Is HIPAA enough to protect patient privacy in the digital era?

It’s well known that HIPAA was developed and enacted in order to protect patient privacy, enforce patient rights, and ensure that patient information is kept confidential. But it was first passed in 1996, which was a totally different era.

Today’s reality of health apps, fitness trackers, health monitoring devices, and cyber attacks was unimaginable at the time. Despite repeated updates, it’s not clear whether the protections that HIPAA offers are robust enough to effectively safeguard patients from the many threats they face.

HIPAA loopholes allow digital data abuse

Back in December 2022, the Office for Civil Rights (OCR), which enforces HIPAA, raised the alarm about pixel trackers. Many healthcare organizations, including leading hospitals, use ads and website analytics solutions that include pixel trackers from companies like Google and Meta. The OCR warned that these pixels could violate HIPAA if they expose patients’ protected health information (PHI).

These pixels might only be embedded in public-facing content pages, but they still collect identifying information about the viewer, such as their geographic location and/or IP address. The OCR pointed out that if the visitor goes on to view a page about AIDS medications, cancer treatments, or psychiatric care, for example, the pixel has now collected identifying information that can be linked to their health issues.

Some healthcare providers bristled at this warning and sued the OCR for overreach. A federal judge in Texas ruled in their favor earlier this summer, which means that HIPAA is now ineffective in protecting patients from pixel trackers on websites. From an enforcement perspective, it also doesn’t help that the HHS hasn’t audited any covered entity for HIPAA compliance since 2017, due to budget shortages.

The same concern applies to email newsletters from healthcare providers. These messages usually include the recipient’s name, always their email address, and sometimes their geographic location or healthcare areas of interest too. “Think about this, there’s a patient or a non-patient who signs up and is receiving your general email newsletter, and they click on a link, that click is tracked, and that click is tied back to an individual who signed up and if they clicked a link around receiving a mammogram, well, you’ve now got PHI,” points out Paubox’s Dean Levitt.
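As an added illustration of the tracking mechanism described in this section (example code, not from the original article or from any vendor), the following Python script audits a page’s HTML for resources loaded from third-party analytics or ad hosts, flags pages whose path names a health condition, records what such a host can observe from a single pixel load, and, for a newsletter link, lists the query parameters that tie a click back to a person. The tracker host list, the sensitive-path terms, the identifying parameter names, the sample HTML and the sample URLs are all constructed assumptions; adjust them to your own site.

```python
"""Audit a healthcare web page or newsletter link for third-party tracking that
can tie an identifiable visitor to a health topic.  Added example: host lists,
path terms, sample HTML and URLs are constructed for illustration only."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumption: hosts treated as third-party analytics/ad trackers (extend for your site).
TRACKER_HOSTS = {
    "www.facebook.com", "connect.facebook.net",
    "www.google-analytics.com", "www.googletagmanager.com",
}
# Assumption: path fragments that mark a page as condition-specific.
SENSITIVE_TERMS = ("cancer", "hiv", "aids", "psychiatr", "mammogram", "oncology")
# Assumption: query keys in tracked newsletter links that identify the recipient.
IDENTIFYING_KEYS = {"email", "uid", "subscriber", "contact_id"}


class _Resources(HTMLParser):
    """Collect every src/href on the page together with the tag it came from."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag in ("img", "script", "iframe") else a.get("href")
        if url:
            self.found.append((tag, url))


def third_party_trackers(page_url, html):
    """Return (tag, host) for each resource the page loads from a tracker host."""
    page_host = urlparse(page_url).netloc.lower()
    parser = _Resources()
    parser.feed(html)
    hits = []
    for tag, url in parser.found:
        host = urlparse(url).netloc.lower()          # relative URLs have no host
        if host and host != page_host and host in TRACKER_HOSTS:
            hits.append((tag, host))
    return hits


def sensitive_terms(page_url):
    """Condition-related terms appearing in the page path, in list order."""
    path = urlparse(page_url).path.lower()
    return [t for t in SENSITIVE_TERMS if t in path]


def tracker_observation(page_url, client_ip):
    """What a tracker host can log from one pixel load: the connection's source IP
    plus the page it was loaded from (tracking tags normally send the full page
    URL as a request parameter).  Together these are the identifying data the
    OCR warned about."""
    return {"ip": client_ip, "page": urlparse(page_url).path,
            "health_topic": sensitive_terms(page_url)}


def identifying_link_params(href):
    """For a newsletter link: the query parameters that tie the click to a person."""
    qs = parse_qs(urlparse(href).query)
    return {k: v[0] for k, v in qs.items() if k.lower() in IDENTIFYING_KEYS}


def audit_page(page_url, html):
    """Rate a page: trackers on a condition page is the high-risk combination."""
    trackers = third_party_trackers(page_url, html)
    topics = sensitive_terms(page_url)
    if trackers and topics:
        risk = "high"
    elif trackers:
        risk = "medium"
    else:
        risk = "none"
    return {"risk": risk, "trackers": trackers, "topics": topics}


# Constructed sample: a condition page that embeds a tag-manager script and an ad pixel.
SAMPLE_URL = "https://hospital.example/services/oncology/mammogram-screening"
SAMPLE_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<img src="/static/logo.png">
<img height="1" width="1" src="https://www.facebook.com/tr?id=EXAMPLE&ev=PageView&noscript=1">
<a href="/appointments">Book</a>
</body></html>
"""
# Constructed sample: a tracked link from a newsletter, with the subscriber encoded in it.
SAMPLE_NEWSLETTER_LINK = ("https://hospital.example/screening/mammogram"
                          "?utm_campaign=fall&uid=subscriber-4711&email=jane%40example.org")

if __name__ == "__main__":
    print(audit_page(SAMPLE_URL, SAMPLE_HTML))
    print(tracker_observation(SAMPLE_URL, "203.0.113.7"))
    print(identifying_link_params(SAMPLE_NEWSLETTER_LINK))
```

Running this over a crawl of your own site gives a list of condition pages that still load third-party tags, which is the inventory a privacy review needs before deciding where to remove tags or switch to first-party analytics.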

HIPAA doesn’t apply to law enforcement data acquisition

It’s important to note that even if HIPAA were applied perfectly to every relevant entity, it doesn’t permit healthcare providers to withhold information in response to law enforcement requests. In today’s highly politicized climate, this could result in significant harm to patients.

For example, since Roe v. Wade was overturned, restrictive anti-abortion laws in many states mean that patients who get an abortion, and professionals who provide one, could face criminal proceedings. Even women who have a miscarriage could be accused of getting an illegal abortion.

Patient data that reveals the timing of menstrual periods, medication that was prescribed, and other symptoms could all be crucial in these legal proceedings. The Final Rule, which becomes law towards the end of 2024, was passed to rectify this, but it only relates to women who travel to get an abortion in a state where it’s legal. It doesn’t protect a woman who has a miscarriage from having her private health data used in court against her.

Poor cybersecurity is a patient care issue

HIPAA requires covered entities to establish strong data privacy policies, but it doesn’t mandate specific cybersecurity controls. HIPAA was deliberately designed to be technology agnostic, on the basis that this would keep it relevant despite frequent technology changes. But this could be a glaring omission.

For example, Change Healthcare, a medical insurance claims clearinghouse, experienced a data breach when a hacker used stolen credentials to enter the network. If Change had implemented multi-factor authentication (MFA), a basic cybersecurity measure, the breach might not have taken place. But MFA isn’t specified in the HIPAA Security Rule, which was passed 20 years ago.

Cybersecurity in the healthcare industry falls through the cracks of other regulations. The CISA update in early 2024 requires companies in critical infrastructure industries to report cyber incidents within 72 hours of discovery. However, this doesn’t include insurance companies, health IT providers and labs or diagnostics facilities.

“Crucially, there are many third-parties in the healthcare ecosystem that our members contract with who would not be considered ‘covered entities’ under this proposal, and therefore, would not be obligated to share or disclose that there had been a substantial cyber incident – or any cyber incident at all,” warns Russell Branzell, president and CEO of CHIME.

Mobile apps are a weak link

HIPAA’s Privacy Rules don’t apply to most health apps, because they aren’t considered covered entities. There are so many apps that collect sensitive health data, including nutrition apps, period tracking apps, fitness apps, sleep apps, and mental health apps. Many of them are installed on smartphones by default, and far too many fail at data privacy and security.

In 2022, Mozilla investigated 27 mental health apps. All but two of them failed to meet even the most basic data privacy and security requirements. For example, they had no clear policies on what they do with your data, who they share it with, how long they store it, or how they protect it from hacking attempts. Few apps promised to delete data upon request. When Mozilla revisited the issue in 2023, just six apps showed significant improvement.

The situation is highlighted by high-profile data privacy abuses. For example, the FTC fined mental health app BetterHelp $7.8 million for sharing sensitive user data with advertisers, despite promising not to do so. Talkspace, a platform for people to communicate with licensed therapists, was found to have routinely reviewed and mined user conversations for business insights and data for training AI bots.

Many apps justify sharing data by claiming that it’s “anonymized.” Even if data is anonymized as promised, it can still be connected to you when it’s combined with other information. The more data points in a dataset, the easier it is to de-anonymize PHI.
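To make the linkage point concrete, here is an added Python example (not from the article) that measures how re-identifiable a constructed “anonymized” app export is: it computes k-anonymity over the released quasi-identifier columns, shows k falling to 1 as more columns are released, counts how many records match what an outside party already knows about one person, and applies the usual mitigation of generalizing values and dropping a column. The dataset, the column names and the 20-year birth-year band are all constructed assumptions.

```python
"""Re-identification risk of an "anonymized" health dataset.  Added example with
a constructed dataset; column names and values are assumptions, not any real
app's export."""
from collections import Counter
from itertools import combinations

# Constructed export: names and e-mail removed, quasi-identifiers kept, plus one
# sensitive field (a mental-health screening result).
QUASI_IDS = ("zip3", "birth_year", "sex", "device")
RECORDS = [
    {"zip3": "021", "birth_year": 1984, "sex": "F", "device": "iOS",     "screening": "positive"},
    {"zip3": "021", "birth_year": 1984, "sex": "F", "device": "Android", "screening": "negative"},
    {"zip3": "021", "birth_year": 1984, "sex": "M", "device": "iOS",     "screening": "negative"},
    {"zip3": "021", "birth_year": 1984, "sex": "M", "device": "Android", "screening": "positive"},
    {"zip3": "021", "birth_year": 1990, "sex": "F", "device": "iOS",     "screening": "positive"},
    {"zip3": "021", "birth_year": 1990, "sex": "F", "device": "Android", "screening": "negative"},
    {"zip3": "940", "birth_year": 1984, "sex": "F", "device": "iOS",     "screening": "negative"},
    {"zip3": "940", "birth_year": 1984, "sex": "F", "device": "Android", "screening": "negative"},
    {"zip3": "940", "birth_year": 1990, "sex": "M", "device": "iOS",     "screening": "positive"},
    {"zip3": "940", "birth_year": 1990, "sex": "M", "device": "Android", "screening": "negative"},
]


def equivalence_classes(records, quasi_ids):
    """Group records by their values on the released quasi-identifier columns."""
    return Counter(tuple(r[c] for c in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """k = size of the smallest group; k == 1 means someone is uniquely identifiable."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids):
    """Share of records that are alone in their group, i.e. directly re-identifiable."""
    classes = equivalence_classes(records, quasi_ids)
    singletons = sum(1 for n in classes.values() if n == 1)
    return singletons / len(records)


def link(records, quasi_ids, known):
    """Records consistent with what an outsider already knows about a person
    (e.g. from a public profile); the shorter the list, the stronger the linkage."""
    return [r for r in records if all(r[c] == known[c] for c in quasi_ids)]


def risk_by_column_count(records, columns):
    """Worst-case k for every number of released columns: more data points, lower k."""
    return {n: min(k_anonymity(records, qi) for qi in combinations(columns, n))
            for n in range(1, len(columns) + 1)}


def generalize(records, band=20):
    """Mitigation: coarsen birth_year to a `band`-year bucket and drop the device column
    (the band width is an assumption chosen for this example)."""
    out = []
    for r in records:
        g = {k: v for k, v in r.items() if k != "device"}
        g["birth_year"] = (r["birth_year"] // band) * band
        out.append(g)
    return out


# Constructed: what an advertiser might already know about one subscriber.
KNOWN = {"zip3": "021", "birth_year": 1990, "sex": "F", "device": "iOS"}

if __name__ == "__main__":
    print("k by number of released columns:", risk_by_column_count(RECORDS, QUASI_IDS))
    print("unique share with all columns:", unique_fraction(RECORDS, QUASI_IDS))
    print("candidates for KNOWN (3 columns):", len(link(RECORDS, QUASI_IDS[:3], KNOWN)))
    print("candidates for KNOWN (4 columns):", len(link(RECORDS, QUASI_IDS, KNOWN)))
    print("k after generalizing:", k_anonymity(generalize(RECORDS), ("zip3", "birth_year", "sex")))
```

The point for a reviewer is the last two numbers: with all four columns every record in this export is unique, so a single matching fact about a person reveals their screening result, while coarsening the birth year and dropping the device column restores a group of at least two behind every combination.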

“Although these apps undoubtedly make mental health services more convenient, they also generate massive amounts of sensitive data, and therefore have raised serious concerns over patient privacy,” writes Darrell M. West, senior fellow at the Center for Technology Innovation.

The harm of poor data privacy regulation

Weak HIPAA provisions could result in serious patient harm. Many healthcare companies conduct wide-ranging intake questionnaires, covering gender identity, sexual orientation, and mental health history. At its most benign, this could be monetized to target ads. More worryingly, mental health data could be used by employers to vet new hires, or even by extremist groups or abusers looking for vulnerable people to target.

With HIPAA falling short in many ways, it’s vital for service providers of all types to keep an eye on where legislation is headed – and how they can future-proof their businesses by prioritizing patient data privacy regardless of legislation.

Sadie Williamson

Sadie Williamson is the founder of Williamson Fintech Consulting. With over a decade in the fintech arena under her belt, she helps fintech firms to develop custom solutions targeting a variety of verticals. Her...