Beyond HIPAA: Reimagining How Privacy Laws Apply to Health Data to Maximize Equity in the Digital Age

We face a health data privacy crisis. Unregulated digital technologies, mass surveillance, and weak privacy laws have created a crisis in which our health data is collected and used to profile us, manipulate our behavior, and charge us more for care. This crisis pushes people away from care, worsening our health and creating inequities. But a better, safer, and more privacy-protective future is possible if policymakers enact privacy rules such as a robust data minimization standard.

EPIC’s report Beyond HIPAA: Reimagining How Privacy Laws Apply to Health Data to Maximize Equity in the Digital Age comprehensively discusses the health data privacy crisis. The report explains:

  • Ubiquitous online tracking, unregulated digital technologies, and weak privacy laws caused the health data privacy crisis;
  • Without privacy protections that promote trust, people retreat from care when they experience fear, stigma, criminalization, or mistrust;
  • The crisis allows tech companies, advertisers, and insurance companies to extract and exploit our health data to manipulate our behavior and charge us more for care;
  • Data breaches push people from care and cause people to suffer from anxiety, fear, and mistrust;
  • Unregulated AI systems that typically do not meet FDA standards for medical devices are increasingly used in insurance and contexts; and
  • Minors’ health outcomes are more susceptible to harms caused by chatbots, targeted advertising, profiling, addictive feeds, and engagement-maximizing platform design.

Beyond HIPAA emphasizes how commercial surveillance and the health data privacy crisis disproportionately affect marginalized communities. Recent trends of criminalized health care, Medicare cuts, the presence of ICE at hospitals, and the rise of government intrusions of private more acutely harm vulnerable communities, worsening health equity. People retreat from care due to these privacy violations and a lack of protections. Accordingly, protecting health data promotes health equity.

The report examines State AG enforcement actions across six areas of privacy harms: Unwanted Calls & Texts, Data Breach, Data Privacy, Antitrust, Platform Accountability & Governance, and Algorithms & Automated Systems.

Wired highlighted Beyond HIPAA and its findings: “data brokers, ad-tech surveillance, and ICE enforcement are among the factors leading to a ‘health privacy crisis’ that is eroding trust and deterring people from seeking care.” Wired’s reporting underscored the role that large tech companies have played in orchestrating the health data privacy crisis. It further explained that “artificial intelligence, which is increasingly used in health care and consumer applications, can magnify existing privacy harms by processing vast amounts of health-related data with little regulatory oversight.”

Beyond HIPAA promises that a better world is possible. Policymakers and industry leaders should embrace a data minimization approach. If we limit the collection, processing, sharing, and retention of personal information to what is necessary to provide health services, we will protect privacy and promote health equity. One especially pernicious practice is the sale of sensitive health data. This harmful practice should be banned, and the focus of health and health-related industries should be on providing quality care to improve health outcomes, not on harvesting and monetizing people’s data.

Read the report here.