
To implement HIPAA and subsequent legislative amendments, the Department of Health and Human Services issued, has updated, and retains the authority to continue to modify the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”), the Security and Electronic Signature Standards (“Security Rule”), and the Breach Notification for Unsecured Protected Health Information (“Breach Notification Rule”).
While the landscape of healthcare privacy continues to evolve with technological advances, the Confidentiality Coalition is focused on supporting and advancing policies that protect the confidentiality of personal health information while advancing innovation. Our work spans key areas such as:
- Cybersecurity – Ensuring strong protections against cyber threats to safeguard health data.
- Data Privacy – Advocating for policies that protect patient information while enabling responsible data use.
- Artificial Intelligence – Addressing the ethical and privacy implications of AI in healthcare.
- Interoperability – Promoting secure and seamless health data exchange to improve patient care.
The Confidentiality Coalition remains committed to striking a balance between patient privacy, data security, and the responsible use of health information to improve healthcare outcomes.
LEGISLATIVE RESOURCES:
The following congressional committees have primary jurisdiction over legislation pertinent to healthcare and health privacy and security policy.
Senate:
- Appropriations
- Commerce, Science and Transportation
- Finance
- Homeland Security and Governmental Affairs
- Health, Education, Labor and Pensions
- Judiciary
House:
- Appropriations
- Education and Labor
- Energy and Commerce
- Homeland Security
- Judiciary
- Ways and Means
REGULATORY RESOURCES:
The federal agencies and advisory committees involved in privacy and security policy include:
OCR Health App Developer Portal
OCR’s guidance on when and how the Health Insurance Portability and Accountability Act (HIPAA) regulations apply to mobile health applications, including:
- Mobile Health Apps Interactive Tool
- Health App Use Scenarios & HIPAA
- FAQs on the HIPAA Right of Access, Apps & APIs
- FAQs on HIPAA & Health Information Technology
- Guidance on HIPAA & Cloud Computing
HHS Office for Civil Rights (OCR)
OCR has regulatory and enforcement authority for the HIPAA Privacy and Security rules and issues guidance and interpretations of the HIPAA rules.
HHS Office of the National Coordinator (ONC)
ONC is charged with the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of health information; this includes examining and recommending practices that protect privacy and promote security.
- HHS Health IT Policy Committee (HITPC)
The HIT Policy Committee makes recommendations to the National Coordinator for Health IT on a policy framework for the development and adoption of a nationwide health information infrastructure, including standards for the exchange of patient medical information.
- HITPC’s Privacy and Security Workgroup
ONC has organized a workgroup (subcommittee) under the auspices of the HIT Policy Committee to move forward on a range of privacy and security issues.
- HHS Health IT Standards Committee (HITSC)
The HIT Standards Committee makes recommendations to the National Coordinator for Health IT on standards, implementation specifications, and certification criteria for the electronic exchange and use of health information.
Centers for Medicare and Medicaid Services (CMS)
CMS administers the Medicare and Medicaid EHR Incentive Programs; privacy and security are important components of the program’s implementation.
Cybersecurity and Infrastructure Security Agency (CISA)
Federal Communications Commission (FCC)
The FCC regulates interstate and international communications by radio, television, wire, satellite and cable. In the healthcare area, the FCC authorizes a wide variety of radiofrequency-based medical devices including both implanted devices (e.g., heart pacemakers) and patient monitoring devices (e.g., wireless telemetry).
Federal Trade Commission (FTC)
Privacy is a central element of the FTC’s consumer protection mission; the FTC educates consumers and businesses about the importance of personal information privacy, including the security of personal information.
Food and Drug Administration (FDA)
The FDA encourages further development of mobile medical applications (“apps”) that improve health care and provide consumers and health care professionals with valuable health information quickly. The FDA has a public health responsibility to oversee the safety and effectiveness of a small subset of mobile medical applications.
Department of Homeland Security (DHS)
National Committee on Vital and Health Statistics (NCVHS)
NCVHS was established by Congress to serve as an advisory body to the Department of Health and Human Services (HHS) on health data, statistics and national health information policy.
National Institute of Standards and Technology (NIST)
NIST is the federal technology agency that works with industry to develop and apply technology, measurements, and standards.