Insufficient Protection: Why Relying on HIPAA Alone Falls Short in Safeguarding Your Health Data
Despite the extensive HIPAA training that physicians and healthcare workers undergo, the regulation may not provide adequate protection for patients' health data. While HIPAA requires strict compliance with its rules and imposes harsh penalties for violations, it falls short in safeguarding overall health information privacy from a patient's standpoint. This is due to the emergence of advanced technologies, such as artificial intelligence and big data analytics, which were not prevalent when HIPAA's privacy provisions were enacted in 2002. Additionally, the business model of surveillance capitalism, which involves gathering detailed user profiles to support ad targeting, has further exacerbated the issue. As a result, HIPAA's definition of covered entities, the de-identification loophole, and the focus on disclosures rather than the downstream uses of data have made the regulation increasingly weak over time.
The case of Target in 2012 gained national attention when the retailer unknowingly revealed a teenage girl's pregnancy to her parents through the targeted mailing of baby supply coupons based on the analysis of her shopping patterns. This incident raises concerns about the protection of health information under HIPAA. Despite pregnancy being a health condition, HIPAA only regulates the disclosure of personal health information by healthcare organizations, health workers, health insurers, and insurance claim clearinghouses, collectively known as covered entities. This means that non-covered entities, including retail stores like Target, pharmaceutical companies, social media platforms, and web-based health information companies, are not subject to HIPAA regulations if they obtain personal health data through sources other than traditional medical records. As a result, HIPAA doesn't provide adequate protection for individuals' health information in the modern era where personal data can be collected from a variety of sources beyond traditional medical records.
The second significant weakness of HIPAA is the de-identification loophole. Once certain personal identifiers such as names, dates, and locations are removed from clinical data, the data is no longer subject to HIPAA regulations and can be legally shared or sold to other organizations. This has resulted in the emergence of a data broker industry that purchases de-identified medical records from hospitals and commercial laboratories, and then resells them to pharmaceutical companies and other customers. As a researcher, I have personally utilized de-identified health data for some of my academic projects. However, the lack of regulation around de-identified data creates opportunities for third-party companies to access and use sensitive health information without patients' knowledge or consent.
De-identification of personal health information presents a problem, as it merely gives the appearance of anonymity without actually providing it. If a de-identified data set is cross-referenced against other data sets containing information about the same individuals, it is often possible to re-identify those individuals. Additionally, probabilistic methods can increase the chances of successful re-identification, even if the matches aren't entirely reliable, allowing companies to achieve their business goals, such as targeted advertising. This risk of re-identification isn't just theoretical; a recent investigation by Stat News revealed that a health care data broker, Truven Health Analytics, and a contract research organization, Quintiles, had successfully linked millions of patients' de-identified medical records (obtained from MedicaLogic, a General Electric subsidiary) with an insurance claim database, resulting in a reported accuracy rate of 95 percent. Therefore, HIPAA's current regulations on de-identification fail to ensure adequate privacy protection for individuals' health information.
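A release-time check for the linkage risk described above, added here as an example and not taken from the article: it counts how many records share each combination of the fields that survive de-identification (the "k" of k-anonymity), then generalizes and suppresses records before release so that no record is unique on those fields. The sample records, field names and thresholds are constructed for illustration.

```python
from collections import Counter

# Constructed sample of "de-identified" records (names, dates and street
# addresses already removed); no real patients. The fields that remain
# (zip, age, sex) still act as quasi-identifiers that another dataset
# holding the same fields plus a name could be joined on.
RECORDS = [
    {"zip": "02139", "age": 34, "sex": "F", "dx": "pregnancy"},
    {"zip": "02139", "age": 36, "sex": "F", "dx": "asthma"},
    {"zip": "02140", "age": 34, "sex": "M", "dx": "diabetes"},
    {"zip": "02141", "age": 71, "sex": "F", "dx": "hypertension"},
    {"zip": "02139", "age": 35, "sex": "M", "dx": "asthma"},
    {"zip": "02140", "age": 38, "sex": "M", "dx": "influenza"},
]
QUASI_IDS = ("zip", "age", "sex")

def _key(record, keys):
    return tuple(record[k] for k in keys)

def equivalence_classes(records, keys=QUASI_IDS):
    """Map each quasi-identifier combination to the number of records sharing it."""
    return Counter(_key(r, keys) for r in records)

def min_k(records, keys=QUASI_IDS):
    """Smallest class size. k == 1 means at least one record is unique on the
    quasi-identifiers, i.e. the release offers only the appearance of anonymity."""
    return min(equivalence_classes(records, keys).values())

def generalize(record, zip_digits=3, age_bucket=10):
    """Coarsen quasi-identifiers (ZIP prefix, age range) so records look alike."""
    g = dict(record)
    g["zip"] = record["zip"][:zip_digits] + "*" * (5 - zip_digits)
    lo = (record["age"] // age_bucket) * age_bucket
    g["age"] = f"{lo}-{lo + age_bucket - 1}"
    return g

def k_anonymize(records, k, keys=QUASI_IDS):
    """Generalize, then suppress any record still in a class smaller than k.
    Every class in the returned list has at least k members."""
    generalized = [generalize(r) for r in records]
    classes = equivalence_classes(generalized, keys)
    return [r for r in generalized if classes[_key(r, keys)] >= k]

if __name__ == "__main__":
    print("raw min k:", min_k(RECORDS))            # 1: every raw record is unique
    released = k_anonymize(RECORDS, k=2)
    print("released:", len(released), "min k:", min_k(released))  # 5 records, k = 2
```

The 71-year-old is still unique after generalization and is suppressed rather than released; in a real pipeline that outlier rate is itself a figure worth reporting before the data leaves the covered entity.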
The third issue with HIPAA is that, although it penalizes certain kinds of inappropriate disclosure, it does not distinguish between different downstream uses of the data once disclosed. For instance, while some individuals may be comfortable with their health data being used for academic research, they may not be comfortable with its use for commercial purposes such as targeted advertising. Furthermore, more malicious uses of health data, such as employment or insurance plan discrimination, are becoming increasingly feasible and difficult to detect. Given this potential for harm, privacy laws should heavily restrict commercial uses of health data. However, in the U.S., commercial uses of health data are actually less regulated than academic research uses because the latter are subject to separate federal laws governing human subjects research. This lack of regulation around commercial uses of health data is concerning, given the ease with which causation can be concealed within artificial intelligence algorithms, and the potential for such data to be used for nefarious purposes.
It is evident that health privacy laws need to be modernized to provide adequate protection for individuals' health information. Doing so may bring additional benefits beyond individual privacy, including increased trust in health data aggregation for academic and public health purposes. For instance, during the COVID-19 pandemic in 2020, the fragmented U.S. health care system struggled to gather reliable statistics on infections and therapeutic outcomes. In contrast, the United Kingdom, which has national health identity numbers and central health data aggregation, was able to provide much better data despite having only a fifth of the U.S. population. The U.K.'s implementation of the European Union's General Data Protection Regulation through the Data Protection Act of 2018 has provided strong data privacy protections that have allowed for sustainable public data aggregation in a democracy. Therefore, modernizing health privacy laws is critical to improving public trust in health data aggregation and facilitating better public health outcomes.
Health care data contains some of the most sensitive and private details of individuals' lives. Americans rightfully expect and deserve laws that prioritize controlling the release and use of personal health information in the hands of patients, rather than corporations or other entities. Protecting individuals' health information from unauthorized disclosure or misuse is critical to maintaining the trust of patients in the healthcare system and enabling them to make informed decisions about their care. Therefore, it is essential to establish and enforce regulations that prioritize individuals' privacy and security rights over the interests of corporations or other entities that may seek to exploit their health information for profit or other purposes.