The future of healthcare is based on individuals sharing information at the click of a button, which offers efficiency and increased consumer engagement. Under the Health Insurance Portability and Accountability Act (HIPAA)1, consumers have a right to access and use their health information when, where, and how they want to, including sending it to third-party apps.2 At the same time, HIPAA also protects the privacy of individually identifiable health information held by covered entities3 and their business associates, and limits how an individual’s health information can be used, disclosed, or exchanged, including for marketing purposes.
Today, the HIPAA Privacy Rule requires that individuals expressly authorize any use of their protected health information (PHI, which is individually identifiable), when held by doctors, hospitals, health insurance companies, and other entities covered by HIPAA, for marketing, which includes marketing by the holder of the PHI and sale to a third party.4 This protection, strengthened by the Health Information Technology for Economic and Clinical Health Act of 2009, provides individuals with greater control over how their health information is used for marketing purposes.
New Efforts to Provide Patient Data Transparency
Outside of traditional healthcare environments, technology today enables health information to be collected and shared by individuals who actively manage their health through wearable fitness trackers, social media, and other digital tools. These activities often are not covered by HIPAA, so they carry no legal prohibition on marketing based on the information collected. The Office of the National Coordinator for Health Information Technology (ONC) recently embarked on an effort to update the Model Privacy Notice (MPN), a voluntary, openly available resource developers can use to provide transparent notice to consumers about what happens to their data.
HIPAA is specific to the health sector and is enforced by the HHS Office for Civil Rights. For these non-HIPAA activities, however, the FTC has broad authority to enforce the FTC Act against for-profit entities engaging in unfair or deceptive acts or practices in or affecting commerce. This is a standard that the FTC has applied to a wide variety of entities, including those collecting, storing, and disposing of PHI on behalf of an entity covered by HIPAA.5 No explicit prohibition exists against using health data not regulated by HIPAA for marketing; indeed, some consumers willingly disclose health data to receive marketing information relevant to their specific health condition. Nonetheless, these marketing activities can be subject to FTC enforcement against unfair or deceptive practices.
In some circumstances, health data collected outside HIPAA may be sold or made available to data brokers, who in turn may make it available for marketing purposes.6 Privacy professionals understand the difference between HIPAA’s prohibition on marketing and the absence of such a prohibition for health data collected through new technologies like fitness trackers; consumers often do not. While the explosion of digital tools has many benefits, it also means consumers must now be more engaged and informed about what happens to their data.
1., 2. Health Insurance Portability and Accountability Act, Pub. L. 104-191, 110 Stat. 1936 (1996).
3. 45 C.F.R. § 160.103. Covered entity is defined as health plans, healthcare clearinghouses, and healthcare providers conducting certain electronic transactions.
4. 45 C.F.R. §§ 164.501; 164.508.
5. 15 U.S.C. § 45.
6. Data Brokers: A Call for Transparency and Accountability, FTC Report (May 2014), available at: https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.