
HIPAA and Its Limits

Generally speaking, the United States lacks comprehensive privacy laws at the federal level. Where federal privacy laws do exist, they contain quite a few exceptions and limitations that companies participating in the surveillance economy can exploit. The Health Insurance Portability and Accountability Act of 1996 is one such law.

Statute and Regulations

Public Law 104-191 is the Health Insurance Portability and Accountability Act of 1996, or HIPAA. HIPAA is spelled with two As, but it is usually pronounced “hippa” (as if it had two Ps instead). As passed by Congress, the HIPAA statute regulates group health plans like the ones most employers offer to permanent employees. It also imposes some regulations on other types of health care plans and on medical billing. Section 264 of this law requires the Secretary of Health and Human Services to create privacy regulations for “individually identifiable health information.” These federal regulations preempt state medical privacy laws only if the state laws are less stringent than the federal regulations.[1]

In response to this law, the U.S. Department of Health and Human Services established regulations entitled “Standards for Privacy of Individually Identifiable Health Information,” commonly shortened to the “Privacy Rule.” These regulations apply to health plans, health care providers, health care clearinghouses, and business associates that receive individually identifiable health information from one of the first three types of entity. Entities that are subject to HIPAA are generally expected to minimize the use and disclosure of individually identifiable health information. These entities must also give consumers a written notice of the organization’s privacy practices.[2]

Holes in HIPAA

From the outset, the HIPAA Privacy Rule contains a number of exceptions in which disclosure of individually identifiable health information is permitted. Some key areas in which information can be legally shared without the prior authorization of the patient include:

One key exception in HIPAA protection is for law enforcement. In the wake of the Dobbs v. Jackson Women’s Health Organization Supreme Court decision of 2022,[3] there is significant concern that states with strict abortion laws could implement mandatory reporting of reproductive-related health care. In particular, a woman who miscarries or experiences a stillbirth could be prosecuted for an illegal abortion because otherwise protected health information was disclosed under this exception. Prosecutions of this kind have already occurred in some states. In one case, a woman was even indicted for losing her baby after someone else shot her in the abdomen.[4]

Apart from the regulatory exceptions, there is also a statutory exception to privacy under HIPAA, since the underlying law only addresses “individually identifiable health information” – also called Protected Health Information (PHI) in the medical industry. An “anonymized” health record that doesn’t contain the personal identifying information of an individual is not protected under HIPAA. Similarly, personal information about an individual that doesn’t contain any health-related information is also not protected. A record only becomes subject to HIPAA when it contains both health information and something that can be used to identify the person associated with that health information.[5]

Non-Covered Entities

A company that isn’t a health care provider, health insurer, or health care clearinghouse, and which isn’t performing work directly on behalf of one of those three kinds of entities, is NOT covered by HIPAA. Health information that is shared with a non-covered entity is therefore not subject to the HIPAA Privacy Rule. Companies can aggregate such information, use it for marketing purposes, and buy and sell these records just like any other business records in the United States (subject to the limitations of state law if a person happens to live in one of the few states with such laws). Some examples of situations where HIPAA does not apply include:

There are also a few other cases where HIPAA protection doesn’t work quite as one would expect. We’ll look at some of these cases in the following lessons.

Notes and References

  1. Health Insurance Portability and Accountability Act of 1996. Public Law 104-191. August 21, 1996.

  2. Summary of the HIPAA Privacy Rule. U.S. Department of Health and Human Services.

  3. Dobbs v. Jackson Women’s Health Organization. 597 U.S. 215. June 24, 2022.

  4. Thomas Germain. “Guess What? HIPAA Isn’t a Medical Privacy Law.” Consumer Reports. June 13, 2022.

  5. What is Considered PHI under HIPAA? The HIPAA Journal. 2025.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.