Privacy & Cybersecurity

Protecting Health Data Outside the Healthcare System

January 06, 2023

Since the early 2000s, the Health Insurance Portability and Accountability Act (HIPAA) has been the nation’s primary health privacy law, protecting patient data held by the healthcare system – hospitals, doctors, clinics, and health insurers.

With the explosive proliferation of digital technologies, an ever-increasing amount of health data is generated by consumers themselves. This data is both held and used by companies that are not bound by the obligations of HIPAA, leaving that data largely under-protected and under-regulated.

With the generous support of the Robert Wood Johnson Foundation (RWJF), the Executives for Health Innovation and the Center for Democracy & Technology (CDT) released the Consumer Privacy Framework for Health Data (the Framework) in February of 2021. The Framework outlines the current gaps in legal protections and discusses how non-HIPAA-covered health data should be used, accessed, and disclosed. A second round of funding from RWJF led to the development of the final report, The Case for Accountability: Protecting Health Data Outside the Healthcare System, authored by EHI.

The Final Report
EHI’s report makes the case for why a robust accountability mechanism is needed to govern the use of health data held and used by health tech companies. In the absence of new federal data privacy legislation, EHI has put forward a private-sector solution – a neutral, independently run self-regulatory program that will oversee the data use policies and procedures of Framework members.

Self-Regulatory Program
In January 2022, EHI launched a Request for Proposals from organizations interested in housing and running the Framework’s self-regulatory program. After careful consideration of the submitted proposals by an independent, objective committee of experts, EHI announced that it had selected BBB National Programs to implement and house this new program, overseeing compliance with the Framework and protecting consumer health data not bound by the obligations of HIPAA.

Press Releases




Podcast: A Conversation with John Riggi on Cybersecurity Risks Facing Health Systems

January 19, 2023


During this two-part episode, we had the pleasure of speaking with John Riggi, national advisor for cybersecurity and risk at the American Hospital Association about the current state of cybersecurity risks and threats facing health systems. A leading expert in the field, John addresses the types of attacks we're experiencing, where they are coming from, and motives for attacks. In addition, as cyber threats increase and become more widespread, John discusses how executives can prepare and prioritize readiness for an attack response.

Part One:
Preparing Health Execs for the Inevitable Cyber Attack



Part Two:
What Surprises Health Execs About Cyber Attacks?



John Riggi
National Advisor for Cybersecurity and Risk
American Hospital Association

Executive Spotlight: A Deep Dive Into Upcoming Cybersecurity Legislation With Healthcare Executives

January 12, 2023

In 2022, Executives for Health Innovation (EHI) convened a small group of cybersecurity experts, regulators, and policy experts to discuss cybersecurity concerns facing the healthcare industry.

During this impressive roundtable, the group identified the top concerns driving executives, including:

  • new guidance and regulations related to medical devices, healthcare systems, and patient data;
  • the current legislative challenges facing Congress; and
  • recent FDA draft guidance and pending legislation.

A summary of the key concerns and highlights from the discussion is offered in this report.

EHI thanks Booz Allen Hamilton for their generous support in convening and moderating this roundtable and their continued support of our organization’s work addressing cybersecurity challenges in healthcare.


LexisNexis® Risk Solutions and EHI Release New Report on Cybersecurity

Washington, DC – July 13, 2022 – Today, LexisNexis® Risk Solutions and Executives for Health Innovation (EHI) released the report, Tackling Cybersecurity Threats Without Sacrificing Usability. The report contains insights from an Executive Roundtable panel composed of cybersecurity experts from LexisNexis Risk Solutions; Marshfield Clinic Health System; Mayo Clinic; Office of the National Coordinator for Health IT (ONC); and Providence Health.

Report: Tackling Cybersecurity Threats Without Sacrificing Usability

July 13, 2022

Through the COVID-19 pandemic, cybersecurity threats to hospital systems rose 123%, and ransomware specifically affected more than 18 million patient records nationwide – a 470% increase from 2019. The same report found that in 2020 alone, hackers pulled in more than $2.1 million in ransom. ECRI named cybersecurity attacks as the top health technology hazard to patient safety for 2022. The risk to patient lives has never been higher.

In the Spring of 2022, a small group of cybersecurity professionals convened for an executive roundtable, Tackling Cybersecurity Threats Without Sacrificing Usability. Participants collaborated with the purpose of sharing their experiences of protecting their health system and patients from cyber-attacks while also retaining optimal user experience.

This report from LexisNexis® Risk Solutions and EHI shares solutions being developed, innovative plans being implemented, and best practices created through personal experiences. The discussions allowed the executives to shed light on the greatest vulnerabilities to patient safety.


