Can HIPAA Stop Companies from Sharing Your Health Data? Maybe Not.

Contributed by Diane Harrison

Who Is and Isn’t Required to Protect My Personal Health Information?

• As noted by Blue Cross Blue Shield “Although HIPAA applies to health insurance carriers, group-sponsored health plans, health care providers, and health-care clearing houses, HIPAA also affects plan sponsors, billing agencies, agents, information systems vendors and service organizations.”

• “Not all health-related information is protected by privacy rules. Companies can now derive insights about your health from growing piles of so-called ‘alternative’ data that fall outside of HIPAA. This data—what some researchers refer to as your ‘shadow health record’—can include credit scores, court documents, smartphone locations, sub-prime auto loans, search histories, app activity, and social media posts,” says Fast Company. Read more. 

Why Should I Be Worried?
 

• Security Boulevard points out that “fitness app makers, just like every other industry, have suffered data breaches. The breach that hit UnderArmour’s MyFitnessPal in 2018 is the largest to date. It exposed the usernames, passwords, and email addresses of more than 150 million users. While hackers typically go after data they can easily monetize (like your credit card number) the thought that location data was exposed is especially troublesome. Given that joggers and bikers generally run and ride where they live, attackers could also identify where the user lived by looking at where the majority of their routes began and ended.” Read more. 

 

• Modern Health: “As more players get into the data-sharing game, more patients' data are at risk of breaches that affect security and privacy alike. ‘Just because something is anonymized, it is still possible to identify who that is when you merge that record with other records that are available,’ said Sam Hanna, director of George Washington University's online master's degree in health informatics program.” Read more.
  
  

How Can I Protect Myself?
 

• "Social networking sites ask you for a good deal of data about yourself to make it easier for other users to find and connect to you. Perhaps the biggest vulnerability this creates for users of these sites is the possibility of identity fraud, which is increasingly common," notes Security In a Box. Read more. 
  
  
• "Even if you feel confident that they are popular and trusted, always read their conditions closely, just as you would any form you sign in the doctor’s office. 'Start by making sure you read the terms and conditions before hitting ‘agree,’ ... Otherwise, you might be signing away your right to that data privacy without knowing it. Additionally, make sure you research an app before you download. Do they have a reliable reputation?'” Francis Dinha, CEO of privacy company OpenVPN, speaking to MarketWatch. Read more. 

 
What Medical Practices Can Do to Protect My Personal Information
 

• Health Tech Magazine: “Traditionally, healthcare providers have been held responsible for all aspects of privacy and security of patient data because they have created and controlled it. But boundaries shifted once electronic medical records came into play. The roles surrounding data privacy and ownership are now blurred.” Read more.
• Datica: When HIPAA was first introduced in 1996, in addition to be confusing and unorganized, it didn't address some of the important measures for information security. Eleven years later, HITRUST was created as a security framework that healthcare organizations could implement. 

 
“Today, the HITRUST CSF is the most widely adopted information privacy and security risk management framework among healthcare organizations in the United States. In addition, many organizations outside of the U.S. have also implemented the HITRUST CSF.” Read more. 
 
The first step to regaining control of your health data is understanding how it’s being used, why, and how that affects your security and privacy. While it may be some time before new regulations limit how personal health information is shared and with whom, for now, the best thing consumers can do to protect themselves is to be cautious about how they share their data and to hold healthcare providers accountable to modern data security standards.
 
Image via Unsplash