HIPAA protects health data privacy, but not in the ways most people think

The “P” in HIPAA does not stand for privacy. It's one of the first things many experts will say when asked to clear up any misconceptions about the health data law. Instead, it stands for portability — it's called the Health Insurance Portability and Accountability Act — and describes how information can be transferred between providers. Due to misinterpretations of HIPAA beginning with its name, misunderstandings about what the law actually does have a significant impact on our ability to recognize how types of data do and do not fall within its scope. This is especially true as a growing number of consumer technology devices and services bring together a wealth of information related to our health.

We often think of HIPAA as a consumer data privacy law because it directed the Department of Health and Human Services to come up with certain security provisions, such as breach notification regulations and rules to protect individually identifiable information. But when HIPAA took effect in the 1990s, its main goal was to improve the way providers worked with insurance companies. Simply put, “people think HIPAA covers more than it actually does,” said Daniel Solove, a professor at George Washington University and CEO of privacy training company TeachPrivacy.

HIPAA has two big restrictions: a limited set of covered entities and a limited set of covered data, according to Cobun Zweifel-Keegan, DC executive director of the International Privacy Professionals Association. Covered entities include health care providers like doctors and health plans like health insurance companies. Covered data refers to medical records and other individually identifiable health information used by these covered entities. Under HIPAA, your GP cannot sell data related to your vaccination status to an advertising company, but a fitness app (which would not be a covered entity) that tracks your steps and heart rate (which are not considered covered data) absolutely can.

“What HIPAA covers is information related to health care or payment for health care, as well as any identifiable information contained in that record,” Solove said. This doesn't cover health information shared with your employer or school, like if you turn in a sick note, but it does prevent your doctor from sharing more details about your diagnosis if your employer or school calls to check.

However, a lot has changed in the nearly 30 years since HIPAA took effect. The lawmakers who created HIPAA did not anticipate the amount of data we would share about ourselves today, much of which can be considered personally identifiable. This information therefore does not fall within its scope. “When HIPAA was designed, no one really anticipated what the world was going to look like,” said Lee Tien, senior attorney at the Electronic Frontier Foundation. It's not that HIPAA is poorly designed; it simply cannot keep up with the state we find ourselves in today. “You're constantly sharing data with other people who aren't doctors or who aren't part of the insurance company,” Tien said.

Think about all the data collected about us every day that could provide insight into our health. Noom tracks your diet. Peloton knows your activity levels. Calm sees you when you sleep. Medisafe knows your pill schedule. Betterhelp knows what mental health issues you might be suffering from, and less than a year ago the FTC banned . The list is long, and much of that data can be used to sell food supplements, sleeping pills or something else. “Health data could be almost unlimited,” so if HIPAA didn’t have a limited scope of covered entities, the law would also be unlimited, Solove said.

Not to mention the amount of inferences companies can make about our health from other data. One account explained how, through a person's online searches and purchases, Target can discover that they are pregnant. HIPAA may not protect your health information from inspection by law enforcement. Even without a warrant, cops can recover your records. Other data types can also provide sensitive details: they may show, for example, that you went to a specific clinic to receive care. Because of these inferences, laws like HIPAA will not necessarily prevent law enforcement from pursuing someone based on their health care decisions.

Today, state-specific laws are emerging across the United States to help target some of the health privacy gaps that HIPAA does not cover. This means going beyond just medical records and healthcare providers to encompass more of people's health data footprint. Some states have taken partial steps, such as California, which provides options for charging anyone who negligently discloses medical information, or Pennsylvania, which offers additional breach protections for its consumers, but Washington state recently passed a law specifically targeting HIPAA loopholes.

Washington state's My Health My Data law, passed last year, aims to “protect personal health information that falls outside the scope of the Health Insurance Portability and Accountability Act,” according to the Washington Attorney General's Office. Any entity that conducts business in Washington State and processes personal information identifying a consumer's past, present, or future physical or mental health condition must comply with the privacy protections of the law. These provisions include the right not to have your health information sold without your authorization and the right to have your health information deleted upon written request. Under this law, unlike HIPAA, something like Target's pregnancy inferences would be covered.

My Health My Data is still being rolled out, so we'll have to wait and see what impact the law will have on the nation's health data privacy protections. However, it is already inspiring similar laws elsewhere.
