Health Care Privacy: Closing The Gaps In HIPAA Regulation

Crowell & Moring LLP



Though general rules established by the Health Insurance Portability and Accountability Act and its implementing regulations (collectively known as HIPAA) are relatively well known, fewer people are familiar with some finer details, such as the fact that HIPAA is somewhat limited in scope. It's also a common misconception that HIPAA applies to all or most individually identifiable health information.

In reality, HIPAA only applies to a narrow set of covered entities—health care clearinghouses, health plans, and most health care providers—as well as their business associates.[1] Given the explosion in the use of health apps, connected devices, and other direct-to-consumer products and services that routinely collect health information, many companies and considerable swaths of health information remain outside the scope of HIPAA and have historically faced little regulation.

The tide began turning on this front in 2023, with many of the year's most important headlines in health privacy generated by federal and state actions aimed at regulating companies and information not subject to HIPAA. Back in February 2023, in the first of a flurry of enforcement actions, the Federal Trade Commission (FTC) imposed a $1.5 million civil penalty against GoodRx under the Health Breach Notification Rule (HBNR) and section 5 of the FTC Act. This marked the FTC's first enforcement action under the HBNR, a rule that took effect in 2009 requiring certain non-HIPAA-regulated entities to notify consumers, the FTC, and potentially media outlets in the event of a breach of health information. In June, the FTC published a Notice of Proposed Rulemaking modifying the HBNR, with many of the modifications aimed at clarifying the FTC's intent to apply the HBNR to health apps and connected devices and to expansively interpret what constitutes a "breach" under the rule.

In 2023, several states also passed data protection legislation focused on protecting consumer health data. Washington state was the first mover by enacting the My Health My Data Act (MHMDA), the nation's first law that specifically protects consumer health data not regulated by HIPAA. Shortly after, Nevada followed suit by enacting its own law similar to the MHMDA, and Connecticut passed an amendment to the Connecticut Data Privacy Act to include specific protections for consumer health data.

Over the coming months, we expect several key developments in the regulation of health information. We anticipate that the FTC will continue to be an active enforcer against digital health companies under both the HBNR and the FTC Act. The FTC could also finalize its proposed modifications to the HBNR. We also expect more states to follow in the footsteps of Washington and others that have passed health-specific data protection laws, adding to the growing patchwork of state data protection laws. Lastly, the Department of Health and Human Services, which recently finalized modifications to 42 C.F.R. part 2,[2] remains active in enforcing HIPAA violations and has proposed modifications to HIPAA that are still pending finalization.

Footnotes

1. Business associates are generally service providers that handle individually identifiable health information in providing a service to a covered entity or another business associate.

2. 42 C.F.R. part 2 is a set of regulations governing the confidentiality of substance use disorder records.
