By VINCE KURAITIS and DEVEN McGRAW
This post is part of the series “The Health Data Goldilocks Dilemma: Privacy? Sharing? Both?”
“…the average patient will, in his or her lifetime, generate about 2,750 times more data related to social and environmental influences than to clinical factors”–McKinsey analysis
The McKinsey “2,750 times” statistic is a pretty
good proxy for the amount of your personal health data that is NOT protected by
HIPAA and currently is broadly unprotected from sharing and use by third
However, there is bipartisan legislation in front of Congress that offers expanded privacy protection for your personal health data. Senators Klobuchar & Murkowski have introduced the “Protecting Personal Health Data Act” (S.1842). The Act would extend protection to much personal health data that is currently not already protected by HIPAA (the Health Insurance Portability and Accountability Act of 1996).
In this essay, we will look in the rear-view mirror to see
how HIPAA has provided substantial protections for personal clinical data — but
with boundaries. We’ll also take a look out the windshield — the Wild West of
unprotected health data.
Then in a separate post, we’ll describe and comment on the
pending “Protect Personal Health Data Act”.
The Rear-View Mirror
— Substantial HIPAA Protections, But With Boundaries
In 2016, HHS fulfilled its HITECH requirement to report on privacy and security issues outside HIPAA, issuing an extensive report to Congress: Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA* (the “2016 HHS Report”).
The 2016 HHS Report described many of HIPAA’s safeguards –
“The HIPAA Privacy Rule
provides federal protections for individually identifiable health information
held by covered entities and their business associates and gives patients an
array of rights with respect to that information. The Privacy Rule protects
individually identifiable health information held or transmitted by a covered
entity or its business associate, in any form