The ‘narrow scope’ of HIPAA: Protecting patients in an age of digital growth

Digital healthcare tools and apps can be more beneficial than risky if they’re used responsibly, according to a perspective published in Circulation on Feb. 24.

Jessica R. Golbus, MD, MS, and colleagues said in the journal that the current era of big data is exciting and even empowering for patients—being able to measure and share their CV data with a fitness trainer, for example, or monitoring their diet through a free app, can help hold them accountable for their own health and create a visual track record of their progress. But that sense of empowerment comes with a caveat.

“Rapid growth in our information economy, spurred by advancements in digital technology and artificial intelligence, is expanding the amount and type of data collected in healthcare,” the authors wrote. “Although the [Health Insurance Portability and Accountability Act] (HIPAA) regulates inappropriate sharing of protected health information, a substantial amount of health-related data are outside its purview and unregulated in the United States. The narrow scope of HIPAA is especially apparent in the marketplace, where users and uses of health-related data have expanded far beyond what the drafters of HIPAA initially anticipated.”

When those writers penned HIPAA in 1996, they probably didn’t foresee a digital market inundated with healthcare apps, wearables and online programs in 2020, Golbus et al. wrote. But those entities exist now, and most collect personal information—information patients might not realize isn’t protected under HIPAA.

The authors noted one recent study of 24 popular, medically related mobile apps in which researchers found that 19 of those apps—nearly 80%—shared user data with 55 unique entities.

“It is not surprising that the boundary between simple digital data and highly sensitive health information can be crossed quite quickly,” they wrote.

There’s a wealth of data out there that patients probably don’t realize they’re putting up for grabs, the team said. If someone shared a personal story about their MI recovery or cancer treatment on a health site like PatientsLikeMe, for example, third parties could leverage that information for their own use. Some companies record patients’ online searches and social media “likes” to “glean insight into diagnoses such as depression.”

Even heading to the local pharmacy and picking up a bottle of over-the-counter vitamins means data sharing, Golbus and colleagues said, because that purchase is recorded by both the store and the person’s credit card company.

The authors said we all have an obligation to educate ourselves on the safe use of digital tech, but physicians in particular need to be thorough in explaining any potential privacy issues to patients they’re recommending for certain treatments or clinical trials. They also said we need better legislation surrounding the use and distribution of health information.

“The confluence of growing health-related data, increased computing power, new technology and new stakeholders creates both opportunities and challenges for providers and researchers interested in leveraging digital tools for clinical care,” Golbus et al. wrote. “This can be particularly difficult to navigate, however, given a relative paucity of legislative or normative controls over the data.”