By Shreya Kapoor, LL.M. 2023
The Health Insurance Portability and Accountability Act (hereinafter referred to as ‘HIPAA’) was enacted on August 2, 1996 with the aim of protecting sensitive patient health information from non-consensual disclosure.1 In more recent years, the technologization of healthcare has increased convenience for providers and patients but also added urgency to the need to ensure the security of sensitive medical information.
Challenges with HIPAA
HIPAA aims to protect health information, but in practice the healthcare industry has faced challenges determining what exactly HIPAA requires and, more importantly, what is effective and sufficient to protect patient data.
One of the primary challenges is de-identification of sensitive data, which HIPAA requires. As defined in HIPAA, de-identification of data means cleansing health data so that it cannot directly identify an individual nor can the dataset create any reasonable basis to identify an individual.2 In effect, identifiers such as name, birth date, age, social security number, etc., are removed from the data to maintain anonymity and protect the privacy of the individual. Per HIPAA’s implementation specifications, there are two general approaches to information de-identification. First, an entity covered under HIPAA can remove all standard identifiers of an individual so that no actual knowledge used to identify an individual remains. Alternatively, entities can consult an expert who helps design a strategy for compliance with HIPAA’s de-identification standard.3 The expert must have appropriate knowledge of and experience with universally accepted statistical and scientific principles for rendering information not individually identifiable.4 This is called the ‘Expert Determination Method.’
Unfortunately, under both approaches, a high possibility of re-identification exists. This is called data-triangulation. After data-triangulation, the re-identified data again becomes subject to HIPAA, creating a cycle that makes compliance and effective protection of patient data challenging and inconsistent. In short, HIPAA’s de-identification requirements may not be sufficient to protect sensitive patient data.
In 2017, Google ran into these very issues. Google attempted to design an electronic healthcare record system that would predict a patient’s future adverse health events. To develop the predictive program, Google entered into a partnership with the University of Chicago. The University shared five years’ worth of ‘de-identified’ medical information with Google without the consent of its patients. Google and the University were subsequently sued for the use of the data in Dinerstein v. Google.5 Plaintiffs argued that the information shared between the University and Google could easily be re-identified and hence, the patient’s consent was necessary for its release. The court, however, focused on HIPAA’s explicit exemption for research purposes, which allows sharing of information to the extent that the identifiers are removed. Accordingly, the court held in favor of Google. The mere assumption that the information could be re-identified was not enough to hold Google or the University liable.6 In this way, HIPAA may not adequately protect sensitive patient data as innovation increases.
Due to the high risk of data re-identification, we might expect litigation against companies innovating in the healthcare realm to be common. However, besides Dinerstein, this space has not seen many other lawsuits. This may be because technology companies have learned from Google and the University of Chicago’s costly legal battle, or because patients are not aware of how their medical data may be used under HIPAA.
A second major issue with HIPAA is the lack of clarity regarding its applicability, in particular, determining whether an entity is covered. The law is applicable to health information generated by ‘covered entities’ (such as doctors, clinics, nursing homes, pharmacies, etc.) or its ‘business associates’ (such as insurance companies). Entities whose primary business is not related to healthcare are not included within either of the definitions. For instance, Apple may not be included despite having a health application, a menstrual tracking feature. Hence, HIPAA fails to understand that healthcare information is not only a subject matter for healthcare companies but also non-healthcare companies, who do have full access to the sensitive data.
Conclusion
Congress should consider amending HIPAA to fully protect sensitive healthcare data in the context of new healthcare technology and existing and forthcoming privacy laws. The recent Dobbs decision overruling Roe v. Wade highlights the increasing stakes associated with a patient’s sensitive healthcare data landing in the hands of another party without their consent. In amending HIPAA, Congress should focus on two areas of improvement. First, lawmakers should consult experts to improve HIPAA’s recommended de-identification processes so that sensitive health information cannot be easily re-identified. Dinerstein shows that without clearer standards for data de-identification, research and innovation will likely come at the cost of patients’ privacy. Second, Congress should expand the definition of covered entities and business associates to include non-healthcare entities, such as Amazon, Meta, and Apple. This is imperative because these companies have access to sensitive health information of almost every individual.7 With every new phone and app update, users are encouraged to track and thus provide more and more of their health information. Such tracking of health information requires protection, which is why these apps should fall under HIPAA’s scope.
