If you think HIPAA means your health data is completely protected, think again
The United States has a long history of passing laws to protect consumers and their personal information. The Fair Credit Reporting Act was passed in 1970 to ensure fairness, accuracy and privacy for personal consumer data at credit reporting agencies. The Family Educational Rights and Privacy Act was passed in 1974 to protect the privacy of student educational records. The Children’s Online Privacy Protection Act was passed in 1998 to protect the personal information of children under the age of 13 online. And these are only a few examples.
However, in an age of rapidly changing technology, these sectoral laws are leaving gaps in consumer protection that are only getting bigger. New products and services are being developed every day that require access to sensitive personal information, yet are not covered by existing sectoral privacy laws.
Take the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is a federal law that prohibits medical providers (that charge health plans), health care clearinghouses, and health plans from sharing personal health data with unauthorized third parties or using health data for an unauthorized purpose. Health data is some of the most sensitive personal data, and HIPAA was the first step in protecting consumers from having this data shared inappropriately or exploited as they moved through the health care system.
However, HIPAA does not apply to websites or mobile apps that collect health information but, because they do not charge health care plans, are not covered by the law. This gap deserves attention as Americans increasingly use these direct to consumer technologies, such as apps and wearable devices, to track their health data and assess their physical and mental wellbeing.
Importantly, these new offerings provide numerous benefits to consumers that should be preserved. Consumers should also have confidence that the health information collected about them won’t be misused. It’s a 21st century problem, requiring 21st century solutions.
A comprehensive federal privacy bill should not override existing laws, but fill in the gaps where technology and new consumer offerings have outpaced existing protections offered under laws like HIPAA. Our framework takes a comprehensive approach to privacy legislation that would set clear rules about how companies can collect and use data, including by requiring companies to obtain a consumer’s express consent before collecting or using health data and other classes of sensitive information.
We believe Americans’ personal information – especially their most sensitive data – deserves protections that are far broader and stronger than those that exist today. And we believe that Congress needs to act expeditiously to consider and pass comprehensive legislation that would deliver those consumer protections. Passing such a law is the natural next step in the United States’ long history of protecting consumers and their data from being harmed or misused.
You can read more about our proposed approach to this legislation here.