Health Data Outside HIPAA: Simply Extending HIPAA Would Be a #FAIL
In summary: HIPAA’s rules were not designed to address privacy risks introduced by widespread personal information collection and use in the modern digital ecosystem. HIPAA’s rules were designed to support information flows within the health care system and allow for broad uses and disclosures of data by both covered entities and business associates without the need to obtain patient consent. HIPAA is “leaky”: it expressly allows covered entities and business associates to share data outside of HIPAA, including selling de-identified data, without patient consent. HIPAA’s rules protect data and also protect incumbents’ interests in controlling health data. Ultimately, Congressional action is needed to establish meaningful privacy protections for personal data.