[Readers who are familiar with HIPAA can skip to the tweets below.]
Recently there’s been a lot of discussion about how the 1996 HIPAA law, whose regulations govern health data privacy (and access), is not sufficient for today’s world of apps and digital everything. For instance, the regs say docs & hospitals generally have to be careful with your medical records – but apps and wearables like Fitbits didn’t exist at the time, so HIPAA says nothing about what apps learn about you, nor what such companies do with it. Same for sites like Facebook and Amazon’s ever-listening Alexa. So everyone in the field agrees HIPAA needs to be replaced.
But meanwhile, something came to light last night that was a big surprise to many of us, though experts knew it: HIPAA doesn’t necessarily protect health data from all your care providers – only those who bill the government electronically! Here’s what we saw on the HISTalk site:
You aren’t a Covered Entity (covered by HIPAA) if you don’t bill electronically?? HIPAA regulations only govern so-called Covered Entities, a legalese term that defines which entities are covered (duh). Evidently, if they don’t bill HHS electronically, they’re excluded! For instance, a practice who doesn’t even take insurance is untouched by HIPAA.
This came to light on the public chat board for FHIR, the software standard I’ve been talking about. I asked about it to the article’s publisher HISTalk and to Deven McGraw @HealthPrivacy, the most respected HIPAA authority I know. Apparently this arises from HIPAA’s origin as a way to move health insurance information. (“HIP..” is Health Insurance Portability…”):
The article’s publisher HISTalk replied to my tweet: “HHS has several ‘are you a Covered Entity’ tests on its site.” And indeed there it is: “but only if they transmit any information [electronically].”
I’d never heard this in all these years of discussions about health data, health privacy, etc. so it was quite a surprise.
Meanwhile, my other go-to HIPAA authority, health law attorney David Harlow, noted that since HHS requires electronic billing, pretty much all providers have to follow HIPAA (because pretty much everyone accepts federal health insurance, i.e. Medicare and Medicaid):
At this point Medicare EDI (electronic billing) is required w few exceptions and many private payors are not far behind. So only a small minority of providers can escape HIPAA at this point – and they are (partly) covered by a tangled web of other laws.— David Harlow (@healthblawg) February 3, 2020
Remember: data from your apps and gadgets is completely unregulated. We need new regulations.
If you care about privacy, remember that HIPAA only affects companies who bill the government for healthcare.
- Does Facebook? Of course not: everything you click and type on Facebook goes into your profile, which can be used by marketers and politicians and employers and anyone else who buys into the Facebook data system.
- Does Fitbit bill government insurance? Does Garmin, or Apple, or Amazon? Of course not. Etc.
Apple stands out as having made a major commitment to preventing hackers, crackers, and governments from getting at your data, health and otherwise – even when it’s to the detriment of advertisers or the government. But that’s not because of HIPAA – it’s because Apple really is committed to keeping your data private.
There are many more tweets in the discussion, going into all sorts of nooks and crannies – “What about paper records?” Yes, they must be protected too; “What if a doc bills HHS but not for me?” Yes, they’re still a “Covered Entity”, etc. And regardless of HIPAA, as attorney Harlow’s tweet says, there can be many other regulations (state and other) that may govern privacy. But that’s enough for now. If you have questions, ask in comments and I’ll see what I can come back with for answers.