Isn’t All Health Data Sensitive? Yes, But Safeguarding Some of It Is Even Trickier

Arguably all health information is sensitive, based on the nature of the data. But some health information is regarded as especially sensitive, either through the eyes of regulators or because of the strong gut reaction of patients and others when certain types of information are compromised.
Protecting that ultra-sensitive information can be extra challenging for a range of reasons, some experts said. Those records might fall into a variety of different buckets, including mental and behavioral health, reproductive health information, pediatric records and many more.
“There’s no one-size-fits-all solution to identifying extra sensitive health data, as one individual may have greater privacy concerns and sensitivity about their health data than others,” said regulatory attorney Adam Greene of the law firm Davis Wright Tremaine.
“An X-ray of a broken wrist may not be particularly sensitive to most people, but could be extremely sensitive to a professional athlete,” he said.
Hackers view some sensitive health information such as mental health records, plastic surgery exam photos, and other such delicate records as a potential bonanza for extortion. For instance, a string of ransomware and data theft attacks on plastic surgery clinics in 2023 triggered the FBI to issue a cybercrime warning for such medical practices (see: Plastic Surgeons Warned About a New Face Cyber Extortion).
“There’s always going to be a focus by hackers on covered entities that hold certain sensitive data,” said regulatory attorney Amy Magnano of the law firm Morgan Lewis.
‘Confusing’ and ‘Complicated’ Laws
Protecting ultra-sensitive information “is an incredibly confusing and complicated and evolving part of the law,” said regulatory attorney Kirk Nahra of the law firm WilmerHale.
“HIPAA generally does not distinguish between categories of health information,” he said. “There are exceptions – including the recent Dobbs rule – but these are not fundamental in their application,” he said.
Privacy protections related to abortion procedures are perhaps the most hotly debated type of patient information. For instance, last June – in response to the June 2022 Supreme Court’s Dobbs ruling, which overturned the national right to abortion – the Biden administration’s U.S. Department of Health and Human Services modified the HIPAA Privacy Rule to add additional safeguards for the access, use and disclosure of reproductive health information.
The rule is aimed at protecting women from the use or disclosure of their reproductive health information when it is sought to investigate or impose liability on individuals, healthcare providers or others who seek, obtain, provide or facilitate reproductive healthcare that is lawful under the circumstances in which such healthcare is provided.
But that rule is being challenged in federal court by 15 state attorneys general seeking to revoke the regulations. They allege the rule is hampering states’ ability to gather information “critical to policing serious misconduct like Medicaid billing fraud, child and elder abuse, and insurance-related malfeasance” because healthcare providers – citing the HIPAA regulations – are refusing to turn over documents subpoenaed for investigations (see: 15 States Sue HHS to Drop HIPAA Reproductive Health Info Reg).
Substance Abuse Protections
But long before the recently added privacy safeguards for reproductive health information, another federal law has provided additional protections over the use and disclosure of a different type of data: substance use disorder patient records maintained in connection with federally assisted treatment programs.
Those regulations – the Confidentiality of Substance Use Disorder Patient Records, 42 CFR Part 2 – have over the years, however, created certain obstacles. That includes difficulties for healthcare providers who do not participate in federally assisted Part 2 programs but who treat substance use disorder patients for other medical care.
For instance, inconsistencies in Part 2 regulations versus HIPAA can prevent doctors and ER departments from accessing the patient’s relevant medical history before they prescribe medicine or treatment.
Some of those issues were addressed in a final rule issued last year by HHS that aimed to better align Part 2 with HIPAA.
HHS said the final rule modified Part 2 to help improve coordination among providers treating patients for substance use disorders and to enhance integration of behavioral health information with other medical records to improve patient health outcomes (see: HHS Rule Aligns Substance Disorder Privacy Regs, HIPAA).
“The 42 CFR Part 2 rules – which pre-date HIPAA by many years – show today the potential negative implications from a separate set of rules for specific kinds of data, and the law has been moving for almost 15 years towards making Part 2 more like HIPAA,” Nahra said.
But even though federal regulators have taken actions aimed at better coordinating how sensitive Part 2 information can be shared, other obstacles still persist, some experts said.
“A common challenge is technological limitations with protecting especially sensitive data,” Greene said.
“For example, 42 CFR Part 2 may prohibit disclosure of substance use disorder information to another treating physician without the patient’s consent, but the electronic health record may not allow for excluding substance use disorder information from medication lists or problem lists.”
Managing Ultra-Sensitive Data
HHS’ proposed update to the HIPAA security rule addresses some of the challenges facing certain health information, Magnano said. “One of the proposed updates in the HIPAA security rule is network segmentation,” she said (see: What’s In HHS’ Proposed HIPAA Security Rule Overhaul?).
“There are certain entities that have, let’s say, Part 2 information – substance use disorder treatment information – and some entities have made the deliberate decision to have that information stored in separate segmented areas rather than in their broader electronic medical record,” she said.
Navigating the Regulations
Besides federal laws such as HIPAA and Part 2 – as well as ramped-up enforcement in the last couple of years by the Federal Trade Commission in a handful of privacy and breach cases involving non-HIPAA health data – state laws are also adding to the mix of complicated challenges involving the privacy of health information, including particularly sensitive data.
“It is primarily at the state level where these new laws are coming into play and where the data categories matter,” Nahra said. “Companies need to be thinking about these issues, both inside HIPAA and outside of it – and in fact more of the laws apply outside of HIPAA because there often are HIPAA carve-outs.”
For instance, the Washington state My Health My Data law that went into effect last year adds additional wrinkles, including for health data that is not covered by HIPAA.
The My Health My Data law covers consumer health data that is “personal information linked or reasonably linkable to a consumer and that identifies the consumer’s past, present or future physical or mental health status.” That includes sensitive information such as genetic data, reproductive health information and biometrics.
Still, “the Washington law – driven by Dobbs – is having the unintended consequence of making it harder to find particular categories of patients for clinical research, with important implications for finding more diverse patient populations for trials,” Nahra said.
Taking Action
Healthcare entities and other regulated organizations can take certain steps to assess whether health data they handle might fall into extra-sensitive categories that could require added protections.
Greene said some factors to consider include whether the health data faces additional legal requirements beyond those for typical protected health information under federal law – such as 42 CFR Part 2 – or state law.
“Most states have additional authorization requirements for certain categories of sensitive health information,” he said.
Other factors to consider include whether the information poses a high risk for identity theft, such as Social Security numbers – or if there are indications that the individual has heightened privacy concerns, “such as a minor receiving reproductive healthcare without a parent’s involvement or a professional athlete,” he said.
Greene also suggests that regulated organizations may want to work closely with their electronic health record vendors to ensure that they fully understand the capabilities and limitations of their platform for protecting extra sensitive health data.
Organizations also “should consider whether a patient consent is needed as part of the patient registration process to address circumstances where disclosures cannot be avoided,” he said.