Axios Vitals

April 06, 2023
Happy Thursday, Vitals readers. Today's newsletter is 1,190 words or a 4½-minute read.
1 big thing: HIPAA falls short in a digital world
Reports of a federal probe into hospital websites tracking and sharing personal data are putting the landmark HIPAA law in the spotlight — and exposing its limitations, Axios' Erin Brodwin and I report.
Why it matters: The Health Insurance Portability and Accountability Act is nearly three decades old. And the bewildering pace of technological change in the years since Congress passed it has left vast amounts of sensitive data being exchanged outside the scope of the law, threatening basic consumer privacy, experts tell Axios.
The big picture: HIPAA was designed at a different time and specifically for the data stored and shared by traditional health care organizations.
- But today, consumers may have their personal information stashed in a digital app, discussed in a social media group and monitored by a phone or wearable device. None of these is covered by HIPAA.
- Most consumers, moreover, don't distinguish between a message sent to a hospital patient portal (protected by HIPAA) and one sent over a digital health app (not protected).
"It's like cars before seat belts," Venrock partner Bob Kocher told Axios. "There was no direct-to-consumer health care when HIPAA was written."
Zoom in: In one example from a study published Monday that prompted the civil rights investigation, the vast majority of public-facing websites of hospitals — which do fall under HIPAA — allowed third-party companies to track data.
- "My working theory is that nobody thought about it too hard. This just kind of became standard practice," said Ari Friedman, lead author of the study. "That's how the web works."
- It can create real harm for patients, though, as any online activity is increasingly scooped up by AI-powered algorithms and used, for instance, to calculate risk scores used by employers or landlords, Friedman said.
- "Many people, including me, are worried about bad consequences — your employment is terminated or you’re charged higher rates for a product," says Harvard Law health law expert I. Glenn Cohen.
What's next: Private industry will likely need to develop mechanisms outside HIPAA to protect health data, says former chief privacy officer for the Office of the National Coordinator for Health IT Lucia Savage, who is now chief privacy officer at Omada Health.
- The HHS Office of Civil Rights (OCR), which oversees the law, is slow-moving when it comes to policymaking, she said.
- And legal precedent, including a 2009 lawsuit brought by the health IT company Ciox that prompted a weakening of some components of the privacy protection law, shows the limit of OCR's power.
- OCR "can't just say: 'We cover all health information.' They have authority in that box that is the health care system," said Savage.
What's happening: Standard Care CEO and former Enzyme vice president Ryan Stellar said he's attempting to create a platform that will enable users to share certain health data with specific health care vendors.
- He and his company are currently developing a system in which a user's specific permissions get logged in a kind of consent ledger that health care vendors would have access to.
- "In the long term we’d like health data privacy to be as implicit to the web as HTTP. Very sophisticated security standards that you don’t think twice about and use multiple times a day," Stellar says.
What to watch: The Federal Trade Commission has signaled plans to enforce privacy for health companies that fall outside HIPAA's jurisdiction, as it did with Better Help and GoodRx.
- There's also a federal data privacy bill introduced last year that is expected to be reintroduced in this Congress.
2. MA policy rule cracks down on deceptive marketing
Medicare Advantage and Medicare prescription drug plans will face more stringent marketing requirements next year, the Biden administration announced Wednesday, Axios' Maya Goldman writes.
Why it matters: Lawmakers have recently called on the Centers for Medicare and Medicaid Services to increase oversight of "deceptive" Medicare Advantage marketing tactics.
- Insurers told CMS in February that this could harm seniors and people with disabilities, and that too much regulation at once could lead to higher premiums and reduced benefits.
- But insurers did say they supported some CMS proposals to strengthen consumer protections.
Zoom out: The finalized marketing policies are part of a Biden administration push to rein in bad actors in the Medicare Advantage program.
- Last week, CMS finalized a change to Medicare Advantage payment that plans also claimed would raise premiums and reduce benefits – but the agency gave plans a major concession by phasing the payment changes in over three years.
The details: CMS is prohibiting ads that do not mention a specific plan name or that use words, imagery or Medicare logos in ways that could mislead or confuse beneficiaries.
- Insurance agents have to tell prospective enrollees how many plans are available from the organization they represent but have up to a year to re-contact beneficiaries to discuss plan options.
- CMS didn't finalize a requirement that would have blocked brokers and agents from being able to share enrollees' information with other entities.
Separately, the policy rule streamlines prior authorization requirements to discourage Medicare Advantage from using internal clinical criteria to restrict care.
- Plans have to adhere to published Medicare coverage determinations or widely accepted clinical criteria.
3. Free speech as the next health care fight
Idaho could be at the center of a free speech battle over abortion care, Axios' Sareen Habeshian and Oriana González write.
Driving the news: The American Civil Liberties Union announced Wednesday that it's suing the Idaho attorney general for "threatening health care providers who exercise their First Amendment right to give patients information about out-of-state abortion care."
Details: The suit is intended to stop state Attorney General Raúl Labrador from applying a legal opinion in which he states that Idaho law does not allow health care providers to refer patients out of state for abortion care or to prescribe abortion pills.
- The state has two abortion bans in place, a near-total trigger ban and a six-week ban, both of which have been allowed by the Idaho Supreme Court to remain in effect.
Don't forget: In the Supreme Court's decision to overturn Roe v. Wade, Justice Brett Kavanaugh wrote in his concurring opinion that a state could not prohibit a resident from going to another state to obtain an abortion "based on their constitutional right to interstate travel."
- The Supreme Court has previously held that a state does not have the authority to enforce its law beyond its borders, but legal experts say that in the post-Roe landscape, the high court could revisit that issue.
4. Data du jour: Insulin prices and biosimilars


While the price of insulin has soared 184% since 2012, the costs appear to have plateaued in the last few years, new data from the Health Care Costs Institute shows.
- Following a peak in the average price of $541 in 2019, prices decreased by 8% between 2019 and 2021.
What's happening: The entry of several biosimilars, HCCI says.
- The clinically similar but less costly versions of insulin had prices between 21% and 67% less than the original biologic, per HCCI data.
5. Catch up quick
🍸 Moderate drinking has no health benefits, analysis of decades of research finds. (New York Times)
💉 These drugs are so futuristic that doctors need new training. (Wall Street Journal)
📄 Doctors are drowning in paperwork. Some companies claim AI can help. (NPR)
Thanks for reading, and thanks to senior health care editor Adriel Bettelheim and senior copy editor Bryan McBournie for the edits.

Healthcare policy and business analysis from Tina Reed, Maya Goldman, and Caitlin Owens.


