Why HIPAA isn’t enough to protect your health data

Brian R. Jackson, MD
Policy
April 27, 2023

After all the hours spent in HIPAA training over the years, physicians and other health care workers might think of HIPAA as a powerful regulation. It’s true that HIPAA does require health care workers to follow a number of rules, with pretty harsh penalties for violations. But from a patient’s perspective, how well does U.S. law protect overall health information privacy? Unfortunately, not very well, and things are getting worse.

The privacy provisions of HIPAA were enacted in 2002. Back then, most individuals’ health care data still took the form of paper-based medical records maintained by hospitals and clinics. Artificial intelligence and large-scale “Big data” analytic techniques had yet to emerge in their modern forms. Surveillance capitalism, the business model by which technology companies compile detailed profiles of their users to support ad targeting, was just getting started. So it was understandable that HIPAA was written to address the privacy risks of that earlier era rather than the risks that exist today. Three glaring deficiencies make HIPAA increasingly weak: the definition of covered entities, the de-identification loophole, and the focus on disclosures rather than the downstream uses of data.

In 2012, the retailer Target found itself in the national press for inadvertently outing a teenage girl to her parents as being pregnant. Target (more specifically, the software determining which customers to mail baby supply coupons to) had acquired knowledge of the pregnancy not by obtaining the girl’s medical records, but rather through analysis of her shopping patterns. Still, pregnancy is undeniably a health condition, and one for which someone might expect protection under HIPAA. But they would be disappointed. HIPAA only regulates the release of personal health information by health care workers and organizations, as well as health insurers and insurance claim clearinghouses, which are collectively referred to as covered entities. When non-covered entities such as Target, or pharmaceutical companies, or social media giants, or even many web-based health information companies, are able to obtain personal health data through sources other than traditional medical records, HIPAA doesn’t apply to them.

HIPAA’s second glaring weakness is the de-identification loophole. When certain identifiers such as names, dates, and locations are removed from a collection of clinical data, that data is no longer considered subject to HIPAA and can be legally shared or even sold to other organizations. (Disclosure: I’ve used de-identified health data in some of my own academic research projects.) There is also a large data broker industry that purchases de-identified medical records from hospitals and commercial laboratories, and then resells them to pharmaceutical companies and other customers.

The problem with de-identification is that while it creates the appearance of anonymity, it doesn’t actually make the data anonymous. If you take a de-identified data set and cross-reference it against other data sets containing information about those same individuals, it is often possible to re-identify the people in the first data set. Probabilistic methods add additional power, and matches don’t need to be 100 percent reliable to serve business goals such as targeted advertising. Re-identification of previously de-identified medical records isn’t just a theoretical risk. A recent investigation by Stat News found that Quintiles, a contract research organization, and Truven Health Analytics, a health care data broker, had successfully linked the de-identified medical records from millions of patients (obtained from MedicaLogic, then a subsidiary of General Electric) with an insurance claim database. This allowed re-identification with a reported accuracy rate of 95 percent.
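A data custodian can measure this exposure before a release by counting how many records share each combination of the attributes an outside party could plausibly hold (a k-anonymity audit). The sketch below is an added example, not part of the original article; the field names, records and the `k_min` threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample of a "de-identified" release: names, dates and addresses
# are gone, but quasi-identifiers remain. All field names are assumptions.
RELEASE = [
    {"age_band": "30-39", "sex": "F", "region": "West", "dx": "O09"},
    {"age_band": "30-39", "sex": "F", "region": "West", "dx": "E11"},
    {"age_band": "30-39", "sex": "F", "region": "West", "dx": "J45"},
    {"age_band": "60-69", "sex": "M", "region": "West", "dx": "I10"},
    {"age_band": "60-69", "sex": "M", "region": "West", "dx": "E11"},
    {"age_band": "80-89", "sex": "F", "region": "South", "dx": "C50"},
    {"age_band": "40-49", "sex": "M", "region": "South", "dx": "F32"},
    {"age_band": "40-49", "sex": "M", "region": "South", "dx": "I10"},
]

def audit(records, quasi_ids, k_min=3):
    """Return k-anonymity metrics for a release over the given columns."""
    def key(rec):
        return tuple(rec[q] for q in quasi_ids)

    # Size of each equivalence class: records indistinguishable on quasi_ids.
    sizes = Counter(key(r) for r in records)
    return {
        # Smallest class size; k == 1 means someone is unique in the release.
        "k": min(sizes.values()),
        "unique_records": sum(1 for n in sizes.values() if n == 1),
        # Each record's match probability is 1/class size; the mean of that
        # over all records equals (number of classes) / (number of records).
        "avg_risk": len(sizes) / len(records),
        "max_risk": 1 / min(sizes.values()),
        # Records that would need suppression or coarsening to reach k_min.
        "below_k_min": sum(n for n in sizes.values() if n < k_min),
    }

if __name__ == "__main__":
    demographics = ("age_band", "sex", "region")
    print("demographics only:", audit(RELEASE, demographics))
    # If the other party also holds diagnoses (for example, a claims file),
    # the clinical column itself becomes a quasi-identifier.
    print("with diagnosis:   ", audit(RELEASE, demographics + ("dx",)))
```

In this sample the average match probability is 0.5 on demographics alone and 1.0 once the diagnosis column is treated as linkable, which is why the choice of quasi-identifiers has to reflect what a recipient could already know.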

The third problem with HIPAA is that while it penalizes certain types of inappropriate data sharing, it doesn’t do a good job distinguishing between different types of subsequent data uses. More people are comfortable with their data being used for academic research, for example, than for commercial uses such as targeted advertising. More nefarious uses, such as for employment or insurance plan discrimination, have become increasingly technically feasible and challenging to detect. Because of this potential for harm, combined with the relative ease of concealing causation within artificial intelligence algorithms, privacy law ought to have particularly strong restrictions on commercial uses of health data. Instead, commercial uses are actually less heavily regulated in the U.S. than academic research uses, because the latter are at least subject to a separate set of federal laws governing human subjects research.

Clearly, health privacy law needs to be modernized. Modernizing may bring additional benefits beyond individual privacy. If the public trusts that their health data won’t be misused, they might be more open to health data aggregation for academic and public health purposes. Consider 2020, for example, when the fragmented U.S. health care system struggled to gather reliable statistics on COVID-19 infections and therapeutic outcomes. Much better data were coming out of the United Kingdom during that time, despite the U.K. having only a fifth as many people. The U.K. has national health identity numbers (which the U.S. has banned due to privacy concerns) and central health data aggregation. It also has the Data Protection Act of 2018 (the U.K. implementation of the European Union’s General Data Protection Regulation). In a democracy, public data aggregation is only sustainable with strong data privacy protections such as these.

Health care data includes the most private details of our lives. Americans want and deserve laws that put control of PHI in patients’ hands, not corporations’.

Brian R. Jackson is a pathologist.
