What Journalists Need to Know about Healthcare Privacy
Program Date: Nov. 30, 2022

HIPAA turns 20 this year, and while it remains “the single most important element of healthcare privacy law,” according to WilmerHale lawyer Kirk Nahra, “the most interesting part of healthcare privacy law at this point in time is what’s not subject to HIPAA.”

Nahra briefed NPF data privacy fellows on what they should know as tech journalists about the complexities of HIPAA. [Transcript | Video]

The P is Not for Privacy

The Health Insurance Portability and Accountability Act was established so people with preexisting medical conditions could get insurance even if they changed employers – hence “portability” – said Nahra.

Congress also wanted doctors and insurers to use standard forms. “The idea was, be more efficient, save money, be more accurate – great, still aren’t at privacy,” Nahra said. “Then Congress basically said, we’re going to make all this information electronic and you can send it at the push of a button. Maybe we should think about privacy and security.”

But Congress never made a healthcare privacy law, so the onus fell to the Department of Health and Human Services to write a regulation. Who was covered was defined “not by privacy, not by security, but by the entities that were involved in portability and standard electronic transaction,” Nahra said. “Life insurers have tons of healthcare information about their customers … [but] because you don’t take your life insurance with you from one employer to the next, life insurers aren’t allowed to be subject to these privacy rules.” The same applies to workers’ compensation, disability, auto insurance, and even doctors and other healthcare providers if they don’t submit claims to health insurance companies since that would mean they are not using the standard electronic transaction.

“It makes no sense whatsoever from a consumer perspective to say that your privacy rights depend on how your doctor bills. But that’s what we’re stuck with,” Nahra said.

What HIPAA Doesn’t Cover

When people complain on social media “usually in large capital letters about a violation of their HIPAA rights, usually misspelling HIPAA,” they’re usually incorrect about it having to do with HIPAA, Nahra said.

HIPAA-covered entities include health insurers, healthcare providers (doctors, hospitals, pharmacies) and “business associates,” such as vendors used by hospitals.

What’s not subject to HIPAA may surprise you, including pharmaceutical companies, employers and universities.

“When you have an accident at work, when you have a Family Medical Leave Act claim, when you have a doctor’s note for why you missed work, none of that is covered by the HIPAA rules,” Nahra said.

When it comes to employers interested in an employee’s health or habits, some people mistake that for a HIPAA violation when in fact it is more likely a discrimination issue.

“I can’t ask you today if you’re pregnant or you’re interested in being pregnant – not a Dobbs issue,” he said. “There’s lots of discrimination issues, but they’re not privacy issues and they’re certainly not HIPAA issues.”

Even student health clinics generally are not covered because they do not submit claims to insurance. Instead, the Federal Educational Records and Privacy Act (FERPA) comes into play. In several cases, universities were sued because they obtained records of students’ sexual assaults from campus health clinics – information that would have been protected by HIPAA if the student had been treated at the local hospital instead.

What’s outside HIPAA is an “exploding” issue, Nahra said. It includes websites and apps like WebMD, devices like the Apple Watch, personal health record systems for consumers, and patient support groups (whether on Facebook or in person). None of that is covered by HIPAA because the individual is in control, Nahra said.

“As technology and medical devices get more sophisticated, some of them meet the definitions of healthcare providers, but it’s only healthcare providers who submit standard electronic transactions” with insurers that are subject to HIPAA rules, he said.

Personal Privacy vs. Public Interest

In creating HIPAA, HHS didn’t just want to protect individuals; it wanted to protect the efficiency and efficacy of the healthcare system. For instance, if someone comes to the hospital with Ebola, it would be dangerous if the hospital had to ask the patient’s permission to inform public health authorities, Nahra said.

HIPAA rules also have a standard for de-identifying information to allow for medical research.

If you say “no data of mine can ever be used for research without my specific permission in a specific example … that gives you more protections as a consumer that may not really be any benefit to you and [would be] a detriment to society,” Nahra said. “There’s a public interest in medical research … even if it’s not specific to your information or your current situation.”

HIPAA also has a provision that allows a health provider to disclose information related to certain types of criminal activity.

This is now complicated by the Supreme Court’s Dobbs decision.

“The example that I’ve used prior to Dobbs was a patient assaulting a nurse. You don’t want the privacy rules to get in the way of being able to report the patient who assaults the nurse. That same provision might now be used by someone in the hospital to report somebody who’s getting an abortion that might be illegal in the state,” Nahra said.

Though HIPAA is well-established law, it remains a complicated arena.

“The current state of U.S. privacy law today is bad for consumers, mostly bad for businesses and only good for me – but lawyer job security is not a public policy goal,” Nahra quipped.


This program was sponsored by Arnold Ventures and Medtronic. NPF is solely responsible for the content.

Kirk J. Nahra
Co-Chair, Cybersecurity and Privacy Practice, WilmerHale
Transcript: What HIPAA Covers – And What It Doesn’t