Report: Patient Matching, Identity Access Management, and Interoperability

May 12, 2022

The move toward digitization in healthcare has led to the proliferation of health data. Although organizations now have access to better data on their patients, it is imperative they keep the data within patient records complete, accurate, and up to date to protect their patients while also ensuring that their records are properly linked.

Accurate data matching has been a long-time problem in the healthcare industry. The promotion of interoperability exacerbates that problem by creating duplicate and mismatched records if organizations do not have the ability to see through sparse data.

This report is based on an executive roundtable from Executives for Health Innovation (EHI) and the health care business of LexisNexis® Risk Solutions, where experts discussed and shared insights on how their organizations plan on complying with evolving interoperability regulations, while addressing the impacts that it will have on their ability to balance customer experience and data security.


Webinar: Using AI/Machine Learning for Patient Matching to Support Patient Safety and Improve Care

Access to accurate, complete, and timely data is one of the most valuable assets in any healthcare organization. Quality data improves care coordination and clinical outcomes and saves lives, but it can only be achieved with accurate patient identification or matching across multiple sources. Interoperable electronic health records (EHRs) allow the electronic sharing of patient information between these different sources, but sharing the data successfully requires the capacity to connect each patient with the correct record.

Policy Briefing: All Things Privacy Policy

March 29, 2022

There has been a lot going on here at EHI on health data privacy, and you may be wondering – what are the key takeaways? This interactive discussion focused on all things privacy policy, including EHI & CDT’s two new consumer health data privacy reports, the status of EHI’s work to facilitate a self-regulatory data privacy system, and new, bipartisan legislation to update HIPAA.


  • Alice Leiter, Vice President and Senior Counsel, EHI
  • Brett Meeks, Vice President, Health Innovation Alliance
  • Catherine Pugh, Assistant Vice President, Policy, EHI

About the Member Policy Briefing
Each month (on the third Tuesday), Executives for Health Innovation (EHI) hosts a member-only policy briefing featuring policymakers, staff, and health policy experts. This is a great opportunity to learn about timely issues and their impact on health IT and digital health. The 30-minute interactive discussion is held virtually and offers a chance to engage directly with experts on policies directly impacting your organization.

Webinar: EHI & CDT Release Second Phase of Consumer Privacy Framework for Health Data

March 24, 2022

Hosted by Executives for Health Innovation (EHI) and the Center for Democracy & Technology (CDT), this webinar was the culmination of a project spearheaded by EHI and CDT and generously funded by the Robert Wood Johnson Foundation (RWJF), which aims to protect consumer data that is both held and used by companies that are not bound by the obligations of HIPAA.

The EHI and CDT Consumer Privacy Framework for Health Data (the Framework) was released in February 2021. The report addresses the current gaps in legal protections and outlines how non-HIPAA-covered health data should be used, accessed, and disclosed.

A second round of funding from RWJF led to the development of two follow-up reports, The Case for Accountability: Protecting Health Data Outside the Healthcare System, authored by EHI, and Placing Equity at the Center of Health Care & Technology, authored by CDT.

What You’ll Hear:
EHI and CDT gave an overview and discussion of these two reports, in addition to an announcement of BBB National Programs as the organization that has been chosen by EHI to house and run a self-regulatory data use program.

Read the EHI Report and Learn More About the Self-Regulatory Data Use Program »

Webinar: Can the Interoperability Rule Change Healthcare Integration Forever?

March 22, 2022

Power care coordination and care management by reusing FHIR APIs.

As FHIR APIs become more commonplace and new regulatory mandates loom, it could be useful to find multiple uses for your APIs. If we can move from creating stand-alone APIs to repurposing existing APIs, we can accelerate project delivery, reduce project costs, and create new experiences for patients and partners.

During this webinar, an esteemed panel of experts dug into the opportunities and roadblocks associated with the reuse of APIs, including:

  • Do you need patient consent to reuse APIs?
  • Do you need additional security to make reuse work safely?
  • Is the Patient Access API the right building block?
  • Why are experienced APIs so important to reuse for program agility?
  • How can we put Interoperability Rule FHIR APIs to work?

Featured Speakers:

  • John Halamka, M.D., M.S., President, Mayo Clinic Platform
  • Viet Nguyen, MD, Chief Standards Implementation Officer, HL7 International
  • Marc Overhage, MD, PhD, Chief Medical Informatics Officer, Anthem, Inc.
  • Ruby Raley, VP of Healthcare, Axway