Wearing Down HIPAA: How Wearable Technologies Erode Privacy Protections.

Author:Katuska, John T.
  I. INTRODUCTION
  II. BACKGROUND
    A. Covered Entities and Business Associates
    B. Protected Health Information
    C. HIPAA's Privacy Rule and Security Rule
    D. Wearable Health Technology and Health Technology Companies
    E. Application of the Privacy and Security Rules to Covered Entities and Business Associates
  III. ANALYSIS
    A. The Privacy Rule and Security Rule in Practice
      1. Problems with HIPAA's Application to Health Technology Companies
        a. Most Health Technology Companies Are Not Covered Entities
        b. Not All Health Technology Companies That Produce Wearable Health Technology Are Business Associates
    B. Uncertainty Limits HIPAA's Effectiveness and Negatively Impacts Health Technology Companies and Consumers
      1. HIPAA's Effectiveness Is Undermined if Health Technology Companies Are Not Subject to the Privacy Rule and Security Rule
      2. Individuals' Health Information Could Be at Risk of Unwanted Disclosure
      3. Regulatory Uncertainty Could Lead Health Technology Companies Astray
  IV. RECOMMENDATION
    A. The Goals of HIPAA Would Be More Effectively Achieved by Expanding the Definition of Covered Entities
    B. Individuals' Health Information Would Be Better Protected by Expanding the Definition of Covered Entities and Consumers Could Purchase Wearable Health Technology Without Fear of Unwanted Disclosures
    C. Companies Would Have Better Guidance as to Whether to Comply with the Privacy Rule and Security Rule
  V. CONCLUSION

  I. INTRODUCTION

    With the increasing popularity of wearable health technology, (1) more and more personal health data is being collected. Because this data is collected for personal use and often by technology companies that do not deal in healthcare, the privacy protections provided by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (2) may not always be available to individuals using these technologies. This Note argues for an expansion of HIPAA to further guard individuals' protected health information (PHI) by broadening the scope of what is considered a covered entity. The Note will discuss the current HIPAA definitions of covered entities and PHI, analyze whether and how those definitions apply to technology companies that produce wearable health technology, and address whether such technology companies are required to abide by HIPAA's Privacy Rule and Security Rule to protect individuals' health information.

    Part II of this Note will explore what kinds of businesses are subject to HIPAA regulations, what type of health information is protected by HIPAA's Privacy Rule and Security Rule, and what technological developments have emerged that confuse HIPAA's application. Part III will analyze the problems that arise when determining whether health technology companies are subject to HIPAA's regulations. Part III will also discuss the issues that may arise if these companies are not covered by HIPAA. Part IV recommends changing HIPAA's definition of covered entities to better protect PHI and regulate the current health technology market.

  II. BACKGROUND
    Passed in 1996, HIPAA is federal law aimed at addressing a "variety of issues related to health care" and health information. (3) This Note will focus on Title II of HIPAA, which establishes national standards for health care transactions as well as rules regarding the privacy and security of individualized health information when possessed by certain entities. (4)

    HIPAA's protections do not apply to all companies that collect or otherwise obtain an individual's health information, nor do they apply to all forms of health information. (5) Those companies or individuals to whom HIPAA regulations do apply are referred to as "covered entities [or] business associates," (6) while only PHI is protected by HIPAA's Privacy Rule and Security Rule. Therefore, to understand how and why modern technology companies and wearable health technology can slip through the cracks of HIPAA protection, it is important to first understand what makes an entity a covered entity or business associate, what type of health information can be deemed PHI, what protections are afforded to PHI under HIPAA's Privacy Rule and Security Rule, and what wearable health technology and the technology companies that produce those wearables look like today.

    A. Covered Entities and Business Associates

      For HIPAA regulations to apply, the entity controlling the information must be a covered entity or business associate. There are three broad categories of organizations or individuals that HIPAA defines as covered entities: (1) health plans, (2) health care clearinghouses, and (3) health care providers who transmit any health information in electronic form in connection with a transaction covered by this chapter. (9)

      Health plans are, "[w]ith certain exceptions, an individual or group plan that provides or pays the cost of medical care...." (10) Health plans include health insurance companies like Aetna or Kaiser Permanente, health maintenance organizations (HMOs), employer-provided health plans, and government-provided health care programs such as Medicare, Medicaid, and TRICARE. (11) Health care clearinghouses are "entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa." (12) These entities can include "billing service[s], repricing compan[ies], community health management information system[s] or community health information system[s], and 'value-added' networks and switches that either process or facilitate the processing of health information" into a standard format. (13) Health care providers are those groups or individuals who directly provide care to individuals--"doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies ... but only if they transmit any information in an electronic form in connection with a transaction for which HHS[, the Department of Health and Human Services,] has adopted a standard." (14)

      HIPAA regulations also apply to business associates of covered entities. (15) A business associate is any person who

      (i) On behalf of [a] covered entity or of an organized health care arrangement ... creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities ... billing, benefit management, practice management, and repricing; or (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation ... management, administrative, accreditation, or financial services to or for such covered entity ... where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person. (16)

      Typical business associates might be CPA firms, attorneys, consultants, health care clearinghouses, independent medical transcriptionists, or pharmacy benefits managers whose work involves or requires access to PHI obtained from covered entities. (17) A covered entity may also be a business associate of a separate covered entity if it has any of the defining characteristics of a business associate. (18) While the definition of a business associate is broad, there are several entities that are expressly excluded from the definition of business associate, such as certain health care providers, health plan sponsors, government agencies, and covered entities in specific situations. (19)

    B. Protected Health Information

      As noted above, not all forms of health information are afforded protection by HIPAA regulation. (20) Those types of health information that are protected are referred to as protected health information (PHI) and are generally defined as "individually identifiable health information ... that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium." (21) PHI excludes individually identifiable health information "(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (22) (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years." (23)

      The key to deciding whether health information is PHI is to determine whether or not it is "individually identifiable." (24) Individually identifiable health information is a "subset of health information," which:

      (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. (25)

      Simply put, PHI is any information that identifies or could reasonably identify an individual and relates to any medical condition of the individual, the provision of health care services to that individual, or the individual's payment for the rendered health care services. (26) Under this definition, laboratory bills, hospital bills, medical records, medical referral documents, and the like would likely be considered PHI if controlled by a covered entity or business associate. (27)

    C. HIPAA's Privacy Rule and Security Rule

      The two HIPAA rules most relevant to this Note are the Privacy Rule and the Security Rule. The Privacy Rule applies broadly to covered...