Health Data Exposed: Gaps in US Privacy Law and Regulation
Many recent stories have underscored that health data is insufficiently protected in the United States. Here's what to know.
Multiple recent stories have underscored that US citizens’ health data is insufficiently protected, due to many gaps in United States health privacy law and regulation that companies exploit. Here’s what to know about the issue. Brought to you by Global Cyber Strategies, a Washington, DC-based research and advisory firm.
The One-Liner
The Health Insurance Portability and Accountability Act (HIPAA), often referred to as the US’ health privacy law, was passed in 1996 and has numerous gaps around the collection, sharing, and selling of health data (even identified health data), including by many websites and mobile apps.
Huge Gaps in US Health Privacy Law and Regulation
Many Americans might assume that all of their health data is protected wherever it goes and whoever holds it, but that is unfortunately false. There are many gaps in the US legal and regulatory structure for safeguarding health data, as underscored by several recent government actions and reports. For example:
On February 1, 2023, the US Federal Trade Commission (FTC) announced an enforcement action against telehealth and prescription drug discount company GoodRx, in part for sharing consumers’ health data with Facebook, Google, and other companies, without proper disclosure.
On March 2, 2023, the FTC announced a proposed order banning BetterHelp, the online counseling services company, from sharing consumers’ health (including mental health) data for advertising purposes.
And a recent report from the data brokerage research project I run at Duke University’s Sanford School of Public Policy highlighted that Americans’ mental health data, including clearly identified data, is for sale on the open market, covering conditions such as depression, anxiety, PTSD, bipolar disorder, and more. (For the quick-hit summary of former student Joanne Kim’s report, check out the opening of the document — and see my interview on PBS NewsHour about Joanne’s research and why this all matters.)
I wrote about these issues of health data brokerage, FTC enforcement, and HIPAA limits in an article for Lawfare last week. As I put it:
HIPAA and its requirements apply only to certain covered entities. That list of covered entities is composed of health care providers, health plans, and health care clearinghouses, which process or facilitate the processing of health information or transactions from one entity to another. It also includes covered entities’ business associates that perform covered functions (like a company handling health data for a hospital). HIPAA’s covered entities list does not include websites or apps developed by third parties with no links to a covered entity—even when those websites and apps collect and use health data. It does not include social media platforms. It also does not include data brokers or advertising technology companies. This means that the protections within HIPAA and its associated regulations do not apply to a wide range of companies that are collecting, analyzing, aggregating, and sharing or selling health data.
In the GoodRx case, for instance, it was not illegal per se for GoodRx to collect and then share (or sell) health data concerning US persons. The FTC took action primarily because GoodRx displayed a “HIPAA-compliant” seal on its website (when GoodRx is not a HIPAA-covered entity, and no official HIPAA compliance certification or seal exists), and because it did not properly notify consumers that it was sharing their health data.
The absence of laws and regulations that outright ban this practice creates many risks for people in the United States, whose information companies collect, share, and sell:
The lack of legal and regulatory controls around the commercial collection, selling, and sharing of health data creates numerous privacy risks, including vis-a-vis data related to mental illnesses, chronic health conditions, pregnancy, trauma, and drug prescriptions. Health insurance companies buy data from the data brokerage ecosystem—including data on a person’s race, educational level, marital status, and net worth—to profile consumers and, apparently, to make determinations about insurance pricing. Law enforcement can buy this data without a warrant. For-profit entities and malicious individuals can surveil and target people seeking access to reproductive health care without their knowledge. Data about individuals taking antidepressants, veterans suffering from post-traumatic stress disorder, and people with Alzheimer’s and dementia is likewise available for purchase on the open market.
Check out the full Lawfare article for more of my thoughts on specific legislative proposals that could address most or some of this ecosystem, including the 2022 Health and Location Data Protection Act and the 2022 American Data Privacy and Protection Act (ADPPA). (The former is strong on regulating data brokerage; the latter is weak.)
As I conclude, policymakers need to understand just how many first-party collectors of health data are involved in sharing or selling that data, including to data brokers:
Congress needs to act, and some of the currently proposed measures—such as ADPPA and other bills that take the broken consumer “consent” approach to data collection—fail to appropriately address the privacy issues and consumer harms associated with the data brokerage ecosystem. Policymakers must start with understanding the pervasiveness of the brokerage of Americans’ health data and the range of documented and looming harms. Then, they must realize why overlooking first-party data collection, to focus just on third parties, fails to regulate the way that so many Americans’ mental health conditions, drug prescriptions, chronic health conditions, trauma, pregnancy, and other health data is made available for sale in the first place.
Subscribe for more public insights, and reach out on Global Cyber Strategies’ website for a range of custom-tailored research and advisory services.
—
© 2023 Global Cyber Strategies LLC.