Health information and privacy

Privacy, electronic health information, and the limits of HIPAA

Recently I read a thread on someone else’s Facebook page about the possibility that her health insurance company might have access to information from her fitness tracker. One commenter stated that it would be a HIPAA violation. It may be time to revisit what HIPAA does and does not do, given the recent increase in concern about medical information and privacy.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) has provisions that protect the privacy of health information. An apparently common misconception is that all health information is protected by HIPAA; in fact, whether HIPAA applies depends on who holds the information. HIPAA only applies to medical providers and others who have access to medical information as part of their jobs. It does not apply to anyone else. Of course, your own information is your own, to share as you choose, but social media and electronic tracking increase the possibilities for inadvertently and unintentionally sharing your information. Meanwhile, your information could be collected by an organization that appears to be a medical provider but is not, and therefore is not covered by HIPAA, such as the ones described in this frightening article about “pregnancy help clinics.”

For other examples of what HIPAA does and does not cover, see my blog post from last year about questions regarding vaccination status.

What steps can we take to protect our information? I am not particularly tech-savvy, but I did some sleuthing. Your devices may have privacy settings, but any third-party app (like a period tracker) can collect and sell your data. Sometimes you can ask the app not to track, and it is good practice to read the terms and conditions, in case you are agreeing to your data being used in ways you don’t want. Apparently, unused apps can still access your data. You can find more information here and here.

We now live in an age of “digital surveillance.” Everything we do on the internet is subject to observation and monetization. Even WebMD tracks and sells your data. Believing that HIPAA protects all health information produces a false sense of security.