Health Data Outside HIPAA: The Wild West of Unprotected Personal Data

Deven McGraw
Vince Kuraitis


This post is part of the series “The Health Data Goldilocks Dilemma: Privacy? Sharing? Both?”

“…the average patient will, in his or her lifetime, generate about 2,750 times more data related to social and environmental influences than to clinical factors”

McKinsey analysis

The McKinsey “2,750 times” statistic is a pretty good proxy for the amount of your personal health data that is NOT protected by HIPAA and currently is broadly unprotected from sharing and use by third parties.

However, there is bipartisan legislation in front of Congress that offers expanded privacy protection for your personal health data. Senators Klobuchar & Murkowski have introduced the “Protecting Personal Health Data Act” (S.1842). The Act would extend protection to much personal health data that is not currently protected by HIPAA (the Health Insurance Portability and Accountability Act of 1996).

In this essay, we will look in the rear-view mirror to see how HIPAA has provided substantial protections for personal clinical data — but with boundaries. We’ll also take a look out the windshield — the Wild West of unprotected health data.

Then in a separate post, we’ll describe and comment on the pending “Protecting Personal Health Data Act”.

The Rear-View Mirror — Substantial HIPAA Protections, But With Boundaries

In 2016, HHS fulfilled its HITECH requirement to report on privacy and security issues outside HIPAA, issuing an extensive report to Congress: Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA* (the “2016 HHS Report”).

The 2016 HHS Report described many of HIPAA’s safeguards – for example:

“The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. The Privacy Rule protects individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.”

The 2016 HHS Report noted: “While HIPAA serves traditional health care well and continues to support national priorities for interoperable health information with its media neutral Privacy Rule, its scope is limited…”

The text of the Protecting Personal Health Data Act further quotes the 2016 HHS report:

“…entities not covered by the privacy protections of (HIPAA), such as wearable fitness trackers and health-focused social media sites, ‘engage in a variety of practices such as online advertising and marketing, commercial uses or sale of individual information, and behavioral tracking practices, all of which indicate information use that is likely broader than what individuals would anticipate’”.

The 2016 HHS Report extensively describes five major areas in which HIPAA’s privacy and security oversight and protections differ from those applying to entities not covered by HIPAA (aka non-covered entities):

  • Difference in individuals’ access rights
  • Differences in re-use of data by third parties
  • Differences in security standards applicable to data holders and users
  • Differences in understanding of terminology about privacy and security protections
  • Inadequate collection, use, and disclosure limitations

(We’re also well aware of the criticisms of HIPAA’s gaps and shortcomings, but for today let’s focus on the HIPAA glass being more than half full.)

Out the Windshield — the Wild West of Unprotected Health Data

Let’s explore the McKinsey statistics a bit more deeply: “…the average patient will, in his or her lifetime, generate about 2,750 times more data related to social and environmental influences than to clinical factors”. Here’s a breakout of the types and amounts of data generated over a person’s lifetime:

  • Social determinants of health & health behaviors — 1,100 terabytes
  • Non-modifiable factors (e.g., genetics) — 6 terabytes
  • Clinical care — 0.4 terabytes

The hard drive of an average personal computer today can hold about 500 MB to 1 terabyte of data. So, over their lifetime, an average person would fill up between 1,100 and 2,200 of today’s PCs with personal health data. That’s a lot.

But more importantly, the data relating to social and environmental influences is largely unprotected from sharing and use by third parties. As we noted earlier, we believe the “2,750 times” statistic is a pretty good proxy for the amount of your personal health data not protected by HIPAA.

A recent NCVHS Report — Health Information Privacy Beyond HIPAA: A 2018 Environmental Scan of Major Trends and Challenges — provides examples of how diverse personal health data can be gathered:

“The number of potential devices (personal or IoT) is enormous and increasing. Personal devices that collect health information include thermometers, pulse oximeters, blood pressure cuffs, clothing, belts, shoes, glasses, watches, activity monitors, cell phones, and many more. Almost any type of appliance, fitness equipment, camera, or other consumer product can become an IoT device with the capability of recording and reporting personal information over the Internet. An IoT device can collect data about activities, weight, health status, food purchases, eating habits, sleeping patterns, sexual activity, reading and viewing habits, and more.”

But wait…there’s more. Consider other ways that personal health data might be collected: 325K health apps, facial recognition technology, cameras, genetic tests, social media, intelligent personal assistant services such as Alexa, and many others.

Quoted in the NCVHS report, Law Professor Frank Pasquale concluded that for health data outside the healthcare sector, “in many respects, it is anything goes.”

Can the pending “Protecting Personal Health Data Act” offer better protections? How would the Act affect patients and other healthcare stakeholders? We’ll examine these questions in our next post — “Health Data Outside HIPAA: Will the Protecting Personal Health Data Act Tame the Wild West?”

* Disclosure: while Deven was at HHS, she contributed to this report.

Vince Kuraitis, JD/MBA (@VinceKuraitis) is an independent healthcare strategy consultant with over 30 years’ experience across 150+ healthcare organizations. He blogs at e-CareManagement.com.

Deven McGraw, JD, MPH, LLM (@healthprivacy) is the Chief Regulatory Officer at Ciitizen (and former official at OCR and ONC). She blogs at https://medium.com/@ciitizen

2 replies

  1. “I would prefer to see legislation on the USES of this data.”

    You point at a key distinction of any proposed privacy legislation. The “Wild West” currently puts all the burden on consumers (patients) to protect their data. Not realistic.

    Also agree that crypto could play a unique contributing role. Yes, lots of complexity here. Thanks for commenting.

  2. Thanks for filling us in on this important topic and upcoming legislation. It’s at least good to see this issue is getting some attention. Strongly recommend The Great Hack on Netflix. https://www.thegreathack.com This is a complex topic with lots of competing interests. My health data and associated risks about me that it may predict can work for me, to offer personalized guidance, or against me, say, affecting my ability to get a loan or a job. So I would prefer to see legislation on the USES of this data. In the agricultural era, when land and labor were the sources of value, our laws went a long way to protect our land rights and our privacy in our homes. We need better rights and more privacy and autonomy with our data. I believe crypto is the answer as we can begin to create data that is unique and signed by the data creator. We have a long way to go still technically, and an even longer way to go legislatively, but again, it’s still good to see it’s getting attention.