Background: CHIPPA provides critical protection against the misuse, without knowledge or consent, of our personal health data collected by entities that are not covered by the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). CHIPPA would require regulated entities to establish and make publicly available a consumer health data privacy policy governing the collection, use, sharing, and sale of consumer health data. CHIPPA would also require companies to limit their use of health information to what individuals expect and to obtain their informed and affirmative consent before sharing their personal health data.
Our Position: Individuals are generally aware of the fact that federal law protects some health information, but many are not aware that this protection only extends to health information shared with entities covered under HIPAA – namely healthcare providers, healthcare plans, and similar entities. Under CHIPPA, individuals could obtain access to collected health data, withdraw consent for use of that data, and could request deletion of their health data. CHIPPA would also require valid consumer authorization specifically before an entity could sell their data.