Privacy is at risk as HIPAA fails to keep pace with digital health

Context: The private push comes amid a new investigation into third-party tracking software used by most hospitals by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services.

Catch up quick: This week, a University of Pennsylvania study in Health Affairs found nearly 99% of hospital websites allowed third-party tracking software, a threat the office had previously warned health organizations about. That prompted OCR to promise a new investigation.

The big picture: iPhones were still 11 years away when Congress passed HIPAA. But it hasn't been substantially modified since, and the bewildering pace of technological change has left vast amounts of sensitive data outside the scope of the law, threatening basic consumer privacy.

• AI-powered algorithms gather data from consumer social media activity, web searches, and phone use to calculate risk scores for employment or home financing, and Health Affairs study author Ari Friedman tells Axios it’s not a stretch to assume health data is swept up with it.
• "Many people including me are worried about bad consequences — your employment is terminated or you’re charged higher rates for a product," says I. Glenn Cohen, the director of Harvard Law's Petrie-Flom Center for Health Law Policy.

The intrigue: "It really goes back to ‘What information can be used against a person in ... ways that cause real harm?'” says Andrea Downing, who helped start a vulnerability research organization in the wake of the Cambridge Analytica scandal.

• Last fall, law enforcement used Facebook chats between a mother and daughter to charge the two with three felonies.

• In 2021 and 2023, regulators fined Flo, GoodRx, and BetterHelp for allegedly sharing users’ sensitive health data with tech companies — including Facebook and Google — despite promising to keep such information private.
• Online alcohol recovery startups Monument and Tempest on Tuesday were reported to have shared the personal data of some 100,000 patients with advertisers without their consent.

What they're saying: "People think of HIPAA as the federal government protecting my health care. What it actually is is an umbrella made of concrete with gaping holes in it," says Standard Care CEO Ryan Stellar.

• For example, the law fails to contemplate smartphone-based health care apps and digital health websites. "It's like cars before seat belts," Venrock partner Bob Kocher says.
• And most consumers don't distinguish between a message they sent to their hospital provider (within a HIPAA-protected EHR portal) and one sent over a digital health app (and thus not protected by HIPAA).
• "If we sequence you[r DNA] and find you have a high risk of diabetes or heart disease or cancer — or you have mental health issues or infertility, you don’t want that out there for people to buy or know," says Kocher.

Be smart: HIPAA's scope is narrower than many realize and only protects data shared inside a doctor's office or official health system portal.

• "Health data is living in all sorts of apps that aren’t under HIPAA jurisdiction," says Stellar.
• Social media and large tech companies are not HIPAA-covered entities, yet they hold personal health information that can jeopardize patients if breached, Downing says.

What's next: Private industry will likely need to develop mechanisms outside HIPAA to protect health data, says Lucia Savage, Omada Health's chief privacy officer and the former chief privacy officer for the Office of the National Coordinator for Health IT.

• OCR, the agency that oversees the law, is relatively slow-moving when it comes to policymaking.
• Legal precedent, including a 2009 lawsuit brought by the health care IT company Ciox against OCR that saw the agency weaken some components of the privacy protection law, show the limit of the agency's power.
• OCR "can’t just say, 'We cover all health information.' They have authority in that box that is the health care system," Savage says.
• Most of the penalties involved in violating health data privacy have seen small fines levied on wealthy companies. "You need to make these criminal violations, not civil ones," suggests Venrock's Kocher.

Yes, but: While several startups — including Stellar's — are working on various approaches to boost consumer protections, sources interviewed for this story questioned the capacity of such endeavors to initiate substantive change in the absence of real financial and legal incentives.

• "For the most part, all the major attempts to fix HIPAA have not really come to fruition, nor has there been real interest in a major data privacy law like we’ve seen in Europe," says Harvard's Cohen.

What's happening: Standard Care's Stellar is attempting to create a platform that will enable users to share specific health data with specific health care vendors.

• He and his company are developing a system wherein a user's specific permissions get logged in a kind of consent ledger that health care vendors would have access to.
• "In the long term, we’d like health data privacy to be as implicit to the web as HTTP. Very sophisticated security standards that you don’t think twice about and use multiple times a day," Stellar says.

What to watch: How the FTC enforces privacy for health companies that fall outside HIPAA's jurisdiction, as it did with Better Help and GoodRx. There's also a federal data privacy bill introduced last year that is expected to be reintroduced in this Congress.

• "This conversation is happening, it’s just happening in silos," says Stellar.

What HIPAA does and doesn't do

"There should be similar baseline [privacy] protections for the consumer health space and the HIPAA space," says Omada's Savage, "because consumers move back and forth freely without knowing the difference."

Why it matters: While far from perfect, HIPAA does permit the kinds of data-sharing that experts deem critical to interoperability and patient care, Lauren Riplinger, AHIMA's chief public policy and impact officer, tells Axios.

• Goodwin life science partner Roger Cohen agrees: "It's a pretty flexible standard. Generally, it lets you do what you need to do without getting bogged down too much."
• "The thing I’d say about HIPAA is I've never not found an answer about how to do this right," says Savage. "I’ve always been able to open the book and say here’s what we need to do."
• Riplinger also says it's important to recognize that consumers have different preferences for what data is protected and when, and any new legislation would need to carefully balance that.
• "We have to recognize privacy is on a spectrum," says Riplinger. "There are folks that feel really strongly about how their data is protected. Others feel like, 'Well, maybe I want to share some things but I don't want to share others.' Figuring out what that right fit is takes time."

Yes, but: Though the legal path to improving HIPAA is unclear, there are some key areas in which the law can and should be strengthened sources say.

• Clarifying how the law applies when people visit condition-specific websites, such as an online therapy site, without first verifying their identity.
• Shortening turnaround times for data exchange so they can occur in real time, rather than the current 24-hour standard.
• Letting users grant permission to parties of their choosing to access specific and limited data, rather than opting in or being defaulted to broad data-sharing.
• Making violations of the law criminal rather than civil and increasing the fines associated with such violations.