HIPAA protects health data privacy, but not in the ways most people think

The “P” in HIPAA doesn’t stand for privacy. It’s one of the first things a lot of experts will say when asked to clear up any misconceptions about the health data law. Instead, it stands for portability — it’s called the Health Insurance Portability and Accountability Act —and describes how information can be transferred between providers. With misinterpretations of HIPAA starting with just its name, misunderstandings of what the law actually does greatly impact our ability to recognize how the kinds of data do and don't fall under its scope. That’s especially true as a growing number of consumer tech devices and services gather troves of information related to our health.

We often consider HIPAA a piece of consumer data privacy legislation because it did direct the Department of Health and Human Services to come up with certain security provisions, like breach notification regulations and a health privacy rule for protecting individually identifiable information. But when HIPAA went into effect in the 1990s, its primary aim was improving how providers worked with insurance companies. Put simply, “people think HIPAA covers more than it actually does,” said Daniel Solove, professor at George Washington University and CEO of privacy training firm TeachPrivacy.

HIPAA has two big restrictions in scope: a limited set of covered entities, and limited set of covered data, according to Cobun Zweifel-Keegan, DC managing director of the International Association of Privacy Professionals. Covered entities include healthcare providers like doctors and health plans like health insurance companies. The covered data refers to medical records and other individually identifiable health information used by those covered entities. Under HIPAA, your general practitioner can't sell data related to your vaccination status to an ad firm, but a fitness app (which wouldn't be a covered entity) that tracks your steps and heart rate (which aren't considered covered data) absolutely can.

“What HIPAA covers, is information that relates to health care or payment for health care, and sort of any piece of identifiable information that’s in that file,” Solove said. It doesn’t cover any health information shared with your employer or school, like if you turn in a sick note, but it does protect your doctor from sharing more details about your diagnosis if they call to verify.

A lot has changed in the nearly 30 years since HIPAA went into effect, though. The legislators behind HIPAA didn’t anticipate how much data we would be sharing about ourselves today, much of which can be considered personally identifiable. So, that information doesn’t fall under its scope. “When HIPAA was designed, nobody really anticipated what the world was going to look like,” Lee Tien, senior staff attorney at the Electronic Frontier Foundation said. It’s not badly designed, HIPAA just can’t keep up with the state we’re in today. “You're sharing data all the time with other people who are not doctors or who are not the insurance company,” said Tien.

Think of all the data collected about us on the daily that could provide insight into our health. Noom tracks your diet. Peloton knows your activity levels. Calm sees you when you’re sleeping. Medisafe knows your pill schedule. Betterhelp knows what mental health conditions you might have, and less than a year ago was banned by the FTC from disclosing that information to advertisers. The list goes on, and much of it can be used to sell dietary supplements or sleep aids or whatever else. “Health data could be almost limitless,” so if HIPAA didn’t have a limited scope of covered entities, the law would be limitless, too, Solove said.

Not to mention the amount of inferences that firms can make about our health based on other data. An infamous 2012 New York Times investigation detailed how just by someone’s online searches and purchases, Target can figure out that they’re pregnant. HIPAA may not protect your medical information from being viewed by law enforcement officers. Even without a warrant, cops can get your records just by saying that you’re a suspect (or victim) of a crime. Police have used pharmacies to gather medical data about suspects, but other types of data like location information can provide sensitive details, too. For example, it can show that you went to a specific clinic to receive care. Because of these inferences, laws like HIPAA won’t necessarily stop law enforcement from prosecuting someone based on their healthcare decision.

Today, state-specific laws crop up across the US to help target some of the health data privacy gaps that HIPAA doesn’t cover. This means going beyond just medical files and healthcare providers to encompass more of people’s health data footprint. It varies between states, like in California which provides options to charge anyone who negligently discloses medical information or some additional breach protections for consumers based in Pennsylvania, but Washington state recently passed a law specifically targeting HIPAA’s gaps.

Washington State’s My Health My Data Act, passed last year, aims to “protect personal health data that falls outside the ambit of the Health Insurance Portability and Accountability Act,” according to a press release from Washington’s Office of the Attorney General. Any entity that conducts business in the state of Washington and deals with personal information that identifies a consumer’s past, present or future physical or mental health status must comply with the act’s privacy protections. Those provisions include the right not to have your health data sold without your permission and having health data deleted via written request. Under this law, unlike HIPAA, an app tracking someone’s drug dosage and schedule or the inferences made by Target about pregnancy would be covered.

My Health My Data is still rolling out, so we’ll have to wait and see how the law impacts national health data privacy protections. Still, it’s already sparking copycat laws in states like Vermont.