HIPAA protects health data privacy, but not in the ways most people think

The “P” in HIPAA does not stand for privacy. This is one of the first things many experts will say to clear up any misconceptions about the health information law. Instead, it spells out portability — it’s called the Health Insurance Portability and Accountability Act — and describes how information can be transferred between providers. With the misinterpretations of HIPAA starting with just its name, misunderstandings about what the law actually does have a major impact on our ability to recognize what types of data do and do not fall within its scope. This is especially true as a growing number of consumer technology devices and services collect vast amounts of data related to our health.

We often think of HIPAA as a piece of consumer privacy legislation because it directed the Department of Health and Human Services to come up with certain security provisions, such as breach notification rules and torts, to protect personally identifiable information. But when HIPAA was enacted in the 1990s, its primary purpose was to improve the way providers work with insurance companies. Simply put, “people think HIPAA covers a lot more than it actually does,” said Daniel Solove, a professor at George Washington University and CEO of privacy training company TeachPrivacy.

According to Cobun Zweifel-Keegan, DC managing director of the International Association of Privacy Professionals, HIPAA has two major limitations on its scope: a limited set of entities and a limited set of data. Covered entities include health care providers such as doctors and health plans such as health insurance companies. Covered information refers to medical records and other individually identifiable health information used by covered entities. Under HIPAA, your general practitioner cannot sell information about your vaccination status to an advertising firm, but a fitness app that tracks your steps and heart rate (which would not be a covered entity) certainly could.

“What HIPAA covers is information related to payment for health or health care and any identifiable information contained in that file,” Solove said. It doesn’t cover health information you share with your employer or school yourself, for example when you provide a sick note, but it does prohibit your doctor from sharing details about your diagnosis if they call to confirm.

A lot has changed in the nearly 30 years since HIPAA was enacted. The lawmakers behind HIPAA had no idea how much information we would share about ourselves today, much of which is personally identifiable. Hence, this information is not included in its scope. “When HIPAA was designed, no one really anticipated what the world would look like,” said Lee Tien, senior attorney at the Electronic Frontier Foundation. It’s not that HIPAA is poorly designed; it just can’t keep up with our situation today. “You’re always sharing information with other people who aren’t doctors or insurance companies,” Tien said.

Think of all the data collected about us every day that can reveal something about our health. Noom tracks your diet. Peloton knows your activity levels. Your sleep tracker sees you when you sleep. Medisafe knows your pill schedule. Betterhelp knows what mental health condition you may have and was banned by the FTC less than a year ago. The list goes on, and most of it can be used to sell dietary supplements or sleeping aids or whatever else. “Health data can be almost limitless,” Solove said, so without HIPAA’s limited scope, the law would be limitless too.

Not to mention the inferences companies can make about our health based on other data. A well-known case details how Target could tell a customer was pregnant just from her online searches and purchases. HIPAA also cannot protect your medical information from being viewed by law enforcement officials: even without a warrant, the police can obtain your records. Beyond that police exception, other types of data can also reveal sensitive details. For example, such data may indicate that you went to a particular clinic to receive care. Taken together, this means laws like HIPAA will not necessarily prevent law enforcement from prosecuting someone based on a health care decision.

Today, state-specific laws are being enacted across the United States to help close some of the health information privacy gaps not covered by HIPAA. This means moving beyond just medical records and healthcare providers to encompass more of people’s health data footprints. Some, as in California, give consumers the option to seek damages from anyone who negligently discloses medical information, and Pennsylvania adds some additional protections for consumers, but Washington state recently passed a law aimed squarely at HIPAA’s loopholes.

Washington State’s My Health My Data Act, passed last year, aims to “protect personal health information beyond the scope of the Health Insurance Portability and Accountability Act,” according to the Washington Attorney General’s Office. Any entity doing business in Washington State that handles personal information identifying a consumer’s past, present, or future physical or mental health status must comply with the privacy protections of the act. These provisions include the right not to have your health information sold without your permission and the right to have your health information deleted upon written request. Under this statute, unlike HIPAA, data like Target’s conclusions regarding pregnancy would be covered.

My Health My Data is still rolling out, so we’ll have to wait and see how the law affects health data privacy protections nationally. Even so, it is already inspiring copycat laws.
