Patients/Consumers
Generally, patients appreciate the privacy protections. Patients are the primary beneficiaries of the HIPAA Privacy Rule. They have the right to access their PHI, request corrections, and file complaints if they believe their rights have been violated. However, some find provisions such as release-of-information forms burdensome. Many want more say in how their health information is used or disclosed.

Healthcare Providers
Healthcare providers are responsible for complying with the HIPAA Privacy Rule. They must ensure that PHI is protected from unauthorized access, use, or disclosure. Compliance can be challenging and costly. Some provisions, such as the minimum necessary standards, are complex to implement. Many want broader permissions for coordinating care and case management.

Insurers
Health plans must comply with the HIPAA Privacy Rule when handling PHI. They must provide patients with a notice of privacy practices that explains how their PHI will be used and disclosed. Compliance efforts are costly and administratively burdensome. Insurers want to find the balance between privacy and efficient claims processing.

Government
Government sees the Privacy Rule as an important standard but wants flexibility for public health and research. Strict privacy protections can hamper health oversight activities and population health analysis.

Researchers
The Privacy Rule requires researchers to obtain individual authorization to use identifiable health data for research purposes, with some exceptions. This can make large-scale studies involving thousands of records cumbersome and infeasible. There are concerns that strict privacy protections will inhibit important public health and comparative effectiveness research that relies on large datasets. Some modifications have been proposed to facilitate these types of studies. However, researchers recognize the need for privacy protections.

Health IT Developers
The Privacy Rule requires reasonable safeguards for protecting electronically transmitted and stored health data. This creates challenges for interoperable health IT systems. Developers must implement technical controls like access management, audit logs, and encryption to limit unauthorized access to ePHI through health information exchanges and telehealth platforms. The complexity of designing compliant systems can stifle innovation and raise costs. Health IT groups have advocated for privacy accommodations to enable next-generation data-sharing models